Mike Burmester Work with W. Owen Redwood and Joshua Lawrence


1 Dynamic Realtime Security Analysis of Electrical Power Systems: Gathering Cyber-Physical Threat Intelligence
Mike Burmester, work with W. Owen Redwood and Joshua Lawrence

2 Outline
Critical infrastructure protection
  Critical infrastructure ecologies; resilience: real vs ideal world simulations
  Protection and control architecture for EG substations
  Vulnerabilities of an IEC 61850 enabled EG substation; synchronized attacks
  Honeypots as real-time situational awareness tools
Cyber-Physical Systems
  SCADA / critical infrastructure vulnerabilities and security; state of threat intelligence
Symbolic Cyber-Physical Honeynets
  Situational awareness for SCADA / ICS

3 Critical Infrastructure Ecologies

4 Resilience: real vs ideal world simulations
Figure: in the ideal world the adversary A controls all communication channels to the protected functionality F; in the real world the adversary A acts across the human, cyber and physical layers.

5 Protection and control architecture for an EG substation
Diagram: IEDs with I/O via fiber to Bricks, and Ethernet connectivity to SCADA and HMI.

6 Vulnerabilities of an IEC 61850 enabled EG substation
Diagram components: Ethernet substation bus, Ethernet process bus, Relay, Meter, Merge Unit, IED, HMI, Control Center, Internet, Remote Operator, other substations.
Vulnerabilities are marked in the diagram and involve physical/human/cyber entities. For example: the Remote Operator or their computer may be compromised; the behavior of the Relay or the Merge Unit Brick may be irregular (because of unexpected inputs); etc.
Our goal is to:
  Analyze realtime multi-layer vulnerabilities of EG infrastructures resulting from malicious/unexpected behavior.
  Analyze cascading EG infrastructure faults.
  Identify vulnerabilities and exploits of IEC 61850 substation automation systems using hardware-in-the-loop realtime testing.
  Develop a framework that addresses holistic integrity in realtime by enforcing trust policies and controls and by enabling security mechanisms and tools (engines).

7 Synchronized attack scenario
Top: the generator frequency during a cascading event. Bottom: the state of the system before and after an attack.

8 EG Resilience: Maintaining Functionality at Sustained Levels
Plot: output power over time, with backup power holding the sustained functionality level.

9 Honeypots Capture: Tool use; detection tests (and sometimes fail!)
Diagram of the intrusion lifecycle: initial intrusion; outbound connection initiated; ...; expand access and obtain credentials; strengthening of foothold; data exfiltration; attempts to cover tracks.

10 Honeypots
Honeynet: more than one honeypot
Low interaction
  simulates a controlled subset of the target's attack surface
  emulates common services, applications, OSes
  low risk
High interaction
  utilizes real services, apps, OSs (near-real attack surface)
  commonly have an HMI or GUI
  high risk
  capture far more data
Good, currently-maintained tools for these are RARE

11 3 Categories of Threat Intelligence
Exploitation techniques and strategies
Post-exploitation techniques and strategies, and end goals (very hard to observe)

12 Cyber-Physical Systems
Computational systems that monitor and control physical entities:
  control systems
  sensor-based systems
  autonomous systems
  robotic systems
  etc...

13 Cyber-Physical Systems
Typically a network of:
  Remote Telemetry Units (RTUs)
  Programmable Logic Controllers (PLCs)
  Intelligent Electronic Devices (IEDs)
  (may be a MAC-layer "station bus" network)
Controlled by:
  Supervisory Control And Data Acquisition (SCADA) system(s)
  Industrial Control System (ICS) system(s)
  Process Control System (PCS) system(s)
  Distributed Control System (DCS) system(s)

14 Cyber-Physical Systems (reality)
Are embedded systems: Linux, VxWorks, Solaris, custom firmware, custom OS...
with some specialized additions: sensors, actuators, regulators, communication devices, and "control" processing units

15 Cyber-Physical Systems Standards, Protocols, Implementations
Standards designed by engineers FOR engineers
Access to standards/documentation costs over $10,000: restricted access, yet everyone is expected to adopt it
Descriptions of protocols are open, but closed-source code is common
Implementations thus differ per vendor
Makes things hell for the control systems vendors

16 Tracking CPS systems on the Internet
Specialized search engines:
  SHODAN - Sentient Hyper-Optimized Data Access Network
  ERIPP - Every Routable IP Project
  IRAM - Industrial Risk Assessment Map
Project SHINE (early 2014): uses SHODAN to detect how many ICS systems are connected to the Internet each day, and how many new ICS appear on the Internet per day

17 The Industrial Risk Assessment Map https://www.scadacs.org/iram.html

18

19 CPS Vulnerabilities
Where the term "forever-day" originated: n-days typically never get patched.
This trivializes the cost of target research, making it accessible to all levels of threat.

20 Target Infrastructure Research
Amplifies the impact / opportunities of all other stages of the attack cycle
Stuxnet-level attacks aren't possible without research
Thus the "low-hanging fruit" of attackers can cause significant damage

21 Cyber-Physical Systems Security
Vendor backdoors are common
1990s network interface cards, easy to DoS
Very hard to patch / update
Hacking: it's like it's the 1980s, once you get inside the network

22 Cyber-Physical Systems Security
Security designed by Engineers != Security
No modern security like:
  Executable exploit mitigations: ASLR; DEP / NX / W^X; Control Flow Locking; GS / stack cookies (compiler dependent); safe heap allocators (compiler dependent)
  Kernel / file integrity watchdogs

23 CPS Commodity-Threats
GLEG Ltd (Russian company) sells:
  Agora: since 2006, contains 160+ CPS exploitation modules
  SCADA+: project containing "ALL publicly available SCADA vulns" in one exploit pack
Core Impact sells:
  ExCraft SCADA Pack: 50+ CPS exploitation modules

24 CPS Commodity-Threats (free)
SamuraiSTFU (Security Testing Framework for Utilities) provides: a collection of web, network, and hardware exploitation tools targeted at utility security teams / security firms.
Metasploit provides: several exploitation modules as well, in the popular Metasploit framework.
SCADA Vulnerability and Exploit-PoC Repository:

25 So what? How often do these things even get attacked anyway?

26 Cyber-Physical Systems Threats
ICS-CERT: Surge in Brute-Force Attacks Against Energy Industry (06/2013)
Addressing Cyber Threats to Oil and Gas Suppliers (June 2013): increasing threats, ranging from cyber espionage by foreign intelligence to attempts to disrupt operations
Congressional Report: "Electric Grid Vulnerability: Industry Responses Reveal Security Gaps" (May)
Bleak outlook. Cyber threats against CPS are far likelier and riskier than high-altitude EMP detonations

27 Cyber-Physical Systems Threats
From:
  BlackEnergy APT campaign
  SandWorm APT campaign, also used the BlackEnergy malware
  Dragonfly APT campaign, aka Energetic Bear / Crouching Yeti, targets IEC 60870 ...
Each of these has been going on for years and was only discovered in 2014

28 Getting Situational Awareness in ICS / SCADA

29 CPS Honeypots
CISCO CIAG's SCADA Honeypot (2004)
DIGITAL BOND's SCADA Honeynet Project (2010)
CONPOT - The Honeynet Project's ICS honeypot
TREND MICRO's closed-source honeypot project
ROS Honeypot

30 Plus...
We're OK at tracking the attacks against the cyber side...
What about how cyber attacks against one end of a CPS can affect, directly or indirectly, other parts of the physical system (upstream / downstream)?

31 RobotOS (ROS) Honeypot
The ROS honeypot is the 1st true cyber-physical honeypot: a DEFCON 20 experiment providing a high-interaction vulnerable HMI that interfaces with actual robotic hardware running ROS. It is thus able to capture cyber attacks against the underlying physical system.

32 RobotOS (ROS) Honeypot

33 RobotOS (ROS) Honeypot
But this solution would not scale for large CPS...
  Too expensive
  Too complicated
  High maintenance

34 Symbolic Honeynets for Gathering Cyber-Physical Threat Intelligence

35 Symbolic Cyber-Physical Honeynet (SCyPH) Framework
Novel features:
  Symbolic simulation/analysis of the physical part
  Emulation of everything else (SCADA / ICS protocols)
  Provides realistic stimuli to the HMI = believable target
  Allows capture of post-exploitation behavior
  Organizes and highlights attack data in a "cyber-physical-anomaly-centric manner"

36 Symbolic Cyber-Physical Honeynet (SCyPH) Framework
Why "Symbolic"???
The anomaly detection engine analyzes each parameter as a set of symbols.
It doesn't care about the data types: voltage, current, temperature, load, status, ...

37 Honeynet and SCADA HMI Logging
Diagram of the SCyPH server model with four layers: the Honeynet Layer, the Interaction Layer, the Infrastructure Modeling Layer and the Logging Layer (honeynet and SCADA HMI logging, anomaly detection). Network labels in the diagram: eth0 (Internet-exposed interface), HONEYNET FRAMEWORK, vmnet0 (virtual bridge to eth0), vmnet1 (host-only mode), simulated cyber-physical systems, vmnet2 (isolated host-only), exposed honeynet, SCADA HMI.

38 Symbolic Cyber-Physical Honeynet (SCyPH) Framework
Design principles:
  All components are modular
  HMI interaction is coupled with the simulated physical model
  Multiple HMIs all reflect one overall physical model
  Layers are strictly partitioned

39 Symbolic Cyber-Physical Honeynet (SCyPH) Framework
Designed to:
  facilitate greater interactivity than existing cyber-physical honeypots, to entice more sophisticated threat actors
  be easier to expand upon
  present data in a higher-order representation: physics anomalies presented with the corresponding network traffic

40 Infrastructure Modeling Layer
Symbolic data flow model which simulates the physical parts of a cyber-physical system
Provides realistic stimuli to the HMI = believable target
Based on the Kahn Process Network (KPN); many engineering models are based on the KPN model
The IML's data flow model defines a process by a set of signals, actors, and firing rules
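As an added illustration of slides 36 and 40 (not code from the SCyPH project), the Python sketch below builds a minimal Kahn Process Network of signals, actors and firing rules that simulates a generator-breaker-meter feeder, then runs a symbolic anomaly detector that learns per-parameter symbol sets from nominal runs and flags unseen symbols regardless of data type. The actor names, the 13.8 nominal voltage and the bucketing in symbolize() are assumptions of this example.

```python
from collections import deque

# Constructed example: KPN semantics are unbounded FIFO signals between actors,
# and an actor fires only when every one of its input signals carries a token.

class Signal:
    """Unbounded FIFO channel between two actors."""
    def __init__(self):
        self.fifo = deque()
    def put(self, value):
        self.fifo.append(value)
    def ready(self):
        return bool(self.fifo)
    def get(self):
        return self.fifo.popleft()

class Actor:
    """Firing rule: all inputs ready; fn maps input tokens to one token per output."""
    def __init__(self, fn, inputs, outputs):
        self.fn, self.inputs, self.outputs = fn, inputs, outputs
    def try_fire(self):
        if not all(s.ready() for s in self.inputs):
            return False
        for sig, val in zip(self.outputs, self.fn(*(s.get() for s in self.inputs))):
            sig.put(val)
        return True

def symbolize(value):
    # Assumed symbolisation: floats bucketed to whole units, everything else by str().
    return f"{value:.0f}" if isinstance(value, float) else str(value)

class SymbolicDetector:
    """Learns the set of symbols seen per parameter name; types are irrelevant."""
    def __init__(self):
        self.known = {}
    def learn(self, sample):
        for name, value in sample.items():
            self.known.setdefault(name, set()).add(symbolize(value))
    def anomalies(self, sample):
        return [n for n, v in sample.items() if symbolize(v) not in self.known.get(n, set())]

def run_feeder(breaker_cmds, v_nominal=13.8):
    """Generator -> breaker -> meter, one token per tick; returns the meter's samples."""
    clock, gen_out, cmd, meter_in = Signal(), Signal(), Signal(), Signal()
    for tick, c in enumerate(breaker_cmds):
        clock.put(tick); cmd.put(c)
    samples = []
    actors = [
        Actor(lambda t: (v_nominal,), [clock], [gen_out]),                         # generator
        Actor(lambda v, c: ((v if c == "CLOSE" else 0.0, c),), [gen_out, cmd], [meter_in]),  # breaker
        Actor(lambda vs: samples.append({"voltage": vs[0], "status": vs[1]}) or (), [meter_in], []),  # meter
    ]
    while any(a.try_fire() for a in actors):  # round-robin scheduling until no actor can fire
        pass
    return samples

def detect(nominal_cmds, observed_cmds):
    """Learn from a nominal run, then report (tick, anomalous parameters) for an observed run."""
    det = SymbolicDetector()
    for sample in run_feeder(nominal_cmds):
        det.learn(sample)
    return [(t, det.anomalies(s)) for t, s in enumerate(run_feeder(observed_cmds)) if det.anomalies(s)]
```

An unexpected OPEN command shows up as a joint anomaly in the physics parameter (voltage) and the status symbol at the same tick, which is the pairing the framework presents to the analyst.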

41 Any questions? References

