specification based ids for the dnp3 protocol
play

SPECIFICATION-BASED IDS FOR THE DNP3 PROTOCOL NOVEMBER, 12TH, 2014 - PowerPoint PPT Presentation

Jan 25, 2023 •426 likes •746 views

ANNUAL INDUSTRY WORKSHOP NOVEMBER 12-13, 2014 SPECIFICATION-BASED IDS FOR THE DNP3 PROTOCOL NOVEMBER, 12TH, 2014 HUI LIN UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG 1

  1. ANNUAL INDUSTRY WORKSHOP NOVEMBER 12-13, 2014 SPECIFICATION-BASED IDS FOR THE DNP3 PROTOCOL NOVEMBER, 12TH, 2014 HUI LIN UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG 1 UNIVERSITY OF ILLINOIS | DARTMOUTH COLLEGE | UC DAVIS | WASHINGTON STATE UNIVERSITY FUNDING SUPPORTPROVIDED BY DOE-OE AND DHS S&T

  2. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G PROBLEM DEFINITION • Threat model : control commands , if maliciously crafted, can directly change system’s physical state 2

  3. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G PROBLEM DEFINITION • Threat model : control commands , if maliciously crafted, can directly change system’s physical state • Control-related attack : a sophisticated attacker can exploit system vulnerabilities and use a few maliciously crafted commands to put the system into insecure electrical states 3

  4. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G PROBLEM DEFINITION • Threat model : control commands , if maliciously crafted, can directly change system’s physical state • Control-related attacks : a sophisticated attacker can exploit system vulnerabilities and use a few maliciously crafted commands to put the system into insecure electrical states 4

  5. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G PROBLEM DEFINITION • Threat model : control commands , if maliciously crafted, can directly change system’s physical state • Control-related attacks : a sophisticated attacker can exploit system vulnerabilities and use a few maliciously crafted commands to put the system into insecure electrical states 5

  6. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G PROBLEM DEFINITION • Threat model : control commands , if maliciously crafted, can directly change system’s physical state • Control-related attacks : a sophisticated attacker can exploit system vulnerabilities and use a few maliciously crafted commands to put the system into insecure electrical states 6

  7. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G PROBLEM DEFINITION • Threat model : control commands , if maliciously crafted, can directly change system’s physical state • Control-related attacks : a sophisticated attacker can exploit system vulnerabilities and use a few maliciously crafted commands to put the system into insecure electrical states 𝑕 − 𝑄 𝑗 𝑚 = 𝑙 𝑊 𝑄 𝑗 𝑊 𝑙 (𝐻 𝑗𝑙 cos 𝜄 𝑗 − 𝜄 𝑙 + 𝐶 𝑗𝑙 sin(𝜄 𝑗 − 𝜄 𝑙 )) 𝑗 𝑕 − 𝑅 𝑗 𝑚 = 𝑙 𝑊 𝑅 𝑗 𝑗 𝑊 𝑙 (𝐻 𝑗𝑙 sin 𝜄 𝑗 − 𝜄 𝑙 − 𝐶 𝑗𝑙 cos(𝜄 𝑗 − 𝜄 𝑙 )) 7

  8. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G WHY DETECTION IS A CHALLENGE? • Hard to detect based solely on power systems’ electrical states – Traditional contingency analysis considers low-order incidents, i.e., the “ N-1 ” contingency – Traditional state estimation is performed periodically, detecting attacks after physical damage – Measurements may be compromised 8

  9. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G WHY DETECTION IS A CHALLENGE? • Hard to detect based solely on power systems’ electrical states – Traditional contingency analysis considers low-order incidents, i.e., the “ N-1 ” contingency – Traditional state estimation is performed periodically, detecting attacks after physical damage – Measurements may be compromised • Hard to detect based solely on the network intrusion detection systems – Commands can be encoded in correct syntax – Not detectable by traditional network intrusion detection systems (IDS) 9

  10. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G DETECTION DESIGN • Combine system knowledge of both cyber and physical infrastructure in the power grid – Integrate network monitoring with look-ahead power flow analysis • Detect malicious commands at their first appearances , instead of identifying power system’s physical damage after the fact 10

