Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta.

Published byEthen Stigger Modified over 9 years ago

Similar presentations

Presentation on theme: "1 A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta."— Presentation transcript:

1 1 A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta Joint Research Centre (JRC) The European Commission’s Research-Based Policy Support Organisation Insubria University

2 2 Consequences of pervasive ICT in Critical Infrastructures New Attack Scenarios Public Network Supervisory Control and Data Acquisition (SCADA) Supervisory Control and Data Acquisition (SCADA) Today most of critical infrastructures depend highly on the underlying communication networks Today most of critical infrastructures depend highly on the underlying communication networks New Vulnerabilities New Risks

3 3 An Example: The ModBUS frame ModBUS serial frame ModBUS TCP/IP frame MBAP Header: Transaction Identifier Protocol Identifier Length Unit Identifier RS232 RS422/485 253 bytes + 1 byte + 2 bytes = 256 bytes (PDU) (sl. ADDR) (CRC) Max ADU 253 bytes + 1 byte + 2 bytes = 256 bytes (PDU) (sl. ADDR) (CRC) Max ADU 253 bytes + 7 byte = 260 bytes (PDU) (MBAP) Max ADU 253 bytes + 7 byte = 260 bytes (PDU) (MBAP) Max ADU

4 4 SCADA Protocols Vulnerabilities Unauthorized Command Execution Man-in-the-Middle Replay-attacks Repudiation …authentication… …integrity… …freshness…

5 5 Time-stamp SHA2 digest (256 bit) RSA signature on the SHA2 digest Secure Modbus Prototype DataFuntionMBAP TS ModBUS TCP/IP frame SHA2 (E-Modbus) E-Modbus pKM S-Modbus pkt

6 6 Considerations A secure protocol does not protect from the corruption of the traffic originator, i.e. the Master…

7 7 {data} PKm {TS|ModBUS} PKm {{{TS|ModBUS} PKm } PKt } SKt K-Survivable SCADA Architecture Attacks : Unauth. Com. Exec. Reply Attack Master infection Master-FU infection Attacks : Unauth. Com. Exec. Reply Attack Master infection Master-FU infection Slave Solutions : Signature Secure ModBUS Filtering Unit Multiple FU Solutions : Signature Secure ModBUS Filtering Unit Multiple FU Attacker FU Msg Attacker PKm = Private Key Master SKm = Public key Master TS = Time Stamp FU = Filtering Unit PKf = Private key FU SKf = Public key FU {{{TS|ModBUS} PKm } SKm {TS|ModBUS} Master Attacker DataFuntionMBAP TS ModBUS TCP/IP frame {TS|ModBUS} PKm { {TS|ModBUS} PKm } PKf {TS|ModBUS} PKm - Different Architecture - SO: Linux, windows - Different Architecture - SO: Linux, windows Scada FW

8 8 Open V2...Problem... R1: PKT(###) R2: PKT(#@!) R3: PKT(^&%) Cl. V1 Locally licit commands put the system into a critical state Locally licit commands put the system into a critical state PLC1 PLC3 PLC2 Filtering Cloud Alert ! Close V1 Close V3 PKT(###)

9 9 …but… ICT Signature based IDS Safety Analysis ICT Signature based IDS Safety Analysis ICT World Industrial World

10 10 State Based Approach (1) SCADA System Representation

11 11 State Based Approach (3) Critical State Representation IF ( PLC[ 10.0.0.1 ].HR[1] < 20 AND PLC[ 10.0.0.2 ].HR[2] > 70 ) THEN “The system is in a critical state” 0 100

12 12 State Based Filter Architecture

13 13 Loader: Virtual System Loader

14 14 IF ( PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 ) AND ( PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1 ) THEN ALERT Loader: Critical State Rules Loader PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 PLC[10.0.0.2].CO[0] = 0 NOT PLC[10.0.0.2].CO[1] = 1 AND

15 15 SVI: Update System Manager Virtual System 1

16 16 SVI: Real System Synchronizer Virtual System Before Virtual System After Query Field Devices System Update

