1 Dissertation (Phase II)
Presentation on: Detecting Network Attack Vectors on SCADA-Specific Networks Operating on the Modbus TCP/IP Protocol
Prepared by: Neel H. Pathak, GTU ITSNS [ ]
Guided by: Prof. H. B. Patel, Asst. Professor at LCIT, Bhandu
2 Outline
- Introduction: What, How, Why and Where of SCADA systems; Problem Description; Background and Reason to Choose the Topic (Motivation); Objectives and Scope of Work
- Literature Survey: Issues; Modbus Protocol; Modbus Protocol Structure; Vulnerabilities in Modbus TCP/IP; C-I-A and Related Study
- Proposed Solution: Flow Diagram; Functional Description; How the proposed solution differs from others; Implementation Details; Network Design; Network Diagram (Internal and External)
- Comparison, Analysis and Testing Results: Comparison with a popular NIDS
- Conclusion and References
3 Introduction: WHAT are SCADA systems?
Supervisory Control and Data Acquisition (SCADA) systems are used for automation in chemical plants, oil and gas plants, power stations, water distribution, etc.
A part of ICS (Industrial Control Systems) and distinct from DCS (Distributed Control Systems).
A combination of telemetry and data acquisition.
Often a misunderstood term.
4 HOW does a SCADA system communicate?
Third-generation SCADA systems consist of the following components:
- Field instrumentation (sensors and actuators)
- Remote stations (RTUs or PLCs)
- Communications network (Ethernet, radio or leased line)
- Central monitoring station (HMI/MMI)
Figure adopted from SCADA Primer.
5 Typical SCADA system. Figure adopted from SCADA Primer 
6 Current SCADA systems. Figure adopted from “Defcon 2011” 
8 SCADA system categories
SCADA systems can be broadly classified into three categories/generations:
1. Monolithic: independent stand-alone systems. This is what EC engineers refer to.
2. Distributed: connected over a LAN for real-time information sharing.
3. Networked: connected to other networks and the Internet. This is what we refer to.
9 Problem Description
SCADA systems were not designed with security in mind. Analogy: the security, functionality and ease-of-use triangle.
Security bears more importance here than in other information systems.
Legacy protocols such as Modbus are now wrapped in TCP/IP, and modern SCADA systems are connected to the network of networks, i.e. the INTERNET.
Little tampering with such systems can cause LOSS OF LIFE and other casualties.
Do you remember the Al-Qaeda attack? And the recent STUXNET worm?
10 Problem Description
Much research has been carried out to detect network attacks from external networks, but what about the network attacks that take place within the secured periphery of such systems?
Such attacks (called "insider attacks") are also of paramount importance.
11 Problem DescriptionSurvey conducted by SANS Institute in Feb. 2013
12 Background and Motivation
SCADA systems, being critical infrastructure systems, are prime targets of cyber terrorists, hackers and state-sponsored professionals.
Al-Qaeda attack, Siberian pipeline explosion, Iran's nuclear plant (STUXNET worm), Commonwealth Games (CWG) and many such attacks.
Motivation: these systems were designed to be fail-safe, with no security in mind at the time. If network attacks on critical infrastructure systems can be detected, casualties can to a large extent be prevented, which is better for society as a whole.
14 Literature Survey: HOW are SCADA systems different?
Business IT Systems          | SCADA Systems
Not real-time                | Real-time basis
Correctness of information   | Response time is critical
Delay allowed                | Delay is a big problem
Data integrity is important  | User's security is important
Task loss by data corruption | Huge economic loss or casualties
Restoration by rebooting     | Continuous operation required
Table adopted from the cited source.
15 Literature Survey: issues to consider in SCADA systems
How to audit, and what to audit?
Patching SCADA systems is not easy.
Knowledge gap between SCADA personnel and IT engineers.
16 Modbus TCP/IP Protocol and its Structure
Modbus suite: developed in 1979 by Modicon. Openly published, royalty-free and widely used.
The Modbus protocol suite is popular in the oil and gas sector. The suite is broken into two main versions:
- Modbus Serial (RTU and ASCII framing)
- Modbus TCP
Each variant supports unicast addressing; Modbus Serial additionally supports broadcast (slave address 0).
17 Modbus Protocol (figure adopted from "Defcon" 2011)
Function code: 1 to 127. Data: sub-function codes and instructions for the registers to read/write. Error check: CRC (Modbus RTU framing; ASCII framing uses an LRC instead).
18 Modbus TCP Protocol: Modbus TCP frame structure (figure adopted from the cited source).
19 Function and Sub-Function Codes. Figure adopted from modbus.org [Dt. 29/11/2013].
20 Modbus TCP Protocol Communication Stack. Figure of the Modbus TCP/IP communication stack (adopted from the cited source).
21 Figure of Simple Modbus TCP/IP Packet Captured From Wireshark
22 Modbus TCP/IP Protocol Vulnerabilities
Lack of authentication: there is no way to tell who sent a Modbus packet.
No integrity protection: nothing in Modbus TCP/IP lets a receiver verify that a frame was not altered in transit (the TCP checksum only catches transmission errors, not deliberate modification).
Unencrypted communication: the protocol content is visible in plain hex in any capture.
23 C-I-A in SCADA systems
Typical business systems deal with the C-I-A triad (Confidentiality, Integrity, Availability). In SCADA systems the priority order is I-A-C: Integrity and Availability come first, and Confidentiality has the least impact.
24 Typical attack scenario Figure adopted from IEEE Conference, Mumbai 19th OCT 
25 HOW can the security posture of a SCADA network be improved?
- Improvement in the protocol
- Defense in depth for securing the SCADA network
- Stable standards
- An intrusion detection system that detects network attacks efficiently
26 Accurate Modeling of Modbus TCP/IP for Intrusion Detection in SCADA Systems (Jan. 2013), Tel Aviv University [Paper-1]
Functional description: based on the fact that Modbus traffic between HMI and PLC is highly periodic. The authors model each HMI-PLC channel by its unique characteristics. The NIDS uses anomaly-based detection and is sensitive to any deviation from the learned model.
Towards Periodicity Based Anomaly Detection in SCADA Networks (IEEE, 2012) [Paper-2]
Functional description: intrusion detection is based on the fact that HMI-PLC traffic is highly periodic because of the polling mechanism. The authors propose an approach that exploits traffic periodicity to detect anomalies that represent potential intrusion attempts.
27 HMI-PLC1 Network Traffic Graph (Packets Vs Time)
28 Cons: PAPER-1 and PAPER-2
Both papers rely only on the polled communication mechanism of an HMI-PLC SCADA system. What if an interrupt-based (event-driven) SCADA system is used?
Paper-1 models the traffic of every HMI-PLC channel and proposes an anomaly-based NIDS, but anomaly-based NIDS carry a high possibility of FALSE POSITIVES.
Because the anomaly behaviour is based solely on traffic periodicity, an attacker who follows the traffic periodicity may inject malicious Modbus packets undetected.
29 On SCADA Control System Command and Response Injection and Intrusion Detection (IEEE, 2012) [PAPER-3]
Functional description: a set of command-injection, data-injection and denial-of-service attacks is used as features of attack traffic to train a neural-network intrusion detection system. Normal traffic is collected to establish a baseline and detect anomalies.
Cons: only a few types of attack are used to check its effectiveness.
Modbus/DNP3 State-Based Filtering System (IEEE, 2010) [PAPER-4]
Functional description: the system aims to detect attacks composed of a set of "SCADA" commands. The proposed IDS can detect complex attacks based on the "to be" state of the system.
Example of a critical state: PLC1.C23 = 0 and PLC2.C17 -> ALERT
31 Proposed Solution
We propose an efficient solution to detect network attacks both within the internal periphery and from the external network, making use of a Sequencing and Directional Analysis (SADA) module and a Deep Packet Analysis and Whitelisting Module (DPAWM).
It is divided into five phases:
1. Capture raw network traffic.
2. Filter SCADA-specific traffic.
3. SCADA protocol analyzer.
4. Analysis of captured traffic (three modules: SADA, DPAWM and CSDM).
5. Notification generation and alerting.
33 How is the proposed solution different?
The proposed solution takes a layered approach to detecting network attacks/intrusions in a SCADA network. WHY?
It uses a WHITELIST, signature-based NIDS. WHY?
More than 20 (22, to be precise) whitelist parameters were identified for attack detection.
Deep packet analysis is done (thanks to SCAPY), so the TCP VETO attack is caught as well.
Based on this research, the proposed NIDS may also be usable commercially.
34 Experiments: DENIAL-OF-SERVICE ATTACK and REPLAY ATTACK
Primary application: Modbus Poll Master, which works on the Modbus TCP/IP protocol; a freeware application built to the Modbus TCP/IP specification and used here to understand the working of the protocol.
Utilities used to perform the experiments: Modbus Poll Master, Modbus Slave, Wireshark, VMware Workstation, Colasoft Packet Builder, PlayCap and packit.
DENIAL-OF-SERVICE ATTACK: the experiment checked a denial-of-service attack generated with the tool modscan (available online).
35 Implementation Details: implementation environment
UTILITY/TOOL/HARDWARE | DESCRIPTION
Modscan, PlayCap, tcpreplay, packit and Colasoft Packet Builder | To generate attack scenarios
Wireshark and tcpdump | For packet analysis and to collect whitelist signatures
Modbus Poll Master and Modbus Slave | Applications that work on Modbus TCP/IP, used to study its behaviour
Oracle VirtualBox | For emulating a real network
Bash, Python and Scapy 2.1.0 | Python to implement the tailor-made NIDS, Scapy for packet sniffing and manipulation
BeagleBone Black | Hardware on which to implement all modules and test feasibility
48 SCADA Protocol Analyzer (PSEUDO CODE)
Result = 0                          # result flag, checked at the end
pkts = sniff(count=500)             # sniff 500 live packets in promiscuous mode
protocol_analyser(pkts):            # protocol analyzer module
    for each packet in pkts:        # loop over every packet in real time
        proto_legitimate = 0        # flag: 0 means the protocol is legitimate
        compare the packet against the predefined conditions
        if any condition fails: proto_legitimate = 1
        if proto_legitimate == 1:   # the protocol is not crafted properly
            LOG the packet to the blacklisting signature database
            Result = Result + 1
            raise an ALERT
49
if Result > 0:
    do not process further modules; exit
else:
    process further modules
50 SCADA Protocol Analyzer Snapshot of Anomalies Found for Malicious Modbus Packet
51 Sequencing and Directional Analysis Module (SADA)
Researchers have found that Modbus TCP/IP traffic is highly periodic and predictable in nature. Looking at the traffic shows that not only is the traffic periodic, the SEQUENCE OF PACKETS in a conversation (HMI request, then PLC response) is also highly predictable.
This predictable sequence of HMI-PLC communication is modelled in the SADA module.
So we check each IP address together with its MAC address, the direction of each packet, and the TCP sequence and acknowledgement numbers, to verify that the sequence is intact.
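As an added illustration of the SADA idea (example code written for this page, not the dissertation's own module), the block below runs three checks over a constructed HMI-PLC conversation: each source IP must appear with the MAC address learned for it, each Modbus response must answer an outstanding request in the expected direction (matched on the MBAP transaction id), and each response must acknowledge exactly the bytes of that request. The IP/MAC addresses, the client port and the trace itself are assumptions constructed for the example.

```python
"""Added example (not the dissertation's code): SADA-style sequence and
direction checks over a constructed Modbus TCP conversation."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List

MODBUS_PORT = 502

# Learned channel (assumed addresses): the HMI and the PLC it polls.
HMI_IP, HMI_MAC = "192.168.10.5", "00:11:22:aa:bb:01"
PLC_IP, PLC_MAC = "192.168.10.20", "00:11:22:aa:bb:20"


@dataclass
class Pkt:
    """The fields a sniffer would hand us for one TCP segment carrying Modbus."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    payload: bytes


@dataclass
class Channel:
    binding: Dict[str, str] = field(
        default_factory=lambda: {HMI_IP: HMI_MAC, PLC_IP: PLC_MAC})
    pending: Dict[int, Pkt] = field(default_factory=dict)  # tid -> request awaiting reply
    alerts: List[str] = field(default_factory=list)

    def feed(self, p: Pkt) -> None:
        # (1) Identity: a known IP arriving with a different MAC points at
        #     impersonation (e.g. ARP spoofing) inside the periphery.
        if self.binding.get(p.src_ip) != p.src_mac:
            self.alerts.append(f"{p.src_ip} seen with unexpected MAC {p.src_mac}")
            return
        tid = struct.unpack(">H", p.payload[:2])[0]  # MBAP transaction id
        if (p.src_ip, p.dst_ip, p.dport) == (HMI_IP, PLC_IP, MODBUS_PORT):
            # (2) Request direction.  A tid that is still outstanding means a
            #     replayed or injected duplicate request.
            if tid in self.pending:
                self.alerts.append(f"duplicate request tid={tid}")
            self.pending[tid] = p
        elif (p.src_ip, p.dst_ip, p.sport) == (PLC_IP, HMI_IP, MODBUS_PORT):
            req = self.pending.pop(tid, None)
            if req is None:
                self.alerts.append(f"response tid={tid} without a matching request")
            # (3) TCP sequencing: the reply must ack exactly the request bytes
            #     and continue from the seq number the request acknowledged.
            elif p.ack != req.seq + len(req.payload) or p.seq != req.ack:
                self.alerts.append(f"response tid={tid} breaks the TCP seq/ack sequence")
        else:
            self.alerts.append(
                f"unexpected direction {p.src_ip}:{p.sport} -> {p.dst_ip}:{p.dport}")


def request(tid: int, seq: int, ack: int, src_mac: str = HMI_MAC) -> Pkt:
    """Constructed HMI request: unit 1, FC 0x03, read 10 holding registers."""
    pdu = bytes.fromhex("01 03 0000 000a")
    payload = struct.pack(">HHH", tid, 0, len(pdu)) + pdu  # MBAP header + PDU
    return Pkt(src_mac, PLC_MAC, HMI_IP, PLC_IP, 40000, MODBUS_PORT, seq, ack, payload)


def response(tid: int, seq: int, ack: int) -> Pkt:
    """Constructed PLC response: unit 1, FC 0x03, byte count 20, zeroed data."""
    pdu = bytes.fromhex("01 03 14") + bytes(20)
    payload = struct.pack(">HHH", tid, 0, len(pdu)) + pdu
    return Pkt(PLC_MAC, HMI_MAC, PLC_IP, HMI_IP, MODBUS_PORT, 40000, seq, ack, payload)


def analyse_trace(pkts: List[Pkt]) -> List[str]:
    """Feed a whole capture through one channel model and return its alerts."""
    ch = Channel()
    for p in pkts:
        ch.feed(p)
    return ch.alerts


# Constructed trace: two clean poll cycles, then three anomalies.
TRACE = [
    request(1, 1000, 5000), response(1, 5000, 1012),        # 12-byte request acked
    request(2, 1012, 5029), response(2, 5029, 1024),        # 29-byte response acked
    response(7, 5058, 1024),                                # injected reply, no request
    request(3, 1024, 5058, src_mac="de:ad:be:ef:00:01"),    # HMI IP with a foreign MAC
    response(2, 5029, 1024),                                # replay of an already-answered reply
]

if __name__ == "__main__":
    for alert in analyse_trace(TRACE):
        print("ALERT:", alert)
```

The model keeps one outstanding request per transaction id, which is what a polling HMI produces; an event-driven PLC that pushes unsolicited data would need the direction check relaxed for that channel, which is exactly the limitation raised against Paper-1 and Paper-2 above.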
54 Deep Packet Analysis and Whitelisting Module (DPAWM)
We have identified more than 20 (22, to be precise) parameters that form a whitelist signature. Currently 2 of the 7 whitelist signatures are modelled.
The major parameters among the 22 are:
- Slave ID (Unit ID)
- TCP flags PSH/URG
- Transaction ID
- Length of the frame and of the Modbus packet
- Function codes
- Word count and byte count
- and, most importantly, the Modbus data field
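The protocol-analyzer pseudo code (slide 48) and the DPAWM parameter list above are combined in one added example below. It is not the dissertation's code: it first applies the structural checks every Modbus TCP ADU must pass (protocol id, length field against the bytes actually present, 260-byte ADU limit, function code range) and only then checks unit id, function code, word/byte counts and the data field against a whitelist. The whitelist values (unit 1, read/write holding-register functions, register and set-point ranges) are assumptions for one channel, and the five frames at the bottom are constructed, not captured.

```python
"""Added example (not the dissertation's code): stdlib-only Modbus TCP protocol
analyser plus DPAWM-style whitelist checks over constructed frames."""
import struct
from dataclasses import dataclass
from typing import List

MBAP_LEN = 7  # transaction id(2) + protocol id(2) + length(2) + unit id(1)

# Assumed whitelist for this HMI-PLC channel.
ALLOWED_UNIT_IDS = {1}
ALLOWED_FUNCTION_CODES = {0x03, 0x06, 0x10}  # read HRs, write single HR, write multiple HRs
HR_ADDRESSES = range(0, 100)                 # holding registers the HMI may touch
HR_VALUES = range(0, 5001)                   # set-point range the process tolerates


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_request(payload: bytes) -> ModbusRequest:
    """Protocol analyser: structural checks every Modbus TCP ADU must pass.
    Raises ValueError for a truncated or crafted frame."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid}, expected 0")
    # The length field counts the unit id plus the PDU: everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} but {len(payload) - 6} bytes follow")
    if length > 254:  # 260-byte ADU limit
        raise ValueError("ADU longer than 260 bytes")
    fc = payload[7]
    if fc == 0 or fc & 0x80:  # 0 is invalid; 0x80+ marks exception responses
        raise ValueError(f"function code 0x{fc:02x} invalid in a request")
    return ModbusRequest(tid, uid, fc, payload[8:])


def _u16(data: bytes, off: int) -> int:
    return struct.unpack_from(">H", data, off)[0]


def whitelist_check(req: ModbusRequest) -> List[str]:
    """DPAWM: every parameter must be on the whitelist; report what is not."""
    alerts: List[str] = []
    if req.unit_id not in ALLOWED_UNIT_IDS:
        alerts.append(f"unit id {req.unit_id} not whitelisted")
    fc, d = req.function_code, req.data
    if fc not in ALLOWED_FUNCTION_CODES:
        alerts.append(f"function code 0x{fc:02x} not whitelisted")
        return alerts  # the data field of an unknown function cannot be interpreted
    if fc == 0x03:  # start address(2), quantity(2)
        if len(d) != 4 or not 1 <= _u16(d, 2) <= 125:
            alerts.append("read request length or quantity out of spec")
        elif not {_u16(d, 0), _u16(d, 0) + _u16(d, 2) - 1} <= set(HR_ADDRESSES):
            alerts.append("read touches registers outside the whitelist")
    elif fc == 0x06:  # address(2), value(2)
        if len(d) != 4:
            alerts.append("write-single request length out of spec")
        else:
            if _u16(d, 0) not in HR_ADDRESSES:
                alerts.append("write to register outside the whitelist")
            if _u16(d, 2) not in HR_VALUES:
                alerts.append(f"set-point {_u16(d, 2)} outside permitted range")
    elif fc == 0x10:  # address(2), quantity(2), byte count(1), values
        qty = _u16(d, 2) if len(d) >= 5 else 0
        if not 1 <= qty <= 123 or len(d) != 5 + 2 * qty or d[4] != 2 * qty:
            alerts.append("write-multiple byte count inconsistent with quantity")
        else:
            values = [_u16(d, 5 + 2 * i) for i in range(qty)]
            if _u16(d, 0) not in HR_ADDRESSES or any(v not in HR_VALUES for v in values):
                alerts.append("write-multiple address or value outside the whitelist")
    return alerts


def analyse(payload: bytes) -> List[str]:
    """One ADU in, alerts out; an empty list means both stages passed."""
    try:
        req = parse_request(payload)
    except ValueError as exc:
        return [f"malformed frame: {exc}"]
    return whitelist_check(req)


# Constructed frames (hex): MBAP | unit | fc | data
FRAMES = {
    "read_ok":     bytes.fromhex("0001 0000 0006 01 03 0000 000a"),              # clean poll
    "bad_length":  bytes.fromhex("0002 0000 0009 01 03 0000 000a"),              # length field lies
    "write_coil":  bytes.fromhex("0003 0000 0006 01 05 0001 ff00"),              # FC 0x05 not allowed
    "bytecount":   bytes.fromhex("0004 0000 000b 01 10 0000 0002 03 00010002"),  # 3 != 2 * 2
    "setpoint_hi": bytes.fromhex("0005 0000 0006 01 06 0005 2711"),              # 10001 > 5000
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:12s} {analyse(frame) or 'clean'}")
```

Splitting the two stages matters for the "crafted packet" case: a frame whose length field disagrees with the bytes on the wire never reaches the whitelist, so a whitelisted function code cannot be used to smuggle a malformed PDU past the data-field checks.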
55 Critical State Distance Module and Tunable Parameters
The cited work is used to calculate the Critical State Distance for early critical-state detection.
An XML file holds the tunable parameters, so that one can change which data parameters are monitored.
56 Comparison, Analysis and Testing Results
To measure the effectiveness of the proposed solution, we considered many parameters and compared it with the "nearest" existing system.
The term "nearest" is used because no solution proposed to date deeply checks the Modbus TCP/IP protocol against whitelist signatures.
We used a very popular NIDS for the comparison: THE SNORT NIDS.
62 Comparison with other parameters
Parameter | SNORT | OUR PROPOSED NIDS
Installation/Deployment | Medium | Very easy
New attack detection | No (until signatures are updated) | Yes
Configuration level | - | Easy (just one XML file)
Packet loss | 302549 (the two columns' values are run together in the transcript)
Crafted packet detection | No | -
Integration with other H/W | Medium (requires good processing power) | Easy
63 Conclusion
Security in/for SCADA systems and networks should be proactive rather than reactive.
Besides network attacks from external networks, one must also consider attacks from within the secured periphery of these control systems.
Considering such issues, we have proposed an innovative, hybrid approach to detecting network attacks and designed a practical NIDS around it.
We have validated our approach by implementing certain attack vectors and detecting the resulting anomalies in the SCADA network.
64 Conclusion (contd.)
We have tested the proposed mechanism in a specific scenario and are satisfied with the results, which were as expected. However, we have not tested the mechanism in a real environment.
65 References
A. Robert (2013, Oct. 5). SCADA Primer [online].
G. Thomson (2013, Oct. 5). Cyber-Attacks by Al Qaeda Feared [online].
Miller, B., & Rowe, D. (2012). A survey of SCADA and critical infrastructure incidents.
Zia Saquib. IEEE SCADA conference, Mumbai, 19 Oct.
Rosslin, R., & Min-Kyu Choi (2009, June). Assessment of the Vulnerabilities of SCADA, Control Systems and Critical Infrastructure Systems. International Journal of Grid and Distributed Computing.
Kim, S. A Study on Optimization of Security Function for Reducing Vulnerabilities in SCADA, 65–69.
66
Ganesh Devrajan (Oct. 5th). Unraveling SCADA Protocols: Using Sulley Fuzzer. Defcon 2011 [online].
V. M. Igure, S. A. Laughter, & R. D. Williams. Security issues in SCADA networks. Computers & Security 25(7).
Hayes, G., & El-khatib, K. Securing Modbus Transactions Using Hash-Based Message Authentication Codes and Stream Transmission Control Protocol, 179–.
Kang, D., Lee, J., Kim, S., & Park, J. (2009). Analysis on Cyber Threats to SCADA Systems, 1–4.
Zhu, B., Joseph, A., & Sastry, S. (2011). A Taxonomy of Cyber Attacks on SCADA Systems. International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing, 380–388.
Bagaria, S., Prabhakar, S. B., & Saquib, Z. (2011). Flexi-DNP3: Flexible distributed network protocol version 3 (DNP3) for SCADA security. International Conference on Recent Trends in Information Systems, 3, 293–296.
67
Urias, V., Van Leeuwen, B., & Richardson, B. (2012). Supervisory Command and Data Acquisition (SCADA) system cyber security analysis using a live, virtual, and constructive (LVC) testbed. MILCOM 2012 IEEE Military Communications Conference, 1–8.
Li, G.-W., Ju, W.-Y., & Shi, D.-Y. (2012). Functional Vulnerability Assessment of SCADA Network. Asia-Pacific Power and Energy Engineering Conference, 1–4.
Byres, E. J., Franz, M., & Miller, D. The Use of Attack Trees in Assessing Vulnerabilities in SCADA Systems.
Rautmare, S. (2013). SCADA System Security. Bureau of Indian Standards [online].
Carcano, A., Nai Fovino, I., & Masera, M. (2010, July). Modbus/DNP3 state-based filtering system. IEEE International Symposium on Industrial Electronics (ISIE), 231–236.
Morris, T., Reaves, B., & Richey, D. (2012). On SCADA control system command and response injection and intrusion detection. eCrime Researchers Summit, 1–9.
68
Verba, J. (2008). Idaho National Laboratory Supervisory Control and Data Acquisition Intrusion Detection System (SCADA IDS).
Barbosa, R. R. R., Sadre, R., & Pras, A. (2012). Towards periodicity based anomaly detection in SCADA networks. Proceedings of the 2012 IEEE 17th International Conference on Emerging Technologies & Factory Automation (ETFA 2012), 1–4.
Matthew E. Luallen (2013, Dec. 2). SANS SCADA and Process Control Security Survey [online].