Take aways Industrial control system networks are not commonly air gapped.. Industrial control systems can be infected by malware. An electronic security perimeter alone is insufficient protection. Need a defense in depth approach.
Risk Assessment Should consider likelihood of attack cost of attack impact of attack Compared to cost of prevention likelihood of prevention
MSUECE 8990 Smart Grid Interruption (Denial of Service) An asset of the system is destroyed of becomes unavailable or unusable Attack on availability Destruction of hardware Cutting of a communication line Disabling the file management system May not be physical destruction. May be temporary.
DOS Prevention Monitor and react Monitor network traffic for DOS attacks Close offending ports Is it OK to close a network port in an ICS network? Test devices for vulnerability ○ Protocol mutation (fuzzing) ○ Known attacks ○ Floods Share results (ethically) Force vendor to patch
MSUECE 8990 Smart Grid Interception An unauthorized party gains access to an asset Attack on confidentiality Wiretapping to capture data in a network Intercepting a password -> bad Intercepting a password file -> worse Intercepting ICS data from an RTU. Is that bad?
MSUECE 8990 Smart Grid Modification An unauthorized party not only gains access but tampers with an asset Attack on integrity Change values in a data file Alter a program to make it perform differently Modify content of messages transmitted on a network man-in-the-middle (MITM)
MSUECE 8990 Smart Grid Modification Modification in ICS -> very bad Feedback control uses ○ sensors to monitor physical process ○ Controllers to control the physical process. Modifying measured output, measured error, system input, or reference affects system output.
MSUECE 8990 Smart Grid Modification Need to defend the sensor. Need to defend the device which measures error. Need to defend the controller. Need to defend the communication network.
MSUECE 8990 Smart Grid Fabrication Unauthorized party inserts counterfeit objects into the system Attack on authenticity Insertion of spurious messages in a network Addition of records to a file ICS – insertion of spurious/unwanted/unauthorized control ICS – adding data to a historian
Network Intrusion Detection for Industrial Control Systems Physical Wireless IDS Not much at this level Network, Transport Detect well known attacks ○ Tear drop, LAND, port scanning, Ping Common protocol rules ○ TCP, IP, UDP, ICMP Application Layer Detect protocol mutations Detect protocol specific DOS attacks Model Based IDS to detect system level attacks ○ measurement injection ○ command injection ○ system state steering Physical Data Link Network Transport Application Most of our work is here.
IDS Framework for Synchrophasor Systems Synchrophasor systems being installed across country by utilities with ARRA grants Improved electric grid visibility ○ Detect disturbances sooner Wide area protection ○ React to disturbances quickly to limit outage IEEE C37.118 - Synchrophasor Network Protocol Need to develop Snort rules to Protect against IEEE C37.118 protocol mutation type attacks Detect reconnaissance, DOS, command injection, and measurement injection attacks Read Spraberry has identified approximately 36 rules and is writing and testing now.
IDS framework for MODBUS Reviewed MODBUS specification and developed a fuzzing framework. Using fuzzing framework to guide rule development. ○ Rules for specific frame types ○ Function codes in frames define payload contents ○ Rules based upon relationships between frames query and response must match ○ Response special cases – exception frames match defined exceptions to query function code and error types 50 rules in development Snort IDS Framework ICS network
1.Radio Discovery < 24 hrs. 2.Infiltration < 30 days 3.Data Injection or Denial of Service Attack 4.Broken Feedback Control Loop Example Attack Wireless Link
SNORT Intrusion Detection for Industrial Control Systems MTU pump relief pipeline RTU control logic Set Point System Mode Control Scheme Pump Override Relief Override PID Setpoint PID Gain PID Reset PID Rate PID DB PID CT Output Pump State Relief State Pressure tap Detect Attacks Command Injection Measurement Injection Reconnaissance Denial of Service Snort
Cybersecurity Testing and Risk Assessment for Industrial Control Systems
Denial of Service Known attacks High volume traffic Protocol mutation Device Security Assessment Security features Standards conformance Port scan Vulnerability scan Confidentiality, Integrity Password confidentiality Password storage Man-in-the- middle Many vulnerabilities identified and communicated to vendor and project partner. All addressed Firmware fixes New security features System architecture changes
CIPC Lab Growth Continue to add systems Currently designing SCADA lab upgrades to increase diversity and complexity. Needs RTDS Expansion Achilles Satellite Security Analyzer
Center for Computer Security Research National Forensics Training Center Critical Infrastructure Protection Center Cyber Security Education Information and Computing SecurityComputer Crime and ForensicsNetwork Security and CryptographyIndustrial Control System SecurityAdvanced Network SecurityAdvanced Digital ForensicsTrustworthy ComputingInternet Security Protocols Scholarship Programs NSF Scholarship for Service DOD Information Assurance Scholarship National Center of Academic Excellence in Information Assurance Education National Center of Academic Excellence in Research
Identify vulnerabilities, implement attacks, investigate impact on physical systems. Develop security solutions; system protection, intrusion detection, attack resilience Train engineers and scientists for control systems security careers. Cyber Security Industrial Control Systems Critical Infrastructure Protection Center
Tommy Morris Asst. Prof. Director, CIPC Industrial Control System Security Ray Vaughn V.P. Research Giles Distinguished Professor Software Engineering and Computer Security Dave Dampier Professor Director, CCSR Computer Forensics Malingham Ramkumar Assoc. Prof. Trustworthy Computing Yogi Dandass Assoc. Prof. Root Kit, Hypervisor Detection Wesley McGrew Research Associate Human Machine Interface Security, Software Vulnerability and Exploitation
Read Sprabery BS CPE Jeff Hsu BS EE Uttam Adhikari PHD ECE Wei Gao PHD ECE Shengyi Pan PHD ECE David Mudd MS ECE Quintin Grice MS ECE Joseph Johnson BS EE Lalita Neti MS ECE Robert Gosselin BS EE