17 17 Analyzer: Critical State Analyzer Virtual System 1 IF ( PLC[10.0.0.1].CO[1] == 1 ) THEN ALERT

18 18 The Power system SCADA lab Contains: -Idrolab (+150 sensors/actuators) -Control room -3 SCADA systems Hardware and Software: -20 High Performance Servers -150 High End PCs and notebooks -10 Layer 3, 24 ports, gigabit switches -4 High Performance wireless switches -1 Nokia-checkpoint solid state Firewall -4 full network racks -18 km of network cables -300 gigabit network cards -A 100 KW cooling system -A 100 KW UPS system

19 19 JRC SCADA LAB. PLC - RTU Actuators Sensors Actuators Sensors

20 20 Test: Encryption Layer

21 21 Test: Packet Loss Master: sends 100.000 request packets of 260 bytes Slave: responds with 100.000 responses of 260 bytes Requests Sent100.000 Responses Sent100.000 Size Request315 bytes Size Response315 bytes Request Rate1 request sent each 1 ms Rate615,2 kbytes/s Packet Loss0

22 22 Test: Single Signature Rules Analyzer Num RulesAverage Time (on 1000 pkts) 100.0412618 ms 500.1495607 ms 1000.2486327 ms 5001.1152725 ms 10002.1427072 ms 20004.1623632 ms Master: sends 1000 request Slave: responds with 1000 responses Filter: captures the messages and checks if they are licit, according to a rules file which contains n-rules.

23 23 Test: Virtual System Update Num CoilsAverage Time (on 1000 pkts) 10,0012168 ms 500,0030485 ms 1000,0044824 ms 5000,0173109 ms 10000,0334344 ms 20000,0624535 ms Master: sends 1000 request with the command “Read n-coils” Slave: responds with 1000 responses which contains the n-values. Filter: captures the request/response transaction and updates the n-values in the Virtual System.

24 24 Test: Critical State Rules Analyzer (1) Num ConditionsAverage Time (on 1000 pkts) 20,0204746 ms 160,0301169 ms 640,0550301 ms 1280,1206957 ms 2560,2127598 ms 5120,4226185 ms 10241,0706136 ms Master: sends 1000 generic requests Slave: responds with 1000 responses Filter: captures the req/res transaction then checks if the Virtual System is entering in a Critical State, according to a rules file which contains only one rule with n-conditions.

25 25 Test: Critical State Rules Analyzer (2) Num RulesAverage Time (on 1000 pkts) 100,1123061 ms 500,5153591 ms 1001,0248889 ms 5002,6010271 ms 10005,0175991 ms 20009,9285867 ms Master: sends 1000 generic requests Slave: responds with 1000 responses Filter: captures the request/response transaction then checks if the Virtual System is entering in a Critical State, according to a rules file which contains n-rules.

26 26 Thousands of devices to monitor Hundreds of Subsystems Geographically sparse systems System of Systems Impossible to analyze states on a single level Impossible to analyze states on a single level

27 27 Future Works –Abstract Aggregation –Critical State Prediction –Critical State Prediction based Firewalls –Lightweight Cryptographic mechanisms for SCADA protocols

Download ppt "1 A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta."

Similar presentations

Arctic IEC-104 Gateway Jari Lahti, CTO.

Arctic IEC-104 Gateway Jari Lahti, CTO.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Supervisory Control & Data Acquisition Communication Technology Modbus Protocol.

Supervisory Control & Data Acquisition Communication Technology Modbus Protocol.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Final Presentation Presented By: Gal Leibovich Liran Manor Supervisor: Hai Vortman.

Final Presentation Presented By: Gal Leibovich Liran Manor Supervisor: Hai Vortman.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Business Data Communications, Fourth Edition Chapter 10: Network Security.

Business Data Communications, Fourth Edition Chapter 10: Network Security.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.

1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.
NETWORK SECURITY.

NETWORK SECURITY.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Similar presentations

Ads by Google