  11. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH 11

  12. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH Cyber Infrastructure 12

  13. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH Cyber Infrastructure • Adapt specification-based IDS for SCADA systems – Detect unexpected network activities based on predefined security specifications 13

  14. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH Cyber Infrastructure • Adapt specification-based IDS for SCADA systems – Detect unexpected network activities based on predefined security specifications • Adapt Bro to support SCADA protocols – Develop DNP3 & Modbus Bro IDS analyzers in Bro’s for SCADA distribution – Collaborate with industry, i.e., Ameren, Abbot Lab • Use real network traffic from substations in Ameren to test the developed tools 14

  15. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH Physical Infrastructure • Develop semantic analysis framework – Augment network IDS with power flow analysis Bro IDS for SCADA 15

  16. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH Physical Infrastructure • Develop semantic analysis framework – Augment network IDS with power flow analysis – Monitor network payloads to identify control commands – Invoke look-ahead power Bro IDS flow analysis to evaluate for SCADA the physical consequence of a command’s execution Look-ahead Power Flow Analysis 16

  17. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH Physical Infrastructure • Develop semantic analysis framework – Augment network IDS with power flow analysis – Monitor network payloads to identify control commands – Invoke look-ahead power Bro IDS flow analysis to evaluate for SCADA the physical consequence of a command’s execution – Monitor sensor Look-ahead measurements to identify Power Flow Analysis corruptions 17

  18. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G LOW LATENCY DETECTION • Classical AC power flow analysis calculates accurate system states with long latency 18

  19. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G LOW LATENCY DETECTION • Classical AC power flow analysis calculates accurate system states with long latency • DC power flow analysis introduces very little latency, but calculates very inaccurate system states 19

  20. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G LOW LATENCY DETECTION • Classical AC power flow analysis calculates accurate system states with long latency • DC power flow analysis introduces very little latency, but calculates very inaccurate system states • Adapt AC power flow analysis to balance detection latency and accuracy – Allow timely responses before system-wide propagation of malicious damage 20

  21. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G LOW LATENCY DETECTION • Classical AC power flow analysis calculates accurate system states with long latency • DC power flow analysis introduces very little latency, but calculates very inaccurate system states • Adapt AC power flow analysis to balance detection latency and accuracy – Allow timely responses before system-wide propagation of malicious damage • Adapt Newton-Raphson algorithm – Intelligently reduce the number of iteration for different control commands • Meet the trade-off between detection accuracy and latency 21

  22. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G EVALUATION: DETECTION ACCURACY • The test-bed configuration – Use the case files of IEEE 24-bus, 30-bus, 39-bus, and a 2736- bus system in Matpower to evaluate the adapted power flow analysis algorithm – Malicious changes: line outage, generation and load modification 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fuzzing and protocol analysis case-study of DNP3 Adam Crain, Automatak Developed by Harris Corp,

Fuzzing and protocol analysis case-study of DNP3 Adam Crain, Automatak Developed by Harris Corp,

Fuzzing and protocol analysis case-study of DNP3 Adam Crain, Automatak Developed by Harris Corp, handed over to a vendor-neutral User Group in 1993. Many features have been bolted on, including security. Layered Architecture IED/RTU or

469 views • 24 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In previous parts of this chapter: Modeling behaviour with

773 views • 74 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In Part I of this chapter: Modeling with state machines and

1.8k views • 126 slides
What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i -Key-Protocol, i = 1, 2, 3, Family of protocols Secure electronic payment Based on credit card payments Christopher Hsu Can be extended

407 views • 4 slides
Title: Formal Specification and Verification of a Communication Protocol (temporary) Author:

Title: Formal Specification and Verification of a Communication Protocol (temporary) Author:

Title: Formal Specification and Verification of a Communication Protocol (temporary) Author: Hojung Bang Affiliation: KAIST Address: 373-1, Kuseong-dong, Yuseong-gu, Daejeon, 305-701, Korea Abstract: In this paper, we summarized our experience

285 views • 6 slides
Specification-Based Testing 1 Stuart Anderson Stuart Anderson Specification-Based Testing 1

Specification-Based Testing 1 Stuart Anderson Stuart Anderson Specification-Based Testing 1

Specification-Based Testing 1 Stuart Anderson Stuart Anderson Specification-Based Testing 1 2011 c 1 Overview Basic terminology A view of faults through failure Systematic versus randomised testing A systematic approach to

492 views • 32 slides
Building a Literate Parser and Proxy for DNP3 Sven M.

