Dissertation (Phase II) Presentation On: Detecting Network Attack Vectors On SCADA Specific Network Operating On Modbus TCP/IP Protocol
PREPARED BY: Neel H. Pathak, GTU ITSNS
GUIDED BY: Prof. H. B. Patel, Asst. Professor at LCIT, BHANDU
Outline
Introduction: What, How, Why and Where of SCADA Systems?
Problem Description
Background and Reason to choose such Topic (Motivation)
Objectives and Scope of Work
Literature Survey: Issues; Modbus Protocol; Modbus Protocol Structure; Vulnerability in Modbus TCP/IP; C-I-A and Related Study
Proposed Solution: Proposed Solution Flow Diagram; Functional Description; How my proposed solution is different from others?
Implementation Details: Designing of Network; Network Diagram (Internal & External)
Comparison, Analysis and Testing Results: Comparison with popular NIDS
Conclusion and References
Introduction: WHAT are SCADA systems? Supervisory Control and Data Acquisition (SCADA) systems are used for automation purposes in chemical plants, oil and gas plants, power stations, water distribution etc. They are a part of ICS (Industrial Control Systems) and are different from DCS (Distributed Control Systems). A combination of telemetry and data acquisition. Often a misunderstood term.
HOW does a SCADA system communicate? Third generation SCADA systems consist of the following components: Field Instrumentation (sensors and actuators); Remote Stations (RTUs or PLCs); Communications Network (Ethernet, radio or leased line); Central monitoring station (HMI/MMI). Figure adopted from SCADA Primer
Typical SCADA system. Figure adopted from SCADA Primer 
Current SCADA systems. Figure adopted from “Defcon 2011” 
WHERE SCADA Systems are used?
SCADA System categories: SCADA systems can be broadly classified into three categories/generations. 1. Monolithic: independent stand-alone systems. This is what EC engineers refer to. 2. Distributed: connected in a LAN for real-time information sharing. 3. Networked: connected with other networks and the Internet. This is what we refer to.
Problem Description: SCADA systems were not designed with security in mind (analogy: the security, functionality and ease-of-use triangle). Security bears more importance here than in other information systems. Legacy protocols like Modbus are now wrapped with TCP/IP functionality. Modern SCADA systems are connected to the network of networks, i.e. the INTERNET. Little tampering with such systems can even cause LOSS OF LIFE and other casualties. Do you remember the Al-Qaeda attack? And the recent STUXNET worm?
Problem Description: Much research has been carried out to detect network attacks from external networks, but what about the network attacks which take place within the secured periphery of such systems? Such attacks (called "insider attacks") are also of paramount importance and must be considered.
Problem Description Survey conducted by SANS Institute in Feb. 2013
Background And Motivation. BACKGROUND: SCADA systems, being critical infrastructure systems, are prime targets for cyber terrorists, hackers and state-sponsored attacks by professionals: the Al-Qaeda attack, the Siberian pipeline explosion, Iran's nuclear plant (STUXNET worm), the Commonwealth Games (CWG) and many such attacks. MOTIVATION: designed to be fail-safe systems, with no security in mind at that time. If network attacks on critical infrastructure systems can be detected, casualties can to a large extent be prevented, which is better for society as a whole.
Aim, Objectives and Scope of work AIM ?? OBJECTIVES ?? SCOPE OF WORK ??
Literature Survey: HOW are SCADA Systems different?
Business IT Systems / IT Systems      | SCADA Systems
Not real-time                         | Real-time basis
Correctness of information            | Response time is critical
Delay allowed                         | Big problem caused by delay
Data integrity is important           | User's security is important
Task loss by data corruption          | Huge economic loss or casualties
Restoration by rebooting              | Continuous operation required
Table adopted from
Literature Survey: Issues to consider in SCADA systems. How to audit and what to audit? Patching SCADA systems is not so easy. Knowledge gap between SCADA personnel and IT engineers.
Modbus TCP/IP Protocol and its Structure. The Modbus suite was developed in 1979 by Modicon. Free and open source and widely used; the Modbus protocol suite is popularly used in the oil and gas sectors. The suite is further broken into two main versions: Modbus Serial and Modbus TCP. Each protocol provides unicast and multicast functionality.
Modbus Protocol. Fn Code: 1–127. Data: sub-function codes and instructions for registers to read/write. Error Check: uses CRC. Figure adopted from "Defcon" 2011
Function And Sub-Function Codes Figure adopted from modbus.org [Dt. 29/11/2013]
Modbus TCP Protocol Comm. Stack Figure of Modbus TCP/IP Communication Stack (from )
Modbus TCP/IP Packet Figure of Simple Modbus TCP/IP Packet Captured From Wireshark
Modbus TCP/IP Protocol Vulnerabilities. Lack of authentication, so there is no way to find out who sent a Modbus packet. No way to verify the integrity of a Modbus TCP/IP message. Un-encrypted communication; moreover, the content is visible inside the protocol in plain hex.
CIA Triad: Confidentiality, Integrity, Availability. In SCADA, confidentiality has less impact. Typical business systems deal with the C-I-A priority order, but SCADA systems follow an I-A-C order.
HOW can the security posture of a SCADA network be improved? Improvement in the protocol. Follow defense in depth for securing the SCADA network. Stable standards. An intrusion detection system which detects network attacks efficiently.
[Paper 1] Accurate Modeling of Modbus TCP/IP for Intrusion Detection in SCADA Systems (Jan. 2013), Tel Aviv University. Functional description: based on the fact that Modbus traffic to and from HMI-PLC is highly periodic. The authors model each HMI-PLC channel by its unique characteristics. The NIDS uses an anomaly-based detection method. Sensitive in nature.
[Paper 2] Towards Periodicity Based Anomaly Detection in SCADA Networks (IEEE, 2012). Functional description: intrusion detection is based on the fact that the traffic between HMI and PLC is highly periodic due to the polling mechanism. Proposes an approach that exploits traffic periodicity to detect anomalies, which represent potential intrusion attempts.
HMI-PLC1 Network Traffic Graph (Packets Vs Time) HMI-PLC2 Network Traffic Graph (Packets Vs Time)
Cons of PAPER-1 and PAPER-2: Both papers are based only on the polled communication mechanism of HMI-PLC SCADA systems. What if an interrupt-based SCADA system is used? Paper-1 models every HMI-PLC channel's traffic and proposes an anomaly-based NIDS, but we know that anomaly-based NIDS carry a high possibility of FALSE POSITIVES. As the anomaly decision is based solely on traffic periodicity, any attacker who follows the traffic periodicity may inject malicious Modbus packets undetected.
[PAPER-4] Modbus/DNP3 State-Based Filtering System (IEEE, 2010). Functional description: the system aims to detect attacks composed of a set of "SCADA" commands. The proposed IDS can detect complex attacks based on the "to be" state of the system. Example of a critical state rule: PLC1.C23 = 0 and PLC2.C17 -> ALERT.
[PAPER-3] On SCADA Control System Command and Response Injection and Intrusion Detection (IEEE, 2012). Functional description: a set of command injection, data injection and denial-of-service attacks is used as features of attack traffic to train an intrusion detection system built as a neural network. Normal traffic is collected to establish a baseline and detect anomalies. CONS: only a few types of attack are used to check its effectiveness.
Proposed Solution: Here we propose an efficient solution to detect network attacks both within the internal periphery and from the external network, which makes use of a Sequencing and Directional Analysis (SADA) module and a Deep Packet Analysis and Whitelisting Module (DPAWM). It is divided into five phases: 1. Capture raw network traffic. 2. Filter SCADA-specific traffic. 3. SCADA protocol analyzer. 4. Analysis of captured traffic (three modules: SADA, DPAWM and CSDM). 5. Notification generation and alerting.
How is my proposed solution different? My proposed solution has a layered approach to detect network attacks/intrusions in a SCADA network. WHY??? The proposed solution makes use of a WHITELIST-signature-BASED NIDS. WHY??? Identified more than 20 (22 to be precise) whitelist signatures for attack detection. Deep packet analysis is done (thanks to SCAPY), so it prevents the TCP VETO attack. Based on my research, the proposed NIDS may also be used for commercial purposes.
Experiments: REPLAY ATTACK. Primary application: Modbus Poll Master from http://www.modbustools.com, which works on the Modbus TCP/IP protocol; a freeware application used to understand the working of Modbus TCP/IP, built to the Modbus TCP/IP specification. Utilities used to perform the experiment: Modbus Poll Master, Modbus Slave, Wireshark, VMware Workstation, Colasoft Packet Builder, PlayCap and packit. DENIAL-OF-SERVICE ATTACK: the experiment was done to check a denial-of-service attack from the tool modscan, available at https://code.google.com/p/modscan
Implementation Details: Implementation Environment
UTILITY / TOOL / HARDWARE                                   | DESCRIPTION
Modscan, PlayCap, Tcpreplay, Packit and Colasoft Packet Builder | To generate attack scenarios
WIRESHARK and TCPDUMP                                       | For packet analysis and to collect whitelist signatures
Modbus Poll Master and Modbus Slave                         | Applications that work on Modbus TCP/IP, used to study its behaviour
Oracle's VirtualBox                                         | For emulating a real network
Bash, Python 2.7.3 and SCAPY 2.1.0                          | Python to implement the tailor-made NIDS and SCAPY for packet sniffing and manipulation
BeagleBone Black                                            | Hardware to implement all modules and test feasibility
Network Design (External and Internal)
Static Interfaces for Gateway Firewall (External | Internal)
ARP Static Binding to prevent MITM: static ARP binding at the gateway firewall
SCADA Internal Network Scenario
Modbus Poll (HMI-PLC1 and HMI- PLC2)
Web-based One Click Gateway Firewall
SCADA Protocol Analyzer (the slide's pseudo code, rewritten as runnable Python/Scapy; the slide does not list its "predefined conditions", so the Modbus TCP structural checks below stand in for them)

# SCADA Protocol Analyzer. Each sniffed Modbus TCP frame is checked against
# predefined structural conditions; a frame failing any of them is logged and counted.
import binascii
import struct
from scapy.all import sniff, IP, TCP, Raw

result = 0                                    # result flag, checked after the loop

def crafted(payload):
    """True when the Modbus TCP frame fails a predefined condition (examples chosen here)."""
    if len(payload) < 8:                      # shorter than MBAP header + function code
        return True
    tid, proto_id, length, unit_id, fn = struct.unpack(">HHHBB", payload[:8])
    # protocol id is always 0, MBAP length must cover unit id + PDU, fn codes are 1-127
    return proto_id != 0 or length != len(payload) - 6 or not 1 <= fn <= 127

def protocol_analyser(pkts):                  # protocol analyzer module
    global result
    for pkt in pkts:                          # 1. loop through each captured packet
        if not (pkt.haslayer(TCP) and pkt.haslayer(Raw) and 502 in (pkt[TCP].sport, pkt[TCP].dport)):
            continue                          # not Modbus TCP traffic
        proto_legitimate = 0                  # 2. flag: set to 1 when any condition fails
        if crafted(bytes(pkt[Raw].load)):
            proto_legitimate = 1
        if proto_legitimate == 1:             # 3. protocol not crafted properly
            with open("blacklist_signatures.log", "ab") as db:   # blacklisting signature database
                db.write(binascii.hexlify(bytes(pkt[Raw].load)) + b"\n")
            result += 1
            print("ALERT: crafted Modbus frame from %s" % pkt[IP].src)

pkts = sniff(count=500)                       # sniff 500 real-time packets (promiscuous mode)
protocol_analyser(pkts)
if result > 0:                                # 4. do not process further modules
    raise SystemExit("crafted frames seen; further modules skipped")
# else: process the further modules (SADA, DPAWM and CSDM)
SCADA Protocol Analyzer Snapshot of Anomalies Found for Malicious Modbus Packet
Sequencing And Directional Analysis Module: Researchers have found that Modbus TCP/IP traffic is highly periodic and predictable in nature, but if we look at the traffic we find that not only is the traffic highly periodic, the SEQUENCE OF PACKETS in the communication is also highly predictable. This predictable sequence of HMI-PLC communication is modelled in the SADA module: we look at the IP address along with its MAC address and the TCP Seq and ACK numbers to check the sequence.
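As an added example (not the dissertation's SADA code, whose internals the slides do not show), the following Python models one polled HMI-PLC channel the way the slide describes: request and response direction, transaction-id pairing, the IP-to-MAC binding, and TCP seq/ack continuity. The addresses, MAC bindings and the packet trace are constructed for the example; the last two packets are a replayed request and a spoofed response so that the checks have something to flag.

```python
from collections import namedtuple

# One captured packet reduced to the fields the SADA module inspects.
Pkt = namedtuple("Pkt", "src_ip src_mac dst_ip dst_mac seq ack plen tid")

# Constructed HMI-PLC1 channel: addresses and MAC bindings are assumptions, not the dissertation's network.
HMI, PLC = "10.0.0.10", "10.0.0.20"
BINDINGS = {HMI: "aa:aa:aa:aa:aa:01", PLC: "bb:bb:bb:bb:bb:01"}


class SADAMonitor:
    """Models one polled HMI-PLC channel: request/response direction, transaction id
    pairing, IP-to-MAC binding and TCP seq/ack continuity. State advances only on
    packets that raised no alert, so an injected packet cannot resynchronise the model."""

    def __init__(self, bindings, hmi, plc):
        self.bindings, self.hmi, self.plc = bindings, hmi, plc
        self.next_seq = {}        # src ip -> seq number its next segment must carry
        self.pending_tid = None   # transaction id of the request awaiting a response

    def inspect(self, p):
        alerts = []
        if self.bindings.get(p.src_ip) != p.src_mac:
            alerts.append("IP/MAC mismatch for %s (%s)" % (p.src_ip, p.src_mac))
        new_pending = self.pending_tid
        if (p.src_ip, p.dst_ip) == (self.hmi, self.plc):          # request direction
            if self.pending_tid is not None:
                alerts.append("request tid %d while tid %d unanswered" % (p.tid, self.pending_tid))
            new_pending = p.tid
        elif (p.src_ip, p.dst_ip) == (self.plc, self.hmi):        # response direction
            if self.pending_tid is None:
                alerts.append("response tid %d without outstanding request" % p.tid)
            elif p.tid != self.pending_tid:
                alerts.append("response tid %d does not match request tid %d" % (p.tid, self.pending_tid))
            new_pending = None
        else:
            alerts.append("unexpected direction %s -> %s" % (p.src_ip, p.dst_ip))
        expected = self.next_seq.get(p.src_ip)                     # TCP seq continuity per sender
        if expected is not None and p.seq != expected:
            alerts.append("seq %d != expected %d (replayed or injected segment)" % (p.seq, expected))
        peer_sent = self.next_seq.get(p.dst_ip)                    # ack must cover what the peer sent
        if peer_sent is not None and p.ack != peer_sent:
            alerts.append("ack %d != peer's next seq %d" % (p.ack, peer_sent))
        if not alerts:                                             # commit state only for clean packets
            self.pending_tid = new_pending
            self.next_seq[p.src_ip] = p.seq + p.plen
        return alerts


# Constructed trace: two clean poll cycles, then a replayed request and a spoofed response.
TRAFFIC = [
    Pkt(HMI, BINDINGS[HMI], PLC, BINDINGS[PLC], 1000, 5000, 12, 1),   # read request, tid 1
    Pkt(PLC, BINDINGS[PLC], HMI, BINDINGS[HMI], 5000, 1012, 29, 1),   # response, tid 1
    Pkt(HMI, BINDINGS[HMI], PLC, BINDINGS[PLC], 1012, 5029, 12, 2),   # read request, tid 2
    Pkt(PLC, BINDINGS[PLC], HMI, BINDINGS[HMI], 5029, 1024, 29, 2),   # response, tid 2
    Pkt(HMI, BINDINGS[HMI], PLC, BINDINGS[PLC], 1000, 5000, 12, 1),   # replay of packet 0
    Pkt(PLC, "cc:cc:cc:cc:cc:cc", HMI, BINDINGS[HMI], 5058, 1024, 29, 9),  # response from wrong MAC, no request
]


def run_channel(trace, bindings=BINDINGS, hmi=HMI, plc=PLC):
    """Return one alert list per packet, in trace order."""
    mon = SADAMonitor(bindings, hmi, plc)
    return [mon.inspect(p) for p in trace]


if __name__ == "__main__":
    for i, alerts in enumerate(run_channel(TRAFFIC)):
        print(i, alerts or "ok")
```

The model refuses to advance its expected seq/ack on a packet that raised an alert; otherwise a single injected segment would become the new baseline and the genuine stream that follows it would be reported instead.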
HMI-PLC1 Sequence Analysis
Deep Packet Analysis and Whitelisting Module (DPAWM): We have identified more than 20 (22 to be precise) parameters that form the whitelist signature. Currently 2 among 7 whitelist signatures are modelled. The major ones among the 22 parameters are: Slave ID; TCP flags PSH/URG; Transaction ID; length of the frame and of the Modbus packet; function codes; word count and byte count; and, most importantly, the Modbus data field.
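As an added example (not the dissertation's DPAWM code, and not its signature format), the following pure-Python block applies the kind of whitelist the slide lists to raw Modbus TCP frames: it parses the MBAP header and function code, then checks protocol id, frame length, slave (unit) id, function code and the requested register window. The frames and the whitelist values are constructed for the example.

```python
import struct
from typing import List

# Constructed Modbus TCP/IP frames (MBAP header + PDU). Layout: transaction id (2),
# protocol id (2), length (2), unit id (1), function code (1), data. None are real captures.
FRAMES = {
    "read_holding_ok":   bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000A"),  # FC3, start 0, 10 regs
    "bad_proto_id":      bytes.fromhex("0002" "0001" "0006" "01" "03" "0000" "000A"),  # protocol id must be 0
    "bad_length":        bytes.fromhex("0003" "0000" "0009" "01" "03" "0000" "000A"),  # MBAP length lies
    "unknown_unit":      bytes.fromhex("0004" "0000" "0006" "07" "03" "0000" "000A"),  # slave id 7 not polled
    "write_not_allowed": bytes.fromhex("0005" "0000" "0006" "01" "06" "0010" "1234"),  # FC6 write single reg
    "exception_fc":      bytes.fromhex("0006" "0000" "0006" "01" "83" "0000" "000A"),  # fc 0x83 is outside 1-127
    "out_of_window":     bytes.fromhex("0007" "0000" "0006" "01" "03" "0050" "0028"),  # regs 80..119
}

# Constructed whitelist for one HMI-PLC channel; values are assumptions for the example.
WHITELIST = {
    "unit_ids": {1, 2},
    "function_codes": {3, 4},     # read holding / input registers only (polling traffic)
    "register_window": (0, 99),   # addresses the HMI is known to poll
    "max_quantity": 125,          # Modbus specification limit for FC3/FC4
}


def parse_modbus_tcp(payload: bytes):
    """Return (transaction id, protocol id, length, unit id, function code, data)."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", payload[:8])
    return tid, pid, length, uid, fc, payload[8:]


def check_frame(payload: bytes, whitelist=WHITELIST) -> List[str]:
    """Return the whitelist violations for one frame; an empty list means it is permitted."""
    violations = []
    try:
        tid, pid, length, uid, fc, data = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [str(exc)]
    if pid != 0:
        violations.append("protocol id %d != 0" % pid)
    if length != len(payload) - 6:                       # length counts unit id + PDU
        violations.append("MBAP length %d != actual %d" % (length, len(payload) - 6))
    if not 1 <= fc <= 127:
        violations.append("function code %d outside 1-127" % fc)
    elif fc not in whitelist["function_codes"]:
        violations.append("function code %d not whitelisted" % fc)
    if uid not in whitelist["unit_ids"]:
        violations.append("unit id %d not whitelisted" % uid)
    if fc in (3, 4) and len(data) == 4:                  # read request: start address + quantity
        start, qty = struct.unpack(">HH", data)
        lo, hi = whitelist["register_window"]
        if qty == 0 or qty > whitelist["max_quantity"]:
            violations.append("quantity %d outside 1-%d" % (qty, whitelist["max_quantity"]))
        if start < lo or start + qty - 1 > hi:
            violations.append("registers %d-%d outside window %d-%d" % (start, start + qty - 1, lo, hi))
    return violations


def scan(frames=FRAMES):
    """Check every constructed frame; returns {name: violations}."""
    return {name: check_frame(raw) for name, raw in frames.items()}


if __name__ == "__main__":
    for name, violations in scan().items():
        print(name, "->", violations or "permitted")
```

Each check is independent, so a single crafted frame can accumulate several violations; logging them all, rather than stopping at the first, is what makes the whitelist usable as a signature source later.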
Critical State Distance Module and Tunable Parameters Work done in  is used to calculate Critical State Distance for early Critical State Detection. An xml file is used for tuneable parameters such that one can change the data parameters to monitor.
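As an added example (not the dissertation's CSDM code, and a simplified reading of the critical-state distance idea rather than the cited paper's exact metric), the block below loads critical-state conditions and an early-warning threshold from an XML file, as the slide says the tunable parameters are, and computes a distance that shrinks to zero as polled register values approach the critical state. The first condition reuses the slide's own example (PLC1.C23 = 0); the pressure threshold on PLC2.C17, the register snapshots and the threshold value are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed tunable-parameter file. PLC1.C23 = 0 is the slide's example; the
# PLC2.C17 threshold and the early-warning level are assumptions for this example.
CONFIG_XML = """
<nids>
  <threshold early="0.2"/>
  <critical_state name="valve_closed_overpressure">
    <cond var="PLC1.C23" op="eq" value="0"/>
    <cond var="PLC2.C17" op="ge" value="900"/>
  </critical_state>
</nids>
"""


def load_config(xml_text):
    """Parse the XML into (early_threshold, [(state_name, [(var, op, value), ...]), ...])."""
    root = ET.fromstring(xml_text)
    early = float(root.find("threshold").get("early"))
    states = []
    for cs in root.findall("critical_state"):
        conds = [(c.get("var"), c.get("op"), float(c.get("value"))) for c in cs.findall("cond")]
        states.append((cs.get("name"), conds))
    return early, states


def cond_gap(current, op, value):
    """0.0 when the condition already holds; otherwise a gap in (0, 1] scaled by the
    threshold, so the value shrinks as the process variable approaches the condition."""
    scale = max(abs(value), 1.0)
    if op == "eq":
        return 0.0 if current == value else 1.0
    if op == "ge":
        return 0.0 if current >= value else min(1.0, (value - current) / scale)
    if op == "le":
        return 0.0 if current <= value else min(1.0, (current - value) / scale)
    raise ValueError("unknown operator %r" % op)


def critical_state_distance(state, conds):
    """Sum of per-condition gaps: 0 means the critical state has been reached."""
    return sum(cond_gap(state[var], op, value) for var, op, value in conds)


def evaluate(state, early, states):
    """Return {state_name: (verdict, distance)} for the current register snapshot."""
    verdicts = {}
    for name, conds in states:
        d = critical_state_distance(state, conds)
        verdict = "CRITICAL" if d == 0 else ("EARLY_WARNING" if d <= early else "NORMAL")
        verdicts[name] = (verdict, d)
    return verdicts


# Constructed polling snapshots: valve closed while pressure climbs towards the threshold.
SNAPSHOTS = [
    {"PLC1.C23": 0, "PLC2.C17": 500},
    {"PLC1.C23": 0, "PLC2.C17": 850},
    {"PLC1.C23": 0, "PLC2.C17": 900},
    {"PLC1.C23": 1, "PLC2.C17": 900},   # valve open: not the critical state
]

if __name__ == "__main__":
    early, states = load_config(CONFIG_XML)
    for snap in SNAPSHOTS:
        print(snap, evaluate(snap, early, states))
```

Because the distance is computed from the values the HMI already polls, the early warning fires one or more polling cycles before the critical state itself, which is the "early detection" the slide lists among the factors compared later.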
Comparison, Analysis and Testing Results: In order to measure the effectiveness of our proposed solution, we have considered many parameters and compared it with the "nearly" existing system. The term "nearly" is used because no solution proposed to date deeply checks the Modbus TCP/IP protocol with whitelist signatures. We have used a very popular NIDS for our comparison: THE SNORT NIDS.
Performance w.r.t CPU resource utilization
Performance graph (gnuplot + atop): SNORT | Our NIDS
Consideration of other important factors: 0-day detection; TCP VETO detection (probable); deep packet analysis check (also includes physical + data link layer); false negatives and false positives; BITW?? (update-rc.d -f + /etc/init.d/ + .conf files + bootup manager); early detection.
Packet level comparison between SNORT and Our Proposed Solution (Modbus TCP/IP)
                       | SNORT NIDS | OUR PROPOSED NIDS
Data Packets           | 5000       | 5000
Actual Attack Packets  | 950        | 950
Alerts                 | 2033       | 977
False +ve              | 1084       | 84
False -ve              | *19-*66    | *13-*17
Packets Received       | 4696       | 4451
Packet Loss            | 302        | 549
Test machine: Ubuntu 12.04 LTS, 32 bit, 3.7 GB RAM & Core i3 CPU @ 2.53 GHz x4
Comparison with other parameters
                           | SNORT                                   | OUR PROPOSED NIDS
Installation/Deployment    | Medium                                  | Very easy
New Attack Detection       | No (until signatures updated)           | Yes
Configuration Level        | Medium                                  | Easy (just one xml file)
Packet Loss                | 302                                     | 549
Crafted Packet Detection   | No                                      | Yes
Integration with other H/W | Medium (requires good processing power) | Easy
Conclusion: Security in/for a SCADA system/network should be proactive in nature rather than reactive. Besides considering network attacks from the external network, one must also consider attacks from within the secured periphery of these control systems. Considering such issues, we have proposed an innovative and hybrid approach to detect network attacks, thereby designing a practical NIDS. We have successfully validated our approach by implementing certain attack vectors to detect anomalies in a SCADA network.
Conclusion (contd.): We have tested our proposed mechanism in a specific scenario and are satisfied with the results, as they were as expected. However, we have not tested our proposed mechanism in a real environment.
References
A. Robert (2013, Oct. 5). SCADA Primer [online]. Available: http://www.micrologic.ph/primers/scada.htm
G. Thomson (2013, Oct. 5). Cyber-Attacks by Al Qaeda Feared [online]. Available: http://www.washingtonpost.com/wp-dyn/content/article/2006/06/12/AR2006061200711.html
Miller, B., & Rowe, D. A survey of SCADA and critical infrastructure incidents, 2012.
Zia Saquib, IEEE SCADA conference, Mumbai, 19 Oct. 2013.
Rosslin R. and Min-Kyu Choi, "Assessment of the Vulnerabilities of SCADA, Control Systems and Critical Infrastructure Systems", International Journal of Grid and Distributed Computing, June 2009.
Kim, S. A Study on Optimization of Security Function for reducing Vulnerabilities in SCADA, 65–69.
Ganesh Devrajan (Oct. 5th). Unraveling SCADA Protocols: Using Sulley Fuzzer. Defcon 2011 [online]. Available: www.defcon.org/images/defcon-15/dc15-presentations/dc-15-devarajan.pdf
V. M. Igure, S. A. Laughter and R. D. Williams. Security issues in SCADA networks. Computers & Security 25(7), pp. 498–506, 2006.
Hayes, G., & El-khatib, K. Securing Modbus Transactions Using Hash-Based Message Authentication Codes and Stream Transmission Control Protocol, 179–184, 2013.
Kang, D., Lee, J., Researcher, S., Kim, S., & Park, J. (2009). Analysis on Cyber Threats to SCADA systems, 1–4.
Zhu, B., Joseph, A., & Sastry, S. (2011). A Taxonomy of Cyber Attacks on SCADA Systems. 2011 International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing, 380–388.
Bagaria, S., Prabhakar, S. B., & Saquib, Z. (2011). Flexi-DNP3: Flexible distributed network protocol version 3 (DNP3) for SCADA security. 2011 International Conference on Recent Trends in Information Systems, 3, 293–296.
Urias, V., Van Leeuwen, B., & Richardson, B. (2012). Supervisory Command and Data Acquisition (SCADA) system cyber security analysis using a live, virtual, and constructive (LVC) testbed. MILCOM 2012 - 2012 IEEE Military Communications Conference, 1–8.
Li, G.-W., Ju, W.-Y., & Shi, D.-Y. (2012). Functional Vulnerability Assessment of SCADA Network. 2012 Asia-Pacific Power and Energy Engineering Conference, 1–4.
Byres, E. J., Franz, M., & Miller, D. The Use of Attack Trees in Assessing Vulnerabilities in SCADA Systems.
Kim, S. A Study on Optimization of Security Function for reducing Vulnerabilities in SCADA, 65–69.
Rautmare, S. (2013). SCADA System Security.
Bureau Of Indian Standards [online]. Available: http://www.bis.org.in
Carcano, A., Nai Fovino, I., & Masera, M. (2010). Modbus/DNP3 state-based filtering system. 2010 IEEE International Symposium on Industrial Electronics, 231–236.
Morris, T., Reaves, B., & Richey, D. (2012). On SCADA control system command and response injection and intrusion detection. 2010 eCrime Researchers Summit, 1–9.
Verba, J., Box, P. O., & Falls, I. (2008). Idaho National Laboratory Supervisory Control and Data Acquisition Intrusion Detection System (SCADA IDS), (208).
Barbosa, R. R. R., Sadre, R., & Pras, A. (2012). Towards periodicity based anomaly detection in SCADA networks. Proceedings of 2012 IEEE 17th International Conference on Emerging Technologies & Factory Automation (ETFA 2012), 1–4.
Matthew E. Luallen (2013, Dec. 2). SANS SCADA and Process Control Security Survey [online]. Available: https://www.sans.org/reading-room/analysts-program/sans-survey-scada-2013
Carcano, A., Fovino, I. N., & Masera, M. (2010, July). Modbus/DNP3 state-based filtering system. In Industrial Electronics (ISIE), 2010 IEEE International Symposium on (pp. 231–236). IEEE.