1 A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection. I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta. Joint Research Centre (JRC), The European Commission's Research-Based Policy Support Organisation; Insubria University.
2 Consequences of pervasive ICT in Critical Infrastructures. Today most critical infrastructures depend heavily on the underlying communication networks (public network, Supervisory Control and Data Acquisition (SCADA)). The consequences are new attack scenarios, new vulnerabilities and new risks.
3 An Example: The ModBUS frame
ModBUS serial frame (RS232, RS422/): max ADU = 253 bytes (PDU) + 1 byte (slave ADDR) + 2 bytes (CRC) = 256 bytes.
ModBUS TCP/IP frame: max ADU = 253 bytes (PDU) + 7 bytes (MBAP) = 260 bytes. MBAP Header: Transaction Identifier, Protocol Identifier, Length, Unit Identifier.
4 SCADA Protocols Vulnerabilities: Unauthorized Command Execution, Man-in-the-Middle, Replay attacks, Repudiation. Missing properties: …authentication… …integrity… …freshness…
5 Secure Modbus Prototype: the ModBUS TCP/IP frame (MBAP | Function | Data) is extended with a Time-stamp (TS), giving the E-Modbus frame; a SHA2 digest (256 bit) is computed over it, and an RSA signature on the SHA2 digest is produced with the Master key (pKM); the result is the S-Modbus packet.
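As an added illustration (not code from the JRC prototype), the Modbus TCP framing of slide 3 and the S-Modbus wrapping of slide 5 in Python: MBAP header plus PDU, a timestamp, a SHA-256 digest over the extended frame, and a signature over the digest, checked on the receiving side for integrity, authentication and freshness (the three properties slide 4 lists as missing). The prototype's RSA signature is replaced here by an HMAC-SHA256 stand-in, and the 2-second freshness window, the millisecond timestamp encoding and the trailer layout are assumptions.

```python
import hashlib
import hmac
import struct
import time

MAX_PDU = 253            # Modbus PDU limit; ADU = PDU + 7-byte MBAP = 260 bytes
MAX_TCP_ADU = MAX_PDU + 7
FRESHNESS_WINDOW = 2.0   # seconds a TS is accepted (assumed value, not from the slides)
TRAILER = 8 + 32 + 32    # TS (ms, uint64) + SHA-256 digest + 32-byte signature

def modbus_tcp_adu(tid, unit, pdu):
    """MBAP (transaction id, protocol id 0, length, unit id) followed by the PDU."""
    if len(pdu) > MAX_PDU:
        raise ValueError("PDU exceeds 253 bytes")
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def sign(key, digest):
    """Stand-in for the prototype's RSA signature on the SHA-2 digest: HMAC-SHA256."""
    return hmac.new(key, digest, hashlib.sha256).digest()

def wrap_secure(adu, key, ts=None):
    """Build an S-Modbus packet: ADU | TS | SHA-256(ADU|TS) | signature(digest)."""
    if len(adu) > MAX_TCP_ADU:
        raise ValueError("ADU exceeds 260 bytes")
    ts = struct.pack(">Q", int((time.time() if ts is None else ts) * 1000))
    digest = hashlib.sha256(adu + ts).digest()
    return adu + ts + digest + sign(key, digest)

def check_secure(pkt, key, now=None):
    """Filter-side verification; returns (verdict, adu). Verdict is 'ok' or the
    failed property: 'format', 'integrity', 'authentication' or 'freshness'."""
    if len(pkt) < 7 + TRAILER:
        return ("format", None)
    adu, ts = pkt[:-TRAILER], pkt[-TRAILER:-64]
    digest, sig = pkt[-64:-32], pkt[-32:]
    _, proto, length, _ = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6 or len(adu) > MAX_TCP_ADU:
        return ("format", None)               # MBAP length must cover unit id + PDU
    if not hmac.compare_digest(hashlib.sha256(adu + ts).digest(), digest):
        return ("integrity", None)            # frame or timestamp was altered
    if not hmac.compare_digest(sign(key, digest), sig):
        return ("authentication", None)       # not produced by the key holder
    now = time.time() if now is None else now
    if abs(now - struct.unpack(">Q", ts)[0] / 1000) > FRESHNESS_WINDOW:
        return ("freshness", None)            # stale TS: a replayed packet
    return ("ok", adu)
```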
6 Considerations A secure protocol does not protect from the corruption of the traffic originator, i.e. the Master…
7 K-Survivable SCADA Architecture
Notation: PKm = Private Key Master, SKm = Public key Master, TS = Time Stamp, FU = Filtering Unit, PKf = Private key FU, SKf = Public key FU.
Message flow (ModBUS TCP/IP frame: MBAP | Function | Data | TS): the Master sends {TS|ModBUS} PKm; the Filtering Unit forwards {{TS|ModBUS} PKm} PKf to the Slave. Other message forms appearing in the figure: {data} PKm, {{{TS|ModBUS} PKm} SKm, {{{TS|ModBUS} PKm} PKt} SKt.
Attacks: Unauth. Com. Exec., Replay Attack, Master infection, Master-FU infection.
Solutions: Signature, Secure ModBUS, Filtering Unit, Multiple FU (different architecture; OS: Linux, Windows). Scada FW.
8 Problem: locally licit commands put the system into a critical state. Figure: the commands Open V2, Close V1 and Close V3 travel as packets PKT(###), PKT(^&%) through the Filtering Cloud (R1, R2, R3) to PLC1, PLC2, PLC3, and an Alert! is raised.
9 …but… ICT World: ICT signature-based IDS. Industrial World: Safety Analysis.
10 State Based Approach (1) SCADA System Representation
11 State Based Approach (3): Critical State Representation. IF ( PLC[ ].HR[1] < 20 AND PLC[ ].HR[2] > 70 ) THEN "The system is in a critical state" (figure: register values on a 0 to 100 scale).
12 State Based Filter Architecture
13 Loader: Virtual System Loader
14 Loader: Critical State Rules Loader. Rule: IF ( PLC[ ].HR[1] > 70 OR PLC[ ].HR[2] < 20 ) AND ( PLC[ ].CO[0] = 0 OR NOT PLC[ ].CO[1] = 1 ) THEN ALERT. The loader turns it into a condition tree: AND [ PLC[ ].HR[1] > 70 OR PLC[ ].HR[2] < 20 ] [ PLC[ ].CO[0] = 0 OR NOT PLC[ ].CO[1] = 1 ].
15 SVI: Update System Manager (Virtual System 1)
16 SVI: Real System Synchronizer: Query Field Devices, then System Update (Virtual System Before, Virtual System After).
17 Analyzer: Critical State Analyzer (Virtual System 1): IF ( PLC[ ].CO[1] == 1 ) THEN ALERT
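An added Python example (not the authors' filter code) of the Real System Synchronizer and Critical State Analyzer of slides 14 to 17: a virtual system image updated from Modbus Read Holding Registers / Read Coils request-response pairs, and a rule evaluator for condition trees such as the slide-14 rule. The blank PLC index of the slides is assumed to be PLC 1; the register and coil counts per PLC and the tuple representation of rules are assumptions.

```python
import struct

class PLC:
    """Virtual image of one field device: holding registers (HR) and coils (CO)."""
    def __init__(self, n_hr=16, n_co=16):
        self.HR = [0] * n_hr
        self.CO = [0] * n_co

class VirtualSystem:
    def __init__(self, plc_ids):
        self.plc = {i: PLC() for i in plc_ids}

    def update(self, plc_id, request_pdu, response_pdu):
        """Real System Synchronizer: apply a Read Coils (0x01) or Read Holding
        Registers (0x03) request/response pair to the virtual image."""
        fc, start, count = struct.unpack(">BHH", request_pdu[:5])
        if response_pdu[0] != fc or response_pdu[1] != len(response_pdu) - 2:
            raise ValueError("response does not match request")
        data = response_pdu[2:]
        if fc == 0x03:                        # one 16-bit big-endian word per register
            self.plc[plc_id].HR[start:start + count] = struct.unpack(">%dH" % count, data)
        elif fc == 0x01:                      # coils packed LSB-first, 8 per byte
            self.plc[plc_id].CO[start:start + count] = [
                (data[i // 8] >> (i % 8)) & 1 for i in range(count)]
        else:
            raise ValueError("unsupported function code 0x%02x" % fc)

OPS = {"<": lambda a, b: a < b, ">": lambda a, b: a > b, "=": lambda a, b: a == b}

def evaluate(rule, vs):
    """Critical State Analyzer: a rule is a condition (plc, 'HR'|'CO', index, op,
    value) or a node ('AND'|'OR'|'NOT', subrule, ...), as the loader would build it."""
    head = rule[0]
    if head == "AND":
        return all(evaluate(r, vs) for r in rule[1:])
    if head == "OR":
        return any(evaluate(r, vs) for r in rule[1:])
    if head == "NOT":
        return not evaluate(rule[1], vs)
    plc, area, idx, op, value = rule
    return OPS[op](getattr(vs.plc[plc], area)[idx], value)

# Slide-14 rule (blank PLC index assumed = 1): (HR[1]>70 OR HR[2]<20) AND (CO[0]=0 OR NOT CO[1]=1)
RULE_SLIDE14 = ("AND",
                ("OR", (1, "HR", 1, ">", 70), (1, "HR", 2, "<", 20)),
                ("OR", (1, "CO", 0, "=", 0), ("NOT", (1, "CO", 1, "=", 1))))

def analyze(vs, rules):
    return [name for name, rule in rules.items() if evaluate(rule, vs)]
```

Each Modbus transaction first refreshes the image, then every loaded rule is evaluated against the whole image, so a command that is licit on its own still raises an alert when the resulting global state matches a rule.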
18 The Power system SCADA lab
Contains:
- Idrolab (+150 sensors/actuators)
- Control room
- 3 SCADA systems
Hardware and Software:
- 20 High Performance Servers
- 150 High End PCs and notebooks
- 10 Layer 3, 24 ports, gigabit switches
- 4 High Performance wireless switches
- 1 Nokia-Checkpoint solid state Firewall
- 4 full network racks
- 18 km of network cables
- 300 gigabit network cards
- A 100 KW cooling system
- A 100 KW UPS system
19 JRC SCADA LAB: PLC - RTU, Actuators, Sensors.
20 Test: Encryption Layer
21 Test: Packet Loss. Master: sends request packets of 260 bytes. Slave: responds with responses of 260 bytes.
Size Request: 315 bytes
Size Response: 315 bytes
Request Rate: 1 request sent each 1 ms
Rate: 615.2 kbytes/s
Packet Loss: 0
(Requests Sent / Responses Sent counts not recovered from the slide)
22 Test: Single Signature Rules Analyzer. Table: Num Rules vs Average Time (on 1000 pkts), in ms (cell values not recovered from the slide). Master: sends 1000 requests. Slave: responds with 1000 responses. Filter: captures the messages and checks whether they are licit, according to a rules file which contains n rules.
23 Test: Virtual System Update. Table: Num Coils vs Average Time (on 1000 pkts), in ms; the extracted cells read 10, ms | 500, ms | 1000, ms | 5000, ms | 10000, ms | 20000, ms (the timing digits did not survive extraction). Master: sends 1000 requests with the command "Read n-coils". Slave: responds with 1000 responses which contain the n values. Filter: captures the request/response transaction and updates the n values in the Virtual System.
24 Test: Critical State Rules Analyzer (1). Table: Num Conditions vs Average Time (on 1000 pkts), in ms; the extracted cells read 20, ms | 160, ms | 640, ms | 1280, ms | 2560, ms | 5120, ms | 10241, ms (the timing digits did not survive extraction). Master: sends 1000 generic requests. Slave: responds with 1000 responses. Filter: captures the req/res transaction, then checks whether the Virtual System is entering a Critical State, according to a rules file which contains only one rule with n conditions.
25 Test: Critical State Rules Analyzer (2). Table: Num Rules vs Average Time (on 1000 pkts), in ms; the extracted cells read 100, ms | 500, ms | 1001, ms | 5002, ms | 10005, ms | 20009, ms (the timing digits did not survive extraction). Master: sends 1000 generic requests. Slave: responds with 1000 responses. Filter: captures the request/response transaction, then checks whether the Virtual System is entering a Critical State, according to a rules file which contains n rules.
26 Thousands of devices to monitor, hundreds of subsystems, geographically sparse systems: a System of Systems. It is impossible to analyze states on a single level.
27 Future Works: Abstract Aggregation; Critical State Prediction; Critical State Prediction based Firewalls; Lightweight Cryptographic mechanisms for SCADA protocols.