Building a Literate Parser and Proxy for DNP3 Sven M.

Building a Literate Parser and Proxy for DNP3 Sven M. Hallberg, Sergey Bratus, Adam Crain Outline Parsers, security, and the

368 views • 33 slides
TCP Friendly Rate Control (TFRC): Protocol Specification RFC3448bis

TCP Friendly Rate Control (TFRC): Protocol Specification RFC3448bis

TCP Friendly Rate Control (TFRC): Protocol Specification RFC3448bis draft-ietf-dccp-rfc3448bis-00.txt S. Floyd, M. Handley, J. Padhye, and J. Widmer November 2006, DCCP Working Group Changes from RFC 3448: Incorporated changes in the

240 views • 4 slides
Implemen'ng a ver'cally hardened DNP3 control stack Sven M.

Implemen'ng a ver'cally hardened DNP3 control stack Sven M.

Implemen'ng a ver'cally hardened DNP3 control stack Sven M. Hallberg, Sergey Bratus, Adam Crain, Meredith L. Pa<erson,

886 views • 49 slides
Broadcast channels Adversary Central adversary (collaborating parties) Corrupts t

Broadcast channels Adversary Central adversary (collaborating parties) Corrupts t

Sum Protocol 2 Goal: Compute sum of inputs Protocol Specification 0. P i : input x i random r y 1 = r + x 1 y 7 Cryptographic Protocols 1. P i : send x i to TTP y 7 = y 6 + x 7 y 1 x i s = y 7 r y 6 2. TTP: y = Spring 2020 y 2 =

67 views • 4 slides
Integrating Workload Specification and Extraction for Model- Based and Measurement-Based

Integrating Workload Specification and Extraction for Model- Based and Measurement-Based

Stuttgart, Germany, 2014-11-27 Integrating Workload Specification and Extraction for Model- Based and Measurement-Based Performance Evaluation An Approach for Session-Based Software Systems Andr van Hoorn, Christian Vgele Eike Schulz,

1.02k views • 29 slides
Protocol-based Verification of Message-passing Parallel Programs Hugo A. L opez, Eduardo R. B.

Protocol-based Verification of Message-passing Parallel Programs Hugo A. L opez, Eduardo R. B.

t i f a r c A t * C o m * p l * t e n t e A e t * A s i W s E n L e o l C l S C D P * o * c O e s u u m E O e R e n v o t t d e * y s * a a E d l u e a t Protocol-based

543 views • 37 slides
Protocol Interconnection in Urban Traffic Coordination use case (demo) Georgios Bouloukakis

Protocol Interconnection in Urban Traffic Coordination use case (demo) Georgios Bouloukakis

Protocol Interconnection in Urban Traffic Coordination use case (demo) Georgios Bouloukakis Inria 1 st Review Meeting Brussels, February 11, 2016 Route planning: Choreography diagram Specification Specification sub-choreography diagram

315 views • 10 slides
An Adaptive MAC Layer Protocol for ATM-based LEO Satellite Networks An Access Protocol for Mobile

An Adaptive MAC Layer Protocol for ATM-based LEO Satellite Networks An Access Protocol for Mobile

An Adaptive MAC Layer Protocol for ATM-based LEO Satellite Networks An Access Protocol for Mobile Satellite Users with Reduced Link Margins and Contention Probability Marc Emmelmann (*) Hermann Bischl Fraunhofer Institute German Aerospace

611 views • 18 slides
TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for

TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for

TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for ensuring that data is transferred between two Intenret hosts based on a 32 bit address. To be ROUTABLE, a protocol must specify a NETWORK ADDRESS

