1 A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta.

Presentation transcript:

1 A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection. I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta. Joint Research Centre (JRC), the European Commission's Research-Based Policy Support Organisation; Insubria University.

2 Consequences of pervasive ICT in Critical Infrastructures. Today most critical infrastructures depend heavily on the underlying communication networks (public networks, Supervisory Control and Data Acquisition (SCADA) systems). New attack scenarios, new vulnerabilities, new risks.

3 An Example: The ModBUS frame.
ModBUS serial frame (RS232, RS422/485): 253 bytes (PDU) + 1 byte (slave ADDR) + 2 bytes (CRC) = 256 bytes max ADU.
ModBUS TCP/IP frame: 253 bytes (PDU) + 7 bytes (MBAP header) = 260 bytes max ADU.
MBAP Header: Transaction Identifier, Protocol Identifier, Length, Unit Identifier.
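The limits on this slide (253-byte PDU, 256-byte serial ADU, 260-byte TCP ADU) are exactly what a filtering unit or a parser should enforce before it looks at the function code. The Python below is an added example, not code from the authors or their prototype: it builds and validates both frame types, checking the serial CRC-16 and the MBAP protocol-identifier and length fields, and rejects frames outside the limits. The sample PDU (read 10 holding registers from address 0) is constructed.

```python
import struct

MAX_PDU = 253          # Modbus PDU limit (function code + data), as on the slide
MAX_ADU_SERIAL = 256   # 253 (PDU) + 1 (slave address) + 2 (CRC)
MAX_ADU_TCP = 260      # 253 (PDU) + 7 (MBAP header)
MBAP_LEN = 7           # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def crc16_modbus(data):
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_serial_frame(slave_addr, pdu):
    """Serial ADU = slave address || PDU || CRC (low byte first on the wire)."""
    if not 1 <= len(pdu) <= MAX_PDU:
        raise ValueError("PDU must be 1..253 bytes")
    body = bytes([slave_addr]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def parse_serial_frame(frame):
    """Validate length and CRC of a serial ADU; return address, function code and data."""
    if not 4 <= len(frame) <= MAX_ADU_SERIAL:
        raise ValueError(f"serial ADU length {len(frame)} outside 4..{MAX_ADU_SERIAL}")
    body, crc_rx = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != crc_rx:
        raise ValueError("CRC mismatch")
    return {"slave_addr": body[0], "function": body[1], "data": body[2:]}


def build_tcp_frame(transaction_id, unit_id, pdu):
    """TCP ADU = MBAP (transaction id, protocol id 0, length, unit id) || PDU.
    The length field counts the unit id plus the PDU."""
    if not 1 <= len(pdu) <= MAX_PDU:
        raise ValueError("PDU must be 1..253 bytes")
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_tcp_frame(frame):
    """Validate the MBAP header against the slide's limits and the real byte count."""
    if not MBAP_LEN + 1 <= len(frame) <= MAX_ADU_TCP:
        raise ValueError(f"TCP ADU length {len(frame)} outside {MBAP_LEN + 1}..{MAX_ADU_TCP}")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol identifier {pid} is not Modbus (0)")
    if length != len(frame) - 6:     # length covers everything after the length field
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(frame)}")
    return {"transaction_id": tid, "unit_id": uid,
            "function": frame[MBAP_LEN], "data": frame[MBAP_LEN + 1:]}


def rejected(parser, frame):
    """True if the parser raises ValueError on the frame (used by the checks below)."""
    try:
        parser(frame)
    except ValueError:
        return True
    return False


# Constructed sample PDU: 'Read Holding Registers' (0x03), start address 0, 10 registers.
READ_10_HR = bytes.fromhex("030000000a")

if __name__ == "__main__":
    serial = build_serial_frame(1, READ_10_HR)    # 01 03 00 00 00 0a c5 cd
    tcp = build_tcp_frame(1, 1, READ_10_HR)       # 00 01 00 00 00 06 01 03 00 00 00 0a
    print(serial.hex(), parse_serial_frame(serial))
    print(tcp.hex(), parse_tcp_frame(tcp))
```

A filter that trusts the MBAP length field instead of the received byte count can be made to read past the PDU or to accept a frame that carries trailing bytes; the `length != len(frame) - 6` check closes that gap, and the 260-byte ceiling bounds every later buffer.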

4 SCADA Protocols Vulnerabilities: Unauthorized Command Execution, Man-in-the-Middle, Replay attacks, Repudiation. What is missing: …authentication… …integrity… …freshness…

5 Secure Modbus Prototype. ModBUS TCP/IP frame (MBAP | Function | Data) + Time-stamp (TS) = E-Modbus; SHA2 digest (256 bit) of the E-Modbus frame; RSA signature on the SHA2 digest with the Master key (pKM) = S-Modbus pkt.

6 Considerations A secure protocol does not protect from the corruption of the traffic originator, i.e. the Master…

7 K-Survivable SCADA Architecture.
Attacks: Unauthorized Command Execution, Replay Attack, Master infection, Master-FU infection.
Solutions: Signature (Secure ModBUS), Filtering Unit (FU), Multiple FUs.
Notation: {data} PKm = data signed with PKm; PKm = Private Key Master; SKm = Public key Master; TS = Time Stamp; FU = Filtering Unit; PKf = Private key FU; SKf = Public key FU.
Message flow: the Master builds the ModBUS TCP/IP frame (MBAP | Function | Data | TS) and sends {TS|ModBUS} PKm; the FU verifies it as {{{TS|ModBUS} PKm} SKm} and forwards {{TS|ModBUS} PKm} PKf; the Slave verifies {{{TS|ModBUS} PKm} PKt} SKt before acting. Attacker positions shown: at the Master, on the Master-FU link (Msg), and at the FU; a Scada FW fronts the field side.
The FUs run on different architectures and OSes (Linux, Windows).
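The envelope of slide 5 and the Master → FU → Slave chain of this slide can be written out end to end. The Python below is an added example, not the authors' prototype. Because RSA is not in the Python standard library, the "RSA signature on the SHA-2 digest" is replaced by an HMAC-SHA256 over the SHA-256 digest with a per-node key, so the message layout, freshness check and counter-signature order follow the slide while the primitive does not (key distribution is assumed). The 8-byte millisecond timestamp, the 2 s freshness window, the reading of "Multiple FU" as a k-of-n endorsement rule at the slave, and every key and frame are constructed assumptions of this example.

```python
import hashlib
import hmac
import struct

SIG_LEN = 32          # bytes of HMAC-SHA256 output (the slide's RSA signature would be longer)
TS_LEN = 8            # timestamp: unsigned 64-bit milliseconds, big-endian (constructed layout)
FRESHNESS_MS = 2000   # accept packets at most 2 s away from the receiver's clock (assumed window)


def sign(key, data):
    """SHA-256 digest of the data, then a keyed MAC over that digest. Stand-in for the
    slide's 'RSA signature on the SHA-2 digest' so the example needs only the stdlib."""
    return hmac.new(key, hashlib.sha256(data).digest(), hashlib.sha256).digest()


def verify(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)


class ReplayCache:
    """Per-receiver memory of accepted (TS, digest) pairs inside the freshness window."""
    def __init__(self):
        self.seen = set()

    def accept(self, ts_ms, now_ms, e_modbus):
        if abs(now_ms - ts_ms) > FRESHNESS_MS:
            raise ValueError("stale or future timestamp")
        entry = (ts_ms, hashlib.sha256(e_modbus).digest())
        if entry in self.seen:
            raise ValueError("replayed packet")
        self.seen = {e for e in self.seen if abs(now_ms - e[0]) <= FRESHNESS_MS}  # bound the set
        self.seen.add(entry)


def master_send(k_master, modbus_frame, now_ms):
    """Master: E-Modbus = ModBUS frame || TS;  S-Modbus = E-Modbus || Sig_master(E-Modbus)."""
    e_modbus = modbus_frame + struct.pack(">Q", now_ms)
    return e_modbus + sign(k_master, e_modbus)


def split_s_modbus(s_modbus):
    """-> (E-Modbus bytes, master signature, timestamp in ms)."""
    e_modbus, sig_m = s_modbus[:-SIG_LEN], s_modbus[-SIG_LEN:]
    if len(e_modbus) <= TS_LEN:
        raise ValueError("packet too short")
    return e_modbus, sig_m, struct.unpack(">Q", e_modbus[-TS_LEN:])[0]


def filtering_unit(fu_id, k_fu, k_master, s_modbus, now_ms, cache):
    """One FU: check the master signature and freshness, then counter-sign the S-Modbus
    packet. Returns fu_id || Sig_fu(S-Modbus); raises if the packet is rejected."""
    e_modbus, sig_m, ts_ms = split_s_modbus(s_modbus)
    if not verify(k_master, e_modbus, sig_m):
        raise ValueError(f"FU{fu_id}: master signature invalid")
    cache.accept(ts_ms, now_ms, e_modbus)
    return bytes([fu_id]) + sign(k_fu, s_modbus)


def slave_receive(k_master, fu_keys, k, s_modbus, endorsements, now_ms, cache):
    """Slave: require at least k valid counter-signatures from distinct FUs, then check the
    master signature and freshness itself. Returns the plain ModBUS frame or raises."""
    e_modbus, sig_m, ts_ms = split_s_modbus(s_modbus)
    valid = {e[0] for e in endorsements
             if e[0] in fu_keys and verify(fu_keys[e[0]], s_modbus, e[1:])}
    if len(valid) < k:
        raise ValueError(f"{len(valid)} of {len(fu_keys)} FUs endorsed the packet, need {k}")
    if not verify(k_master, e_modbus, sig_m):
        raise ValueError("master signature invalid")
    cache.accept(ts_ms, now_ms, e_modbus)
    return e_modbus[:-TS_LEN]


def demo():
    """Constructed keys and frame: one master, three FUs with k = 2; then a replay, a packet
    built without the master key, and a packet endorsed by one FU only. Returns what happened."""
    k_master, fu_keys = b"master-key-constructed", {1: b"fu1-key", 2: b"fu2-key", 3: b"fu3-key"}
    frame = bytes.fromhex("000100000006010300000001")   # Modbus TCP: read 1 HR from unit 1
    fu_caches, slave_cache = {i: ReplayCache() for i in fu_keys}, ReplayCache()
    results = {}
    s = master_send(k_master, frame, 1_000_000)
    endorsements = [filtering_unit(i, fu_keys[i], k_master, s, 1_000_050, fu_caches[i]) for i in fu_keys]
    results["delivered"] = slave_receive(k_master, fu_keys, 2, s, endorsements, 1_000_100, slave_cache) == frame
    forged = master_send(b"wrong-key", frame, 1_000_300)
    s2 = master_send(k_master, frame, 1_000_400)
    one_fu = [filtering_unit(1, fu_keys[1], k_master, s2, 1_000_400, fu_caches[1])]
    attempts = {
        "replay_blocked": lambda: slave_receive(k_master, fu_keys, 2, s, endorsements, 1_000_200, slave_cache),
        "forgery_blocked": lambda: filtering_unit(1, fu_keys[1], k_master, forged, 1_000_300, fu_caches[1]),
        "single_fu_blocked": lambda: slave_receive(k_master, fu_keys, 2, s2, one_fu, 1_000_400, slave_cache),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            results[name] = False
        except ValueError:
            results[name] = True
    return results
```

Note what the envelope alone does and does not cover, which is the point of slide 6: a replayed or forged packet is dropped, and a single compromised FU cannot deliver on its own, but a packet that a compromised Master signs correctly passes every check here. Rejecting such locally licit commands is the job of the state-based filtering described on the following slides.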

8 ...Problem... Locally licit commands put the system into a critical state. (Diagram: PLC1, PLC2 and PLC3 behind a Filtering Cloud; the commands Open V2, Close V1 and Close V3 arrive as R1: PKT(###), R2, R3: PKT(^&%); Alert!)

9 …but… ICT World: signature based IDS. Industrial World: safety analysis.

10 State Based Approach (1) SCADA System Representation

11 State Based Approach (3) Critical State Representation. IF ( PLC[ ].HR[1] < 20 AND PLC[ ].HR[2] > 70 ) THEN "The system is in a critical state" (register scale shown: 0 to 100).

12 State Based Filter Architecture

13 Loader: Virtual System Loader

14 Loader: Critical State Rules Loader. Rule: IF ( PLC[ ].HR[1] > 70 OR PLC[ ].HR[2] < 20 ) AND ( PLC[ ].CO[0] = 0 OR NOT PLC[ ].CO[1] = 1 ) THEN ALERT. The loader turns it into a condition tree: an AND node over the OR node (PLC[ ].HR[1] > 70, PLC[ ].HR[2] < 20) and the conditions PLC[ ].CO[0] = 0 and NOT PLC[ ].CO[1] = 1.

15 SVI: Update System Manager Virtual System 1

16 SVI: Real System Synchronizer. Virtual System Before → Query Field Devices → System Update → Virtual System After.

17 Analyzer: Critical State Analyzer. Virtual System 1: IF ( PLC[ ].CO[1] == 1 ) THEN ALERT.
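Slides 10 to 17 describe one pipeline: a rules loader parses IF … THEN … rules into a condition tree, a synchronizer updates a Virtual System from the request/response pairs seen on the wire, and an analyzer evaluates every tree after each update. The Python below is an added example of that pipeline, not the authors' implementation: a recursive-descent parser for the rule syntax used on the slides (PLC[n].HR[i] / PLC[n].CO[i], <, >, =, ==, NOT, AND, OR, parentheses), a Virtual System fed from Read Coils (0x01) and Read Holding Registers (0x03) transactions, and the analyzer over both slide rules. The blank PLC index on the slides is filled in as PLC[1], and the register and coil values are constructed.

```python
import re
from collections import defaultdict


class VirtualSystem:
    """Mirror of the field devices: holding registers (HR) and coils (CO) per PLC.
    Points not yet synchronized read as 0 (an assumption of this example)."""
    def __init__(self):
        self.points = defaultdict(int)

    def read(self, plc, kind, idx):
        return self.points[(plc, kind, idx)]

    def sync(self, plc, req_pdu, resp_pdu):
        """Real System Synchronizer step: update the mirror from a captured request/response
        pair. Supports Read Coils (0x01) and Read Holding Registers (0x03)."""
        fc = req_pdu[0]
        start, qty = int.from_bytes(req_pdu[1:3], "big"), int.from_bytes(req_pdu[3:5], "big")
        if resp_pdu[0] != fc or fc not in (0x01, 0x03):
            raise ValueError("unsupported or mismatched transaction")
        nbytes = (qty + 7) // 8 if fc == 0x01 else 2 * qty
        if resp_pdu[1] != nbytes or len(resp_pdu) != 2 + nbytes:
            raise ValueError("response byte count does not match the request")
        for i in range(qty):
            if fc == 0x01:   # coil bits are packed LSB-first within each byte
                self.points[(plc, "CO", start + i)] = (resp_pdu[2 + i // 8] >> (i % 8)) & 1
            else:
                self.points[(plc, "HR", start + i)] = int.from_bytes(resp_pdu[2 + 2 * i:4 + 2 * i], "big")


# Critical State Rules Loader: rule text -> condition tree
TOKEN_RE = re.compile(r"PLC\[\d+\]\.(?:HR|CO)\[\d+\]|\d+|==|[=<>()]|AND|OR|NOT|\S+")
REF_RE = re.compile(r"PLC\[(\d+)\]\.(HR|CO)\[(\d+)\]")
RULE_RE = re.compile(r"^\s*IF\s+(.*?)\s+THEN\s+(.+?)\s*$", re.S)


class RuleParser:
    """Recursive descent with precedence NOT > AND > OR, the shape of the slide's rule tree."""
    def __init__(self, cond):
        self.toks, self.i = TOKEN_RE.findall(cond), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):                      # expr := term (OR term)*
        node = self.term()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):                      # term := factor (AND factor)*
        node = self.factor()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):                    # factor := NOT factor | ( expr ) | ref op number
        if self.peek() == "NOT":
            self.take()
            return ("not", self.factor())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        ref, op, num = self.take(), self.take(), self.take()
        m = REF_RE.fullmatch(ref or "")
        if not m or op not in ("<", ">", "=", "==") or not (num or "").isdigit():
            raise ValueError(f"malformed comparison near {ref} {op} {num}")
        return ("cmp", (int(m[1]), m[2], int(m[3])), op, int(num))


def compile_rule(text):
    """'IF <condition> THEN <action>' -> (condition tree, action string)."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("rule must read 'IF <condition> THEN <action>'")
    p = RuleParser(m.group(1))
    tree = p.expr()
    if p.peek() is not None:
        raise ValueError(f"trailing tokens: {p.toks[p.i:]}")
    return tree, m.group(2).strip().strip('"')


# Critical State Analyzer: evaluate the trees against the Virtual System
def evaluate(node, vs):
    if node[0] == "cmp":
        _, (plc, kind, idx), op, val = node
        cur = vs.read(plc, kind, idx)
        return {"<": cur < val, ">": cur > val, "=": cur == val, "==": cur == val}[op]
    if node[0] == "not":
        return not evaluate(node[1], vs)
    left, right = evaluate(node[1], vs), evaluate(node[2], vs)
    return (left and right) if node[0] == "and" else (left or right)


def analyze(rule_texts, vs):
    return [action for tree, action in map(compile_rule, rule_texts) if evaluate(tree, vs)]


# The two rules from the slides, with the blank PLC index filled in as PLC[1] (constructed).
RULES = [
    'IF ( PLC[1].HR[1] < 20 AND PLC[1].HR[2] > 70 ) THEN "The system is in a critical state"',
    "IF ( PLC[1].HR[1] > 70 OR PLC[1].HR[2] < 20 ) AND ( PLC[1].CO[0] = 0 OR NOT PLC[1].CO[1] = 1 ) THEN ALERT",
]
```

Two design points matter for the detection results on the later slides: the rules are compiled once at load time and only the trees are walked per packet, and the analyzer runs after the synchronizer has applied a response, so a request that is well-formed and correctly signed but drives the mirrored state into a critical region still raises the alert.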

18 The Power system SCADA lab. Contains:
- Idrolab (+150 sensors/actuators)
- Control room
- 3 SCADA systems
Hardware and Software:
- 20 High Performance Servers
- 150 High End PCs and notebooks
- 10 Layer 3, 24 ports, gigabit switches
- 4 High Performance wireless switches
- 1 Nokia-checkpoint solid state Firewall
- 4 full network racks
- 18 km of network cables
- 300 gigabit network cards
- A 100 KW cooling system
- A 100 KW UPS system

19 JRC SCADA LAB. (Diagram: PLC / RTU connected to actuators and sensors.)

20 Test: Encryption Layer

21 Test: Packet Loss. Master: sends request packets of 260 bytes. Slave: responds with responses of 260 bytes.
Results: Requests Sent / Responses Sent (counts not preserved in the transcript); Size Request: 315 bytes; Size Response: 315 bytes; Request Rate: 1 request sent each 1 ms; Rate: 615,2 kbytes/s; Packet Loss: 0.

22 Test: Single Signature Rules Analyzer. Master: sends 1000 requests. Slave: responds with 1000 responses. Filter: captures the messages and checks if they are licit, according to a rules file which contains n rules.
Results table: Num Rules vs Average Time (on 1000 pkts), in ms; the six rows' values are not preserved in the transcript.

23 Test: Virtual System Update. Master: sends 1000 requests with the command "Read n-coils". Slave: responds with 1000 responses which contain the n values. Filter: captures the request/response transaction and updates the n values in the Virtual System.
Results table: Num Coils vs Average Time (on 1000 pkts), in ms, for 10, 500, 1000, 5000, 10000 and 20000 coils; the time values are not preserved in the transcript.

24 Test: Critical State Rules Analyzer (1). Master: sends 1000 generic requests. Slave: responds with 1000 responses. Filter: captures the req/res transaction then checks if the Virtual System is entering a Critical State, according to a rules file which contains only one rule with n conditions.
Results table: Num Conditions vs Average Time (on 1000 pkts), in ms, for 20, 160, 640, 1280, 2560, 5120 and 10240 conditions; only the integer part of the last time survived the transcript (10240 conditions: 1,x ms), the other values are not preserved.

25 Test: Critical State Rules Analyzer (2). Master: sends 1000 generic requests. Slave: responds with 1000 responses. Filter: captures the request/response transaction then checks if the Virtual System is entering a Critical State, according to a rules file which contains n rules.
Results table: Num Rules vs Average Time (on 1000 pkts), in ms, for 100, 500, 1000, 5000, 10000 and 20000 rules; only the integer parts of the last four times survived the transcript (1000 rules: 1,x ms; 5000: 2,x ms; 10000: 5,x ms; 20000: 9,x ms), the values for 100 and 500 rules are not preserved.

26 System of Systems: thousands of devices to monitor, hundreds of subsystems, geographically sparse systems. Impossible to analyze states on a single level.

27 Future Works:
– Abstract Aggregation
– Critical State Prediction
– Critical State Prediction based Firewalls
– Lightweight Cryptographic mechanisms for SCADA protocols