
Electronic Security Perimeter Is this system air-gapped? No. But… it’s fiber optic. we own the network. we own the wireless network.

Presentation transcript:

2 Electronic Security Perimeter Is this system air-gapped? No. But… it’s fiber optic. we own the network. we own the wireless network.

3 Electronic Security Perimeter. Is this system air gapped? What is this? A leased line from the phone company? Does the utility sell bandwidth to 3rd parties? No.

4 Common configuration (diagram labels: DMZ, Enterprise Network, Control Room, Outstation, WWW)

5 Can malware infect the control room or outstation? (diagram labels: DMZ, Enterprise Network, Control Room, Outstation, WWW) Yes.

6 Can malware infect the control room or outstation? (same diagram as slide 5: DMZ, Enterprise Network, Control Room, Outstation, WWW) Yes.

7 What about serial? RS-232/485. Stuxnet.

8 Takeaways
- Industrial control system networks are not commonly air gapped, though the control system engineers may think they are.
- Industrial control systems can be infected by malware.
- An electronic security perimeter alone is insufficient.
- A defense in depth approach is needed.

9 Network Intrusion Detection for Industrial Control Systems
- Physical: wireless IDS; not much at this level
- Network, Transport:
  - Detect well-known attacks: Teardrop, LAND, port scanning, ping
  - Common protocol rules: TCP, IP, UDP, ICMP
- Application layer:
  - Detect protocol mutations
  - Detect protocol-specific DoS attacks
  - Model-based IDS to detect system-level attacks: measurement injection, command injection, system state steering
(OSI stack shown alongside: Physical, Data Link, Network, Transport, Application)

10 (diagram labels: Relay, CT, Transmission Line Network, Short circuit, Router, Relay tripped. Footer: MSU, Tommy Morris)

11 Causal Network Graphs for Intrusion Detection
- Map power system scenarios to a graph with nodes representing a set of time-ordered measurable events
  - Multiple existing sources of data
  - Unique path through the graph for each scenario
- Classify events in real time

12 Causal Network Graphs for Intrusion Detection – Case Study
- Power system events
  - Over current fault: high current -> open breaker
  - Remote trip: operator remotely opens breaker for maintenance
  - Local trip at face plate: technician trips relay at the face plate
- Cyber events (threats)
  - Command injection attack to remotely trip the relay
  - Man-in-the-middle (MITM) attack on synchrophasor system (I=0)
  - Man-in-the-middle (MITM) attack on synchrophasor system (I>I_trip)

13 Measurable Events
- Relay breaker status
- Energy Management System (EMS): command from EMS to remote trip
- Synchrophasor system measurements: current measurements (60 samples per second)
- Snort network signatures: detect network message to trip the relay

14 Bayesian Network Graph -> Causal Event Graph
(diagram) Nodes: PMU@T1, Relay, PMU@T2, Snort, EMS. PMU@T1 states: I_H, I_N, I_0, each paired with the Snort alert (Sn) and EMS remote trip (RT) events. Relay states: breaker open, breaker closed. PMU@T2 states: I_N, I_0, I_H. Edge labels: fault, command injection, remote trip, MITM, I_PMU > I_Trip.

15 Causal Event Graph Signatures (time runs left to right)
1) Fault: I_H, Sn, RT -> Breaker open -> I_0
2) Command Injection: I_N, Sn, RT -> Breaker open -> I_0
3) Scheduled Trip: I_N, Sn, RT -> Breaker open -> I_0
4) MITM Attack I=0: I_0, Sn, RT -> Breaker closed -> I_0
5) MITM Attack I>I_Trip: I_H, Sn, RT -> Breaker closed -> I_H
6) Local Trip: I_N, Sn, RT -> Breaker open -> I_0
Hand mapped the signatures to a custom intrusion detection program.
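An added example, not code from the slides or from the MSU intrusion detection program, that hand maps the six signatures above into a small Python classifier over constructed observations. The Snort (Sn) and EMS (RT) values for each signature are assumed from the scenario descriptions on slides 12 and 13, and I_TRIP is a constructed pickup value.

```python
from dataclasses import dataclass

I_TRIP = 1000.0  # constructed relay pickup current in amps (assumption)

@dataclass(frozen=True)
class Observation:
    """One time-ordered set of measurable events (slide 13) for a scenario."""
    i_before: float      # PMU current before the event (T1)
    snort_trip: bool     # Snort signature saw a trip message on the network
    ems_trip: bool       # EMS log shows the operator issued a remote trip
    breaker_open: bool   # relay breaker status after the event
    i_after: float       # PMU current after the event (T2)

def current_level(amps):
    """Bin a PMU current sample into the I0 / IN / IH symbols of the graph."""
    if amps <= 0.0:
        return "I0"
    return "IH" if amps > I_TRIP else "IN"

# Hand mapped signatures, one unique path per scenario (slide 15). The Snort and
# EMS values are assumed from slides 12-13: a fault or face plate trip sends no
# trip message, command injection is seen by Snort but not logged by the EMS,
# a scheduled remote trip is seen by both, the MITM cases involve neither.
SIGNATURES = {
    ("IH", False, False, True, "I0"): "fault",
    ("IN", True, False, True, "I0"): "command injection",
    ("IN", True, True, True, "I0"): "scheduled trip",
    ("I0", False, False, False, "I0"): "MITM attack I=0",
    ("IH", False, False, False, "IH"): "MITM attack I>Itrip",
    ("IN", False, False, True, "I0"): "local trip",
}

def classify(obs):
    """Walk the causal event graph; an unmatched path is reported as unknown."""
    path = (current_level(obs.i_before), obs.snort_trip, obs.ems_trip,
            obs.breaker_open, current_level(obs.i_after))
    return SIGNATURES.get(path, "unknown")

SAMPLE_LOG = [  # constructed observations standing in for the RTDS data loggers (slide 16)
    Observation(4200.0, False, False, True, 0.0),      # real over current fault
    Observation(350.0, True, False, True, 0.0),        # injected trip command
    Observation(350.0, True, True, True, 0.0),         # operator remote trip
    Observation(0.0, False, False, False, 0.0),        # spoofed PMU stream reads I=0
    Observation(4200.0, False, False, False, 4200.0),  # spoofed PMU stream reads I>Itrip
    Observation(350.0, False, False, True, 0.0),       # technician trips at face plate
    Observation(350.0, True, False, False, 350.0),     # trip seen on wire, breaker unchanged
]

def classify_log(log=SAMPLE_LOG):
    return [classify(o) for o in log]
```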

16 Laboratory Validation – proof of concept
(diagram labels: buses B1, B2; relays R1, R2; generator G1; breakers BR1, BR2; loads L, L1. Attack Detection Program fed by EMS logs, Snort, relay logs and synchrophasor measurements from the RTDS simulation.)
- Implemented each scenario
- Data loggers to capture measurements
- Offline intrusion detection program
- Successful classification of all scenarios

17 Future Work: Causal Event Graphs
- Scale to more realistic systems: breaker-and-a-half, relay coordination, expanded relaying scheme support
- Real time IDS
- Move from Boolean to probabilistic IDS
- Automate graph to IDS signatures
- Measure accuracy and computational cost

18 (diagram labels: EMS, PDC, Historian, Eng'g Analysis, PMU, PDC, PMU, Transmission Line Network, PMU, PDC, PMU) *Not shown (the 3 circuits above are part of an interconnection).

19 Synchrophasor System Equipment
- Phasor Measurement Unit (PMU)
  - Synchronized phasor measurements
  - 1 µs synchronization, IEEE 1588, GPS
  - 3-phase voltage phasors, current phasor
- Phasor Data Concentrator (PDC)
  - Concentrate PMU streams
  - Detect missing data
  - Interpolate for missing data
- IEEE C37.118 -> IEC 61850-90-5

20 Snort Rules for Synchrophasor Systems
- Synchrophasor systems are being installed across the country by utilities with ARRA grants
  - Improved electric grid visibility: detect disturbances sooner
  - Wide area protection: react to disturbances quickly to limit outages
  - IEEE C37.118 - Synchrophasor Network Protocol
- Need to develop Snort rules to
  - Protect against IEEE C37.118 protocol mutation type attacks
  - Detect reconnaissance, DoS, command injection, and measurement injection attacks

21 Snort Rules for Synchrophasor Systems – Protocol Mutation
- 2 Frame Type Check (stand-alone): SYNC[0]{6:4} != (0, 1, 2, 3, 4)
- 10 Polar Range (multi-packet): ConfigFrame: (FORMAT[0]{1} == 0 && FORMAT[0]{0} == 1) && DataFrame: (PHASORS[0:1] (polar angle) > 31,416) || (PHASORS[0:1] (polar angle) < -31,416)
- 11 Data Frame Size Check (multi-packet): EXPECTED FRAMESIZE != ACTUAL FRAMESIZE
Simple check – is this a legal frame? Does the polar range in the data frame match the description in the configuration frame? Does the frame size match the frame size calculated from examining the configuration frame?
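An added example (not the project's Snort rules and not code from the deck) that re-implements the three checks above in stand-alone Python over constructed single-PMU IEEE C37.118 frames. It assumes the configuration frame has already been parsed into its FORMAT word and PHNMR/ANNMR/DGNMR channel counts, uses the common C37.118 header layout (SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC), and generalizes the polar check to every phasor in the frame rather than only the first; the sample frames carry a dummy CHK.

```python
import struct

FRAME_TYPES = {0: "data", 1: "header", 2: "cfg1", 3: "cfg2", 4: "cmd"}
ANGLE_LIMIT = 31416          # polar angle is radians x 10^4, so +/- pi
HEADER_LEN, CHK_LEN = 14, 2  # SYNC+FRAMESIZE+IDCODE+SOC+FRACSEC, and CHK

def frame_type(frame):
    """Rule 2: bits 6:4 of the SYNC type/version byte must be a known type."""
    if len(frame) < 2 or frame[0] != 0xAA:
        return None
    return FRAME_TYPES.get((frame[1] >> 4) & 0x07)

def expected_framesize(cfg):
    """Rule 11: single-PMU data frame size implied by the CFG-2 FORMAT word."""
    fmt = cfg["format"]
    ph = 8 if fmt & 0x2 else 4   # bit 1: float vs 16-bit integer phasors
    an = 4 if fmt & 0x4 else 2   # bit 2: float vs integer analogs
    fr = 4 if fmt & 0x8 else 2   # bit 3: float vs integer FREQ/DFREQ
    body = 2 + ph * cfg["phnmr"] + 2 * fr + an * cfg["annmr"] + 2 * cfg["dgnmr"]
    return HEADER_LEN + body + CHK_LEN

def polar_angle_violations(frame, cfg):
    """Rule 10: with integer polar phasors every angle must lie within +/- pi."""
    fmt = cfg["format"]
    if fmt & 0x2 or not fmt & 0x1:   # only integer (bit 1 = 0) polar (bit 0 = 1)
        return []
    bad = []
    for n in range(cfg["phnmr"]):
        off = HEADER_LEN + 2 + 4 * n  # skip STAT, then one 4-byte phasor each
        if off + 4 <= len(frame):
            _mag, angle = struct.unpack_from(">Hh", frame, off)
            if angle > ANGLE_LIMIT or angle < -ANGLE_LIMIT:
                bad.append((n, angle))
    return bad

def check_data_frame(frame, cfg):
    """Return the rules the frame trips; an empty list means it looks legal."""
    alerts = []
    if frame_type(frame) is None:
        alerts.append("frame type check")
    if len(frame) < 4 or struct.unpack_from(">H", frame, 2)[0] != expected_framesize(cfg):
        alerts.append("data frame size check")
    if polar_angle_violations(frame, cfg):
        alerts.append("polar range check")
    return alerts

def build_data_frame(phasors, sync_type=0x01):  # constructed sample frame, dummy CHK
    body = struct.pack(">H", 0) + b"".join(struct.pack(">Hh", m, a) for m, a in phasors)
    body += struct.pack(">hh", 0, 0)  # integer FREQ and DFREQ, no analog/digital
    size = HEADER_LEN + len(body) + CHK_LEN
    return struct.pack(">BBHHII", 0xAA, sync_type, size, 1, 0, 0) + body + b"\0\0"
```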

22 Retrofit SNORT Intrusion Detection for Industrial Control Systems
(diagram) Pipeline test bed: MTU, pump, relief, pipeline, RTU control logic, pressure tap. Registers: Set Point, System Mode, Control Scheme, Pump Override, Relief Override, PID Setpoint, PID Gain, PID Reset, PID Rate, PID DB, PID CT, Output, Pump State, Relief State. Snort placed on the network to detect attacks: command injection, measurement injection, reconnaissance, denial of service.

23 Snort Protocol Rules for MODBUS
- Reviewed specification and developed a fuzzing framework.
- Using fuzzing framework to guide rule development.
  - Rules for specific frame types
  - Function codes in frames define payload contents
  - Rules based upon relationships between frames: query and response must match
  - Response special cases: exception frames match defined exceptions to query function code and error types
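An added example (not the project's Snort rules) of the query/response relationship rule from the slide in stand-alone Python: Modbus/TCP frames are constructed inline, each response is matched to an outstanding query by transaction and unit id, and an exception frame must carry the query's function code with the high bit set plus one of the exception codes defined in the specification. The set of function codes the checker accepts is an assumption of this example.

```python
import struct

EXCEPTION_CODES = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x0A, 0x0B}  # defined in the spec
KNOWN_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16, 23}  # public codes this example accepts

def mbap(tid, uid, pdu):
    """Construct a Modbus/TCP frame: MBAP header (transaction, protocol 0, length, unit) + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu

def parse(frame):
    """Split a frame into (transaction id, unit id, function code, data), checking the header."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = struct.unpack_from(">HHHB", frame, 0)
    if pid != 0 or length != len(frame) - 6 or length < 2:
        raise ValueError("malformed MBAP header")
    return tid, uid, frame[7], frame[8:]

class QueryResponseMatcher:
    """Stateful rule: each response must match an outstanding query on the same unit."""
    def __init__(self):
        self.pending = {}  # (transaction id, unit id) -> function code of the query

    def query(self, frame):
        """Record a master -> slave query; returns an alert string or None."""
        tid, uid, fc, _ = parse(frame)
        if fc not in KNOWN_FUNCTION_CODES:
            return "unknown function code in query"
        self.pending[(tid, uid)] = fc
        return None

    def response(self, frame):
        """Check a slave -> master response against the query it answers."""
        tid, uid, fc, data = parse(frame)
        qfc = self.pending.pop((tid, uid), None)
        if qfc is None:
            return "response without matching query"
        if fc == qfc:
            return None
        if fc == qfc | 0x80:  # exception frame: query function code with the high bit set
            if len(data) != 1 or data[0] not in EXCEPTION_CODES:
                return "exception frame with undefined exception code"
            return None
        return "response function code does not match query"
```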

24 Cybersecurity Testing and Risk Assessment for Industrial Control Systems
- Denial of Service: known attacks, high volume traffic, protocol mutation
- Device Security Assessment: security features, standards conformance, port scan, vulnerability scan
- Confidentiality, Integrity: password confidentiality, password storage, man-in-the-middle
Many vulnerabilities identified and communicated to vendor and project partner. All addressed: firmware fixes, new security features, system architecture changes.

25
- Identify vulnerabilities, implement attacks, investigate impact on physical systems.
- Develop security solutions: system protection, intrusion detection, attack resilience.
- Train engineers and scientists for control systems security careers.
Cyber Security, Industrial Control Systems, Critical Infrastructure Protection Center

26
Read Sprabery (BS CPE): Power System Cybersecurity
Drew Richey (MS ECE): Ladder Logic to Snort Rules
Uttam Adhikari (PhD ECE): Power System Cybersecurity
Wei Gao (PhD ECE): SCADA Intrusion Detection
Shengyi Pan (PhD ECE): Power System Cybersecurity
Tommy Morris (Asst. Prof., Director, CIPC): Industrial Control System Security
David Mudd (MS ECE): SCADA Virtual Test Bed
Quintin Grice (MS ECE): Relay Settings Automation
Joseph Johnson (BS EE): Control Systems
Lalita Neti (MS ECE): Relay Settings Automation