899 views • 22 slides
Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic specification J. Lima, N. Escravana 1 Abstract In the recent years, the advent large-scale, highly targeted cyber-attacks raised the concern on the

375 views • 35 slides
System Architectures Using Network Attached Peripherals Rodney Van Meter USC/Information Sciences

System Architectures Using Network Attached Peripherals Rodney Van Meter USC/Information Sciences

System Architectures Using Network Attached Peripherals Rodney Van Meter USC/Information Sciences Institute rdv@isi.edu http://www.isi.edu/netstation/ USC Integrated Media Systems Center Student Council Seminar October 30, 1997 1 Talk

474 views • 31 slides
OSG GRid ACCounting system :: GRACC Derek Weitzel, Marian Zvada Elastic Workshop @FNAL,

OSG GRid ACCounting system :: GRACC Derek Weitzel, Marian Zvada Elastic Workshop @FNAL,

OSG GRid ACCounting system :: GRACC Derek Weitzel, Marian Zvada Elastic Workshop @FNAL, September 30th, 2019 GRACC - Mapping Jobs to ES Each job is mapped to a document in ES with ~60 attributes each GRACC receives 1.2M records a day

204 views • 16 slides
Rout e 1 M ult im odal Alt ernat ives Analysis Com m unit y Involvem ent Com m ittee M arch 18,

Rout e 1 M ult im odal Alt ernat ives Analysis Com m unit y Involvem ent Com m ittee M arch 18,

Rout e 1 M ult im odal Alt ernat ives Analysis Com m unit y Involvem ent Com m ittee M arch 18, 2014 Agenda 1. Introductions 2. Background and Process 3. Proposed Alternatives for Further Evaluation & Land Use Scenario Development 5.

1.03k views • 60 slides
Moving Smart Mobility Initiatives into Practice Ohio Transportation Engineering Conference Oct.

Moving Smart Mobility Initiatives into Practice Ohio Transportation Engineering Conference Oct.

Moving Smart Mobility Initiatives into Practice Ohio Transportation Engineering Conference Oct. 2-3, 2018 ABOUT THE CENTRAL OHIO TRANSIT AUTHORITY Nearly 19 million trips annually (60,000 daily trips) 562 square-mile service area

549 views • 22 slides
North King County Mobility Coalition Aug ugust ust 2020 Welcome! Review Agenda Welcome

North King County Mobility Coalition Aug ugust ust 2020 Welcome! Review Agenda Welcome

North King County Mobility Coalition Aug ugust ust 2020 Welcome! Review Agenda Welcome & Introductions Ice Breaker: What is one of your most unique skills? Announcements Announcements Weve hired a new mobility

1.06k views • 39 slides
Equity Survey Results www.envirometro.org @envirometro facebook.com/envirometro May 9, 2018

Equity Survey Results www.envirometro.org @envirometro facebook.com/envirometro May 9, 2018

Equity Survey Results www.envirometro.org @envirometro facebook.com/envirometro May 9, 2018 Speakers Omar Gomez Program Manager, Nature For All Fernando Cazares California Manager, Climate-Smart Cities at The Trust for Public Land Bryn

380 views • 27 slides
ADMIN Reading Chapter 8 Including RAID (8.2) but dont stress memorizing the levels

ADMIN Reading Chapter 8 Including RAID (8.2) but dont stress memorizing the levels

ADMIN Reading Chapter 8 Including RAID (8.2) but dont stress memorizing the levels Can skip 8.8 IC220 Set #19: Storage and I/O (Chapter 8) 1 2 Big Picture I/O Interrupts Important but neglected Processor The

415 views • 6 slides
1 Ring Topology Ring Topology In a ring network, every device has exactly two neighbours

1 Ring Topology Ring Topology In a ring network, every device has exactly two neighbours

What is a Topology? Network topologies describe the ways in which the elements of a network are mapped. They describe the physical and logical arrangement of the network nodes. The physical topology of a network refers to the

279 views • 4 slides

More recommend