A Critical Infrastructure Testbed for Cybersecurity Research and Education
Ai Onda, Kalana Pothuvila, Joseph Urban, and Jordan Berg

Abstract

Awareness of cybersecurity in critical infrastructure is imperative because critical infrastructures are vital to our economy and public safety. Supervisory Control and Data Acquisition (SCADA) systems are networks of computers that monitor and control industrial machines and processes, and they are prevalent in critical infrastructures. Unfortunately, SCADA systems are vulnerable to cybersecurity threats, giving an opening to attacks. Testbeds provide a safe environment in which to observe how attacks occur and their possible effects on a real system. In this project, a simple and reconfigurable testbed was created and attacked for the purpose of research and education in this area of vital national importance. The initial focus of the testbed attacks was on industrial control system attacks; under this approach, the attacker has already breached the Information and Communications Technology (ICT) security measures and is preparing to compromise the industrial control network. The testbed includes three modules: the Local Area Network (LAN), a serial Modbus/RTU Programmable Logic Controller (PLC) network, and a Modbus/TCP to Modbus/RTU translation gateway. We attacked the sensors and motors by ping flooding. The sensors and motors timed out, causing the Human Machine Interface (HMI) to lose connection with them. The testbed and related attack methods will be used by educational institutions for lab courses on cybersecurity in critical infrastructures, increasing critical infrastructure awareness and security skills in future generations of cybersecurity professionals.
Introduction
- Critical infrastructure is vital to our economy and public safety
- Supervisory Control and Data Acquisition (SCADA) systems:
  - are networks of computers that monitor and control industrial machines and processes
  - are vulnerable; vulnerabilities include insecure protocols, lack of program updates, and access from the Internet [1, 2]
- Increase in critical infrastructure espionage and sabotage attacks: "Repository of Industrial Security Incidents (RISI), which records cyber security incidents directly affecting SCADA and process control systems, shows the number of incidents increasing by approximately 20% a year over the last decade" [3]
- Testbeds provide insight into the causes and effects of attacks on a system and, as a result, enhance awareness of the current state of industrial control systems security

Objectives
- Create a simulation testbed that:
  - uses different industrial vulnerabilities and protocols
  - allows for quick emulation of different attack situations
  - simulates an Internet-connected SCADA system
- Design attacks for the testbed by reviewing and analyzing existing attack techniques

Methods
- Modbus/RTU PLC network
  - Created communication between two slave PLCs and a master PLC using the built-in Modbus/RTU protocol, uploading a ladder logic program to the master PLC
  - Created communication between a master microcontroller and a slave microcontroller using the Modbus/RTU library for Arduino, "simple-modbus" [6]
- Gateway
  - Determining how to physically connect the PLC to the gateway microcontroller
- Attack
  - Performed a ping flood on the motor and sensor with "sudo ping -f [IP Address]"
  - Creating a packet flooder in Java that generates different types of packets, including ICMP, UDP, and SYN

Summary Results
- PLC network completed
- Disrupted service by ping flooding the motor and sensor
  - Incoming and outgoing channels congested with ICMP Echo packets from the client and ICMP Echo Reply packets from the server
  - HMI cannot connect to the motor and sensor during the attack
  - HMI connects to the motor and sensor after the attack is stopped

Future Work
- Complete the gateway that translates Modbus/TCP to Modbus/RTU
- Complete the packet flooder to observe the effects of different packet types on the testbed
- Implement methods other than Denial of Service attacks, including attacks that achieve pre-determined results
- Incrementally increase the difficulty of attacks and place a firewall in the testbed to prevent the ping flood

References
[1] Huitsing, P., Chandia, R., Papa, M., and Shenoi, S., "Attack taxonomies for the Modbus protocols," International Journal of Critical Infrastructure Protection, vol. 1, pp. , Dec.
[2] Fovino, I., Carcano, A., Masera, M., and Trombetta, A., "An experimental investigation of malware attacks on SCADA systems," International Journal of Critical Infrastructure Protection, vol. 2, no. 4, pp. , Dec.
[3] Staggs, K., and Byres, E., "Cyber wars," Hydrocarbon Eng., Oct.
[4] MODICON, Inc., "Modicon Modbus Protocol Reference Guide," The Modbus Organization, June 1996. [Online]. Available: [Accessed: July 2013].
[5] "Modbus TCP/IP," Simply Modbus. [Online]. Available: [Accessed: July 2013].
[6] Bester, J., "simple-modbus," Google Code. [Online]. Available: [Accessed: July 2013].

Testbed System (figure)
Figure credits: "ArduinoUnoFront.jpg," Arduino. [Online]. Available: [Accessed: July 2013]. "C000drd_small.jpg," PLC Direct Benelux. [Online]. Available: [Accessed: July 2013].

DISCLAIMER: This material is based on work supported by the National Science Foundation and the Department of Defense under grant No. CNS. Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation or the Department of Defense.
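The results above describe the symptom of the ping flood (channels congested with Echo Requests and Echo Replies, HMI losing its connection) and the future work names a firewall as the countermeasure. The following Python is an added example, not code from the poster or the project: a sliding-window detector that flags a source sending ICMP Echo Requests faster than a threshold, and a token-bucket model of the per-source ICMP rate limit that such a firewall rule would enforce. The packet capture, the addresses (192.0.2.x, the documentation range) and the 200 packets/s flood rate are constructed for the example.

```python
from collections import defaultdict, deque

# Added example (not the poster's code). Packet records are constructed tuples:
# (time_s, src_ip, dst_ip, icmp_type); ICMP type 8 is an Echo Request.
ECHO_REQUEST = 8
MOTOR_IP = "192.0.2.50"      # hypothetical testbed motor address
HMI_IP = "192.0.2.10"        # hypothetical HMI that pings the motor once per second
ATTACKER_IP = "192.0.2.99"   # hypothetical host running the flood


def make_sample_capture():
    """Constructed capture: 1 pkt/s from the HMI for 5 s, 200 pkt/s from the
    flooding host for 3 s starting at t = 1 s."""
    packets = [(float(i), HMI_IP, MOTOR_IP, ECHO_REQUEST) for i in range(5)]
    packets += [(1.0 + i / 200.0, ATTACKER_IP, MOTOR_IP, ECHO_REQUEST)
                for i in range(600)]
    packets.sort(key=lambda p: p[0])
    return packets


def detect_ping_flood(packets, window_s=1.0, threshold=50):
    """Flag a (src, dst) pair the first time more than `threshold` Echo Requests
    fall inside a sliding window of `window_s` seconds.
    Returns {(src, dst): (time_of_alert, count_in_window)}."""
    windows = defaultdict(deque)
    alerts = {}
    for t, src, dst, icmp_type in packets:
        if icmp_type != ECHO_REQUEST:
            continue
        q = windows[(src, dst)]
        q.append(t)
        while q and q[0] < t - window_s:      # evict timestamps outside the window
            q.popleft()
        if len(q) > threshold and (src, dst) not in alerts:
            alerts[(src, dst)] = (t, len(q))
    return alerts


def rate_limit_echo(packets, rate_per_s=10.0, burst=20):
    """Token-bucket model of a per-source ICMP Echo rate limit: each source may
    burst `burst` packets, then sustain `rate_per_s`. Returns (passed, dropped)
    counts per source, so the effect on benign and flooding traffic can be compared."""
    buckets = {}                               # src -> (tokens, last_seen_time)
    passed, dropped = defaultdict(int), defaultdict(int)
    for t, src, dst, icmp_type in packets:
        if icmp_type != ECHO_REQUEST:
            continue
        tokens, last = buckets.get(src, (float(burst), t))
        tokens = min(float(burst), tokens + (t - last) * rate_per_s)   # refill
        if tokens >= 1.0:
            tokens -= 1.0
            passed[src] += 1
        else:
            dropped[src] += 1
        buckets[src] = (tokens, t)
    return dict(passed), dict(dropped)


if __name__ == "__main__":
    capture = make_sample_capture()
    for (src, dst), (when, count) in detect_ping_flood(capture).items():
        print(f"ALERT t={when:.2f}s {src} -> {dst}: {count} Echo Requests in 1 s")
    passed, dropped = rate_limit_echo(capture)
    for src in sorted(set(passed) | set(dropped)):
        print(f"{src}: passed={passed.get(src, 0)} dropped={dropped.get(src, 0)}")
```

The detector keys on (source, destination) so a single HMI polling many devices is not confused with one host hammering a single motor; the limiter shows that a modest per-source budget leaves the HMI's one-per-second pings untouched while discarding almost all of the flood, which is the property a firewall rule in the testbed should be checked against.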
Modbus Family of Protocols
- Modbus: simple master and slave relationship; the master sends a packet containing a function code and data to the slave, and the slave responds with a packet containing the same function code and different data
- Variations of Modbus: serial Modbus (Modbus/RTU and Modbus/ASCII) and Modbus/TCP

Modbus/RTU Packet Structure [4]
| Start | Slave ID (1 byte) | Function Code (1 byte) | Data (varies) | CRC Checksum (2 bytes) | End |

Modbus/TCP Packet Structure [5]
| IP | TCP | Transaction ID (2 bytes) | Protocol ID (2 bytes) | Length (2 bytes) | Slave ID (1 byte) | Function Code (1 byte) | Data (varies) |

Ping
- Before ping flooding the motor: all packets received by the motor with an average round trip time of 1 ms.
- After ping flooding the motor: "Request timed out." All packets lost.
- Before ping flooding the sensor: all packets received by the sensor with an average round trip time of 2 ms.
- After ping flooding the sensor: "Request timed out." All packets lost.
(Figure labels: Sensor, Motor)

Texas Tech University 2013 National Science Foundation Research Experiences for Undergraduates Site Project
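The two packet layouts above are exactly what the testbed's Modbus/TCP to Modbus/RTU gateway has to translate between. As an added example (not the poster's or the project's code), the following Python builds and checks both frame types and performs the translation in each direction: going from TCP to serial it strips the MBAP header (Transaction ID, Protocol ID, Length) and appends the CRC; going from serial to TCP it verifies the CRC and prepends a header. The CRC routine is the standard Modbus CRC-16 (initial value 0xFFFF, reflected polynomial 0xA001, low byte sent first). The field the poster calls "Slave ID" in the TCP frame is the Unit Identifier in the Modbus/TCP specification; the name is kept as on the poster. The request used in the usage block (read 10 holding registers from slave 1) is a constructed sample.

```python
import struct

# Added example (not the poster's code): build, verify and translate
# Modbus/RTU and Modbus/TCP frames following the layouts on the poster.

MODBUS_TCP_PROTOCOL_ID = 0  # Protocol ID is always 0 for Modbus/TCP


def modbus_crc16(data: bytes) -> int:
    """CRC-16 as used by Modbus/RTU (init 0xFFFF, reflected poly 0xA001)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu_frame(slave_id: int, function_code: int, data: bytes) -> bytes:
    """Slave ID | Function Code | Data | CRC (transmitted low byte first)."""
    body = bytes([slave_id, function_code]) + data
    return body + struct.pack("<H", modbus_crc16(body))


def parse_rtu_frame(frame: bytes) -> dict:
    """Verify the CRC, then split an RTU frame into its fields."""
    if len(frame) < 4:
        raise ValueError("RTU frame too short")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc != modbus_crc16(body):
        raise ValueError("CRC mismatch: frame corrupted or tampered")
    return {"slave_id": body[0], "function_code": body[1], "data": body[2:]}


def build_tcp_frame(transaction_id: int, slave_id: int,
                    function_code: int, data: bytes) -> bytes:
    """MBAP header (Transaction ID | Protocol ID | Length) followed by
    Slave ID | Function Code | Data. Length counts every byte after itself."""
    pdu = bytes([slave_id, function_code]) + data
    header = struct.pack(">HHH", transaction_id, MODBUS_TCP_PROTOCOL_ID, len(pdu))
    return header + pdu


def parse_tcp_frame(frame: bytes) -> dict:
    """Check the MBAP header fields, then split a Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("Modbus/TCP frame too short")
    transaction_id, protocol_id, length = struct.unpack(">HHH", frame[:6])
    if protocol_id != MODBUS_TCP_PROTOCOL_ID:
        raise ValueError("not a Modbus/TCP frame")
    if len(frame) != 6 + length:
        raise ValueError("Length field does not match the frame size")
    return {"transaction_id": transaction_id, "slave_id": frame[6],
            "function_code": frame[7], "data": frame[8:]}


def tcp_to_rtu(tcp_frame: bytes) -> bytes:
    """Gateway direction LAN -> serial: drop the MBAP header, append the CRC."""
    f = parse_tcp_frame(tcp_frame)
    return build_rtu_frame(f["slave_id"], f["function_code"], f["data"])


def rtu_to_tcp(rtu_frame: bytes, transaction_id: int) -> bytes:
    """Gateway direction serial -> LAN: verify the CRC, prepend an MBAP header."""
    f = parse_rtu_frame(rtu_frame)
    return build_tcp_frame(transaction_id, f["slave_id"],
                           f["function_code"], f["data"])


if __name__ == "__main__":
    # Constructed request: read 10 holding registers starting at address 0 from slave 1
    request = build_tcp_frame(0x0001, 1, 0x03, bytes.fromhex("0000000a"))
    print("Modbus/TCP:", request.hex())
    print("Modbus/RTU:", tcp_to_rtu(request).hex())
```

Neither frame format carries authentication, which is the "insecure protocols" vulnerability the introduction cites: a gateway that accepts any well-formed frame will forward any well-formed frame, so the CRC and Length checks above catch corruption, not an attacker, and access to the LAN side must be controlled separately.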