
Dissertation (Phase II)


1 Dissertation (Phase II)
Dissertation (Phase – 2) Presentation On: Detecting Network Attack Vectors On SCADA Specific Network Operating On Modbus TCP/IP Protocol PREPARED BY: Neel H. Pathak GTU ITSNS [ ] GUIDED BY: Prof. H. B. Patel Asst. Professor at LCIT, BHANDU

2 Outline
Introduction
  What, How, Why and Where of SCADA Systems?
  Problem Description
  Background and Reason to choose such Topic (Motivation)
  Objectives and Scope of Work
Literature Survey
  Issues
  Modbus Protocol
  Modbus Protocol Structure
  Vulnerability in Modbus TCP/IP
  C-I-A and Related Study
Proposed Solution
  Proposed Solution Flow Diagram
  Functional Description
  How is my proposed solution different from others?
  Implementation Details
  Designing of Network
  Network Diagram (Internal and External)
Comparison, Analysis and Testing Results
  Comparison with popular NIDS
Conclusion and References

3 Introduction: WHAT are SCADA systems?
Supervisory Control and Data Acquisition (SCADA) systems are used for automation purposes in chemical plants, oil and gas plants, power stations, water distribution etc. They are a part of ICS (Industrial Control Systems) and distinct from DCS (Distributed Control Systems). A combination of telemetry and data acquisition [1]. Often a misunderstood term.

4 HOW does a SCADA system communicate?
Third generation SCADA systems consist of the following components [1]: field instrumentation (sensors and actuators); remote stations (RTUs or PLCs); a communications network (Ethernet, radio or leased line); a central monitoring station (HMI/MMI). Figure adopted from SCADA Primer [1]

5 Typical SCADA system. Figure adopted from SCADA Primer [1]

6 Current SCADA systems. Figure adopted from “Defcon 2011” [7]

7 WHERE SCADA Systems are used?

8 SCADA System categories
SCADA systems can be broadly classified into three categories/generations [6]:
1. Monolithic: independent stand-alone systems. This is what EC engineers refer to.
2. Distributed: connected over a LAN for real-time information sharing.
3. Networked: connected to other networks and the Internet. This is what we refer to.

9 Problem Description SCADA systems were not designed with security in mind (analogy: the security, functionality and ease-of-use triangle, in which SCADA design favoured the latter two). Security here bears more importance than in other information systems. Legacy protocols such as Modbus are now wrapped in TCP/IP. Modern SCADA systems are connected to the network of networks, i.e. the INTERNET. Even minor tampering with such systems can cause LOSS OF LIFE and other casualties. Do you remember the Al-Qaeda attack? And the recent Stuxnet worm?

10 Problem Description Much research has been carried out on detecting network attacks from external networks, but what about the attacks that take place within the secured perimeter of such systems? Such attacks (called "insider attacks") are also of paramount importance and must be considered.

11 Problem Description Survey conducted by SANS Institute in Feb. 2013

12 Background And Motivation
SCADA systems, being critical infrastructure systems, are a prime target for cyber terrorists, hackers and state-sponsored professionals: the Al-Qaeda attack [2], the Siberian pipeline explosion [3], Iran's nuclear plant (Stuxnet worm) [3], the Commonwealth Games (CWG) [4] and many such attacks.
Motivation: SCADA systems were designed to be fail-safe [5], with no security in mind at that time. If network attacks on critical infrastructure systems can be detected, casualties can be prevented to a large extent, which is better for society as a whole.

13 Aim, Objectives and Scope of work

14 Literature Survey: HOW are SCADA systems different?
Business IT systems                      | SCADA systems
-----------------------------------------|---------------------------------------------------
Not real-time                            | Real-time basis
Correctness of information is critical   | Response time is critical
Delay is allowed                         | Delay is a big problem
Data integrity is important              | User (operator) safety is important
Data corruption means a lost task        | Data corruption means huge economic loss or casualties
Restoration by rebooting                 | Continuous operation required
Table adopted from [10]

15 Literature Survey: Issues to consider in SCADA systems [11]
How to audit, and what to audit? Patching SCADA systems is not easy. Knowledge gap between SCADA personnel and IT engineers.

16 Modbus TCP/IP Protocol and its Structure [9]
The Modbus suite was developed in 1979 by Modicon. Its specification is published openly and royalty-free, and it is widely used, notably in the oil and gas sector [8]. The suite is broken into two main variants: Modbus Serial (RTU/ASCII) and Modbus TCP. Modbus serial supports unicast and broadcast (unit address 0); Modbus TCP keeps the unit identifier mainly so that gateways can address serial slaves behind them.

17 Modbus Protocol (figure adopted from "Defcon" 2011 [7])
Function code: 1 – 127 (a response with the high bit set, 128 – 255, is an exception response). Data: sub-function codes and the register/coil addresses and values to read or write. Error check: CRC for Modbus RTU (LRC for Modbus ASCII); Modbus TCP drops this field and relies on the TCP checksum instead.

18 Modbus TCP Protocol: Modbus TCP frame structure (figure from [9])

19 Function and Sub-Function Codes (figure adopted from [Dt. 29/11/2013])

20 Modbus TCP Protocol Comm. Stack: figure of the Modbus TCP/IP communication stack (from [9])

21 Figure of Simple Modbus TCP/IP Packet Captured From Wireshark

22 Modbus TCP/IP Protocol Vulnerabilities
Lack of authentication: any host that can reach TCP port 502 can issue commands, and there is no way to tell who sent a Modbus packet. No integrity protection: Modbus TCP carries no checksum or message authentication of its own, so a modified or injected packet cannot be recognised at the protocol layer. Unencrypted communication: the function code, addresses and register values are visible in plain hex in any capture.

23 C-I-A triad versus SCADA
Typical business systems deal with the C-I-A triad (Confidentiality, Integrity, Availability), but in SCADA systems the priority order is I-A-C [11]: confidentiality has the least impact.

24 Typical attack scenario
Figure adopted from IEEE Conference, Mumbai 19th OCT [13]

25 HOW can the security posture of a SCADA network be improved?
Improvement in the protocol. Follow defence in depth when securing the SCADA network. Stable standards. An intrusion detection system that detects network attacks efficiently.

26 Accurate Modeling of Modbus TCP/IP for Intrusion Detection in SCADA Systems (Jan. 2013), Tel Aviv University [Paper 1] Functional description: based on the fact that Modbus traffic to and from HMI-PLC is highly periodic. The authors model each HMI-PLC channel by its unique characteristics. The NIDS uses anomaly-based detection and is sensitive in nature. Towards Periodicity Based Anomaly Detection in SCADA Networks [24] (IEEE, 2012) [Paper 2] Functional description: intrusion detection is based on the fact that traffic between HMI and PLC is highly periodic due to the polling mechanism. Proposes an approach that exploits traffic periodicity to detect anomalies, which represent potential intrusion attempts.

27 HMI-PLC1 Network Traffic Graph (Packets Vs Time)

28 Cons: Paper 1 and Paper 2
Both papers are based only on the polled communication mechanism of HMI-PLC SCADA systems. What if an interrupt-based SCADA system is used? Paper 1 models every HMI-PLC channel's traffic and proposes an anomaly-based NIDS, but anomaly-based NIDS carry a high possibility of FALSE POSITIVES. And because the anomaly model is based solely on traffic periodicity, an attacker who follows the traffic periodicity can inject malicious Modbus packets without being noticed.

29 On SCADA Control System Command and Response Injection and Intrusion Detection [22] (IEEE, 2012) [Paper 3]
Functional description: a set of command injection, data injection and denial-of-service attacks are used as features of attack traffic to train an intrusion detection system built on a neural network. Normal traffic is collected to establish a baseline and detect anomalies. CONS: only a few types of attack are used to check its effectiveness.
Modbus/DNP3 State-Based Filtering System [21] (IEEE, 2010) [Paper 4]
Functional description: the system aims to detect attacks composed of a set of "SCADA" commands. The proposed IDS can detect complex attacks based on the "to be" state of the system. Example of a critical state rule: PLC1.C23 = 0 and PLC2.C17 -> ALERT


31 Proposed Solution Here we propose an efficient solution to detect network attacks both within the internal perimeter and from the external network, making use of a Sequencing and Directional Analysis (SADA) module and a Deep Packet Analysis and Whitelisting Module (DPAWM). It is divided into five phases: 1. capture raw network traffic; 2. filter SCADA-specific traffic; 3. SCADA protocol analyzer; 4. analysis of the captured traffic (three modules: SADA, DPAWM and the Critical State Distance Module, CSDM); 5. notification generation and alerting.


33 How is my proposed solution different?
My proposed solution takes a layered approach to detecting network attacks/intrusions in a SCADA network. WHY? The proposed solution uses a WHITELIST signature-based NIDS. WHY? More than 20 (22 to be precise) whitelist signature parameters have been identified for attack detection. Deep packet analysis is done (thanks to Scapy), so a TCP veto attack (an injected segment carrying the expected sequence number, which causes the genuine segment to be discarded) can be caught. Based on my research, the proposed NIDS may also be used for commercial purposes.

REPLAY ATTACK
Primary application: Modbus Poll (master), available from
It works on the Modbus TCP/IP protocol and is a freeware application used to understand the workings of Modbus TCP/IP, built to the Modbus TCP/IP specification. Utilities used to perform the experiment: Modbus Poll master, Modbus Slave, Wireshark, VMware Workstation, Colasoft Packet Builder, PlayCap and Packit.
DENIAL-OF-SERVICE ATTACK
The experiment was done to check a denial-of-service attack using the tool modscan, available at

35 Implementation Details: Implementation Environment
UTILITY / TOOL / HARDWARE                                    | DESCRIPTION
-------------------------------------------------------------|---------------------------------------------------------------
Modscan, PlayCap, tcpreplay, Packit and Colasoft Packet Builder | To generate the attack scenarios
Wireshark and tcpdump                                        | Packet analysis and collection of whitelist signatures
Modbus Poll (master) and Modbus Slave                        | Applications that speak Modbus TCP/IP, used to study its behaviour
Oracle VirtualBox                                            | Emulating the real network
Bash, Python and Scapy 2.1.0                                 | Python to implement the tailor-made NIDS; Scapy for packet sniffing and manipulation
BeagleBone Black                                             | Hardware on which to run all modules and test feasibility

36 Network Design (External and Internal)

37 Static Interfaces for Gateway Firewall
External Internal

38 ARP-Static binding to prevent MITM
Static ARP Binding at Gateway Firewall

39 SCADA Internal Network Scenario

40 Modbus Poll (HMI-PLC1 and HMI-PLC2)


42 Web-based One Click Gateway Firewall






48 SCADA Protocol Analyzer (PSEUDO CODE)
Result = 0                           # result flag, checked once the loop has finished
pkts = sniff(count=500)              # capture 500 live packets in promiscuous mode (Scapy)
protocol_analyser(pkts):             # protocol analyzer module
    for each packet in pkts:         # loop over every captured packet
        proto_legitimate = 0         # 0 = the frame looks well formed so far
        compare the packet with each predefined Modbus TCP/IP framing condition
        if any condition fails:
            proto_legitimate = 1     # the frame is not built as the specification requires
        if proto_legitimate == 1:
            LOG the packet to the blacklist signature database
            Result = Result + 1
            raise an ALERT

49 After the analyzer pass:
if Result > 0:
    do not process further modules; exit
else:
    process further modules

50 SCADA Protocol Analyzer
Snapshot of Anomalies Found for Malicious Modbus Packet

51 Sequencing And Directional Analysis Module
Researchers have found that Modbus TCP/IP traffic is highly periodic and predictable, but a closer look at the traffic shows that not only the timing but also the SEQUENCE OF PACKETS in an HMI-PLC exchange is highly predictable. This predictable sequence of HMI-PLC communication is modelled in the SADA module: for each packet we check the IP address together with its MAC address, and the TCP sequence and acknowledgement numbers, against the expected sequence.
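The SADA idea above, written out as an added example (this is not the dissertation's own Scapy code): one HMI-PLC channel is modelled as an alternating request/reply exchange, one MAC per IP, and TCP sequence/acknowledgement numbers that advance by exactly the payload length. The hosts, MAC addresses and the eight-segment trace are constructed for the example; it runs offline on those tuples rather than on a live capture.

```python
"""Sequencing and Directional Analysis (SADA) over one HMI<->PLC Modbus/TCP channel.

Added example, not the dissertation's code. Addresses and the trace below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Segment:
    """The header fields SADA looks at, lifted from Ethernet/IP/TCP of one segment."""
    src_mac: str
    src_ip: str
    dst_ip: str
    seq: int
    ack: int
    payload_len: int


@dataclass
class ChannelState:
    bindings: Dict[str, str] = field(default_factory=dict)   # ip -> mac, learned on first sight
    next_seq: Dict[str, int] = field(default_factory=dict)   # ip -> seq we expect from it next
    last_src: Optional[str] = None                            # sender of the last clean segment


def sada_check(state: ChannelState, seg: Segment) -> List[str]:
    alerts: List[str] = []
    # 1. Directional: a polled channel alternates master request and slave reply.
    if state.last_src == seg.src_ip:
        alerts.append("direction: second segment from %s with no reply in between" % seg.src_ip)
    # 2. Binding: the MAC that first claimed this IP must keep claiming it (cf. static ARP on slide 38).
    known_mac = state.bindings.setdefault(seg.src_ip, seg.src_mac)
    if known_mac != seg.src_mac:
        alerts.append("binding: %s now sent from %s, expected %s" % (seg.src_ip, seg.src_mac, known_mac))
    # 3. Sequence: seq must continue where this host left off ...
    expected = state.next_seq.get(seg.src_ip)
    if expected is not None and seg.seq != expected:
        alerts.append("sequence: seq %d from %s, expected %d" % (seg.seq, seg.src_ip, expected))
    # ... and ack must acknowledge exactly what the peer has sent so far.
    peer_next = state.next_seq.get(seg.dst_ip)
    if peer_next is not None and seg.ack != peer_next:
        alerts.append("sequence: ack %d does not match peer position %d" % (seg.ack, peer_next))
    # Only clean segments move the model forward, so a replayed or spoofed one cannot desync it.
    if not alerts:
        state.next_seq[seg.src_ip] = (seg.seq + seg.payload_len) & 0xFFFFFFFF
        state.last_src = seg.src_ip
    return alerts


def analyse(trace: List[Segment]) -> List[List[str]]:
    """Run every segment of a channel through SADA; one alert list per segment."""
    state = ChannelState()
    return [sada_check(state, seg) for seg in trace]


HMI, PLC = "192.168.1.10", "192.168.1.20"
HMI_MAC, PLC_MAC, ROGUE_MAC = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"

# Constructed trace: 12-byte read request, 11-byte reply, then three kinds of trouble.
SAMPLE_TRACE = [
    Segment(HMI_MAC, HMI, PLC, 1000, 5000, 12),    # request
    Segment(PLC_MAC, PLC, HMI, 5000, 1012, 11),    # reply
    Segment(HMI_MAC, HMI, PLC, 1012, 5011, 12),    # request
    Segment(PLC_MAC, PLC, HMI, 5011, 1024, 11),    # reply
    Segment(HMI_MAC, HMI, PLC, 1000, 5000, 12),    # replay of the first request (stale seq/ack)
    Segment(ROGUE_MAC, HMI, PLC, 1024, 5022, 12),  # HMI address spoofed from another NIC
    Segment(HMI_MAC, HMI, PLC, 1024, 5022, 12),    # genuine request
    Segment(HMI_MAC, HMI, PLC, 1036, 5022, 12),    # second request with no reply: injection
]

if __name__ == "__main__":
    for seg, alerts in zip(SAMPLE_TRACE, analyse(SAMPLE_TRACE)):
        print(seg.src_ip, "->", seg.dst_ip, alerts or "OK")
```

The replayed segment trips both the seq and the ack check, the spoofed one only the binding check, and the back-to-back request only the direction check. Note what this does not catch: an attacker who sniffs the live stream and crafts an in-window segment with the right numbers passes all three checks (the TCP veto case), which is exactly why the deck pairs SADA with the content checks in DPAWM. The direction rule also assumes one outstanding request per channel, so a master that pipelines requests would need a counter instead of a single last-sender flag.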

52 HMI-PLC1 Sequence Analysis


54 Deep Packet Analysis and Whitelisting Module (DPAWM)
We have identified more than 20 (22 to be precise) parameters that form a whitelist signature. Currently 2 of the 7 whitelist signatures are modelled. The major parameters among the 22 are: slave (unit) ID; TCP flags PSH/URG; transaction ID; length of the frame and of the Modbus packet; function codes; word count and byte count; and, most importantly, the Modbus data field.
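The frame structure from slide 18, the analyzer pass from slide 48 and the whitelist parameters listed above, as one added example in plain Python (not the dissertation's Scapy-based code): the MBAP header is parsed with the standard library, a well-formedness pass rejects frames that break the Modbus/TCP framing rules, and only frames that survive it are compared against a per-unit whitelist of function codes, address ranges, write values and transaction-ID continuity. The whitelist rule, the unit ID and all five hex frames are constructed for the example.

```python
"""Modbus/TCP parsing, protocol-sanity pass and per-unit whitelist pass.

Added example, not the dissertation's NIDS. The rule and the frames below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MBAP_HEADER_LEN = 7      # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MODBUS_PROTOCOL_ID = 0   # the only protocol id defined for Modbus/TCP
MAX_LENGTH_FIELD = 254   # ADU is at most 260 bytes, so length (unit id + PDU) is at most 254


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_mbap(payload: bytes) -> ModbusFrame:
    """Split a Modbus/TCP ADU (the TCP payload) into MBAP header and PDU fields."""
    if len(payload) < MBAP_HEADER_LEN + 1:
        raise ValueError("frame of %d bytes is too short for MBAP + function code" % len(payload))
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:MBAP_HEADER_LEN])
    return ModbusFrame(tid, pid, length, uid, payload[MBAP_HEADER_LEN], payload[MBAP_HEADER_LEN + 1:])


def protocol_anomalies(payload: bytes, is_request: bool = True) -> List[str]:
    """Slide-48 style pass: does the frame obey the Modbus/TCP framing rules?"""
    try:
        f = parse_mbap(payload)
    except ValueError as exc:
        return [str(exc)]
    found: List[str] = []
    if f.protocol_id != MODBUS_PROTOCOL_ID:
        found.append("protocol id %d is not Modbus" % f.protocol_id)
    on_wire = 2 + len(f.data)                      # unit id + function code + data actually present
    if f.length != on_wire:
        found.append("length field %d but %d bytes follow it" % (f.length, on_wire))
    if f.length > MAX_LENGTH_FIELD:
        found.append("length field %d exceeds the Modbus ADU maximum" % f.length)
    if is_request and not 1 <= f.function_code <= 127:
        found.append("function code 0x%02x is not a valid request code" % f.function_code)
    return found


@dataclass
class UnitRule:
    """Whitelist for one HMI->PLC unit: allowed function codes and their address ranges."""
    functions: Dict[int, Tuple[int, int]]          # fc -> (first, last) allowed address
    max_quantity: int = 125                        # spec maximum for FC 3/4 reads
    write_value_range: Tuple[int, int] = (0, 0xFFFF)
    last_tid: Optional[int] = None                 # Modbus Poll style masters count +1 per request


def whitelist_violations(f: ModbusFrame, rule: UnitRule) -> List[str]:
    """Slide-54 style pass: compare a well-formed request against the unit's whitelist."""
    v: List[str] = []
    if f.function_code not in rule.functions:
        v.append("function code %d not whitelisted for unit %d" % (f.function_code, f.unit_id))
        return v
    if len(f.data) < 4:
        v.append("PDU too short for address/argument words")
        return v
    first, last = rule.functions[f.function_code]
    addr, arg = struct.unpack(">HH", f.data[:4])
    if not first <= addr <= last:
        v.append("address %d outside whitelisted range %d-%d" % (addr, first, last))
    if f.function_code in (3, 4):                  # read holding/input registers: arg = quantity
        if not 1 <= arg <= rule.max_quantity or addr + arg - 1 > last:
            v.append("read of %d registers from %d leaves the whitelisted range" % (arg, addr))
    elif f.function_code == 6:                     # write single register: arg = value
        lo, hi = rule.write_value_range
        if not lo <= arg <= hi:
            v.append("written value %d outside %d-%d" % (arg, lo, hi))
    elif f.function_code == 5 and arg not in (0x0000, 0xFF00):   # write single coil
        v.append("coil value 0x%04x is neither ON nor OFF" % arg)
    if rule.last_tid is not None and f.transaction_id != (rule.last_tid + 1) & 0xFFFF:
        v.append("transaction id jumped from %d to %d" % (rule.last_tid, f.transaction_id))
    rule.last_tid = f.transaction_id
    return v


def inspect(payload: bytes, rules: Dict[int, UnitRule]) -> List[str]:
    """Sanity pass first; only well-formed frames reach the whitelist pass (slide 49)."""
    problems = protocol_anomalies(payload)
    if problems:
        return ["PROTOCOL: " + p for p in problems]
    f = parse_mbap(payload)
    if f.unit_id not in rules:
        return ["WHITELIST: unit id %d is not a known slave" % f.unit_id]
    return ["WHITELIST: " + p for p in whitelist_violations(f, rules[f.unit_id])]


# Constructed frames (hex): tid | pid | len | unit | fc | address | quantity or value
GOOD_READ      = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # read 10 holding regs at 0
GOOD_WRITE     = bytes.fromhex("0002 0000 0006 01 06 0005 0032")  # write 50 to register 5
BAD_PROTO_ID   = bytes.fromhex("0003 0001 0006 01 03 0000 000a")  # protocol id 1
BAD_LENGTH     = bytes.fromhex("0004 0000 0010 01 03 0000 000a")  # claims 16 bytes, carries 6
INJECTED_WRITE = bytes.fromhex("0009 0000 0006 01 06 0005 03e8")  # value 1000 and tid jump 2->9
SAMPLE_FRAMES = (GOOD_READ, GOOD_WRITE, BAD_PROTO_ID, BAD_LENGTH, INJECTED_WRITE)


def run_demo() -> List[List[str]]:
    """Unit 1 may read/write registers 0-9 and write values 0-100 only (constructed rule)."""
    rules = {1: UnitRule(functions={3: (0, 9), 6: (0, 9)}, write_value_range=(0, 100))}
    return [inspect(p, rules) for p in SAMPLE_FRAMES]


if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, run_demo()):
        print(frame.hex(), verdict or "OK")
```

The two malformed frames never reach the whitelist, which mirrors the slide-49 rule of stopping after the analyzer pass. The injected write is well formed at the protocol level and is caught only by the content checks (value out of the allowed band, transaction ID out of step), which is the case the deck's whitelist approach is meant for. Because the Modbus data field is the most important parameter, the write_value_range is per unit here; a production rule set would carry it per register.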

55 Critical State Distance Module and Tunable Parameters
The work in [26] is used to calculate the critical state distance for early detection of a critical state. An XML file holds the tunable parameters, so one can change which data parameters are monitored.

56 Comparison, Analysis and Testing Results
In order to measure the effectiveness of our proposed solution we considered many parameters and compared it with the "nearest" existing system. We say "nearest" because no solution to date deeply checks the Modbus TCP/IP protocol with whitelist signatures. We used a very popular NIDS for the comparison: SNORT.

57 Performance w.r.t CPU resource utilization


59 Performance graph (gnuplot+atop)

60 Consideration of other important factors
0-day detection
TCP veto detection (probable)
Deep packet analysis check (also includes the physical and data-link layers)
False negatives and false positives
BITW? (update-rc.d -f + /etc/init.d/ + .conf files + boot-up manager)
Early detection

61 Packet level comparison between SNORT and our proposed solution
Test host: Ubuntu LTS, 32 bit, 3.7 GB RAM, Core i3 253Ghz x4; traffic: Modbus TCP/IP
                        | SNORT NIDS | OUR PROPOSED NIDS
------------------------|------------|------------------
Data packets            | 5000       | 5000
Actual attack packets   | 950        | 950
Alerts                  | 2033       | 977
False +ve               | 1084       | 84
False -ve               | *19-*66    | *13-*17
Packets received        | 4696       | 4451
Packet loss             | 302        | 549

62 Comparison with other parameters
                              | SNORT                                   | OUR PROPOSED NIDS
------------------------------|-----------------------------------------|--------------------------
Installation/Deployment       | Medium                                  | Very easy
New attack detection          | No (until signatures are updated)       | Yes
Configuration level           |                                         | Easy (just one XML file)
Packet loss                   | 302                                     | 549
Crafted packet detection      | No                                      |
Integration with other H/W    | Medium (requires good processing power) | Easy

63 Conclusion Security in/for SCADA systems and networks should be proactive rather than reactive. Besides network attacks from the external network, one must also consider attacks within the secured perimeter of these control systems. Considering such issues we have proposed an innovative, hybrid approach to detecting network attacks and designed a practical NIDS around it. We have validated our approach by implementing certain attack vectors and detecting the resulting anomalies in the SCADA network.

64 Conclusion (contd.) We have tested our proposed mechanism in a specific scenario and are satisfied with the results, which were as expected. However, we have not tested the mechanism in a real environment.

65 References
[1] A. Robert (2013, Oct. 5). SCADA Primer [online]. Available:
[2] G. Thomson (2013, Oct. 5). Cyber-Attacks by Al Qaeda Feared [online]. Available:
[3] Miller, B., & Rowe, D. (2012). A survey of SCADA and critical infrastructure incidents.
[4] Zia Saquib, IEEE SCADA conference, Mumbai, 19 Oct.
[5] Rosslin R. and Min-Kyu Choi, "Assessment of the Vulnerabilities of SCADA, Control Systems and Critical Infrastructure Systems", International Journal of Grid and Distributed Computing, June 2009.
[6] Kim, S. A Study on Optimization of Security Function for Reducing Vulnerabilities in SCADA, 65–69.

66 References (cont.)
[7] Ganesh Devrajan (Oct. 5th). Unraveling SCADA Protocols: Using Sulley Fuzzer. Defcon 2011 [online]. Available:
[8] V. M. Igure, S. A. Laughter and R. D. Williams. Security issues in SCADA networks. Computers & Security 25(7); pp.
[9] Hayes, G., & El-khatib, K. Securing Modbus Transactions Using Hash-Based Message Authentication Codes and Stream Transmission Control Protocol, 179–
[11] Kang, D., Lee, J., Kim, S., & Park, J. (2009). Analysis on Cyber Threats to SCADA Systems, 1–4.
[12] Zhu, B., Joseph, A., & Sastry, S. (2011). A Taxonomy of Cyber Attacks on SCADA Systems. International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing, 380–388.
[13] Bagaria, S., Prabhakar, S. B., & Saquib, Z. (2011). Flexi-DNP3: Flexible distributed network protocol version 3 (DNP3) for SCADA security. International Conference on Recent Trends in Information Systems, 3, 293–296.

67 References (cont.)
[15] Urias, V., Van Leeuwen, B., & Richardson, B. (2012). Supervisory Command and Data Acquisition (SCADA) system cyber security analysis using a live, virtual, and constructive (LVC) testbed. MILCOM IEEE Military Communications Conference, 1–8.
[16] Li, G.-W., Ju, W.-Y., & Shi, D.-Y. (2012). Functional Vulnerability Assessment of SCADA Network. Asia-Pacific Power and Energy Engineering Conference, 1–4.
[17] Byres, E. J., Franz, M., & Miller, D. The Use of Attack Trees in Assessing Vulnerabilities in SCADA Systems.
[18] Kim, S. A Study on Optimization of Security Function for Reducing Vulnerabilities in SCADA, 65–69.
[19] Rautmare, S. (2013). SCADA System Security.
[20] Bureau of Indian Standards [online]. Available:
[21] Carcano, A., Nai Fovino, I., & Masera, M. (2010). Modbus/DNP3 state-based filtering system. IEEE International Symposium on Industrial Electronics, 231–236.
[22] Morris, T., Reaves, B., & Richey, D. (2012). On SCADA control system command and response injection and intrusion detection. eCrime Researchers Summit, 1–9.

68 References (cont.)
[23] Verba, J., Box, P. O., & Falls, I. (2008). Idaho National Laboratory Supervisory Control and Data Acquisition Intrusion Detection System (SCADA IDS), (208).
[24] Barbosa, R. R. R., Sadre, R., & Pras, A. (2012). Towards periodicity based anomaly detection in SCADA networks. Proceedings of 2012 IEEE 17th International Conference on Emerging Technologies & Factory Automation (ETFA 2012), 1–4.
[25] Matthew E. Luallen (2013, Dec. 2). SANS SCADA and Process Control Security Survey [online]. Available:
[26] Carcano, A., Fovino, I. N., & Masera, M. (2010, July). Modbus/DNP3 state-based filtering system. In Industrial Electronics (ISIE), 2010 IEEE International Symposium on (pp ). IEEE.

69 Thank You
