Vulnerability Assessment in Smart Grids
Jinyuan Stella Sun, UTK, Fall 2015


Contents (slide 2)
- Background
- Roadmap
- Vulnerability Assessment of Phasor Networks
- Defense and countermeasures

Background (slide 3)
- The advent of Smart Grid
  - A class of technologies used to modernize electricity delivery systems, using computer-based remote control and automation
  - Two-way communication and computer processing that has been used for decades in other industries

Background (slide 4)
- The advent of Smart Grid
  - Benefits from incorporating richer data
  - Better interoperability
  - Big improvements in efficiency
    - Electricity delivery system
    - Energy users
  - A more resilient power grid

Background (slide 5)
- Data security is critical
  - Security: control, operation, and applications in the smart grid rely on accurate and timely data

Background (slide 6)
- Data security under threat
  - External: hackers, state-sponsored cyberwarfare targeting critical infrastructure
  - Internal: disgruntled employees, industrial espionage

Background (slide 7)
News on attacks on a decoy SCADA system (Bloomberg News, 9/30/2014)

Background (slide 8)

Background (slide 9)
- Challenges
  - New technologies
  - Larger volume, wider variety
  - More entities involved
    - Multiple data creators (ownership)
    - Multiple data consumers
  - Private data crosses multiple trust boundaries

Background (slide 10)
- Data-centric perspective

Roadmap (slide 11)
- Research topics
Vulnerability Assessment of Phasor Network

Phasor Network Applications (slide 12)
- Introduction
  - A phasor network enables many useful phasor data applications
  - Phasor data applications rely on accurate and timely phasor data collected and transferred by the phasor network
  - Vulnerabilities may exist in the standards, protocols, implementations, and configurations of phasor network technologies

What is Vulnerability Assessment? (slide 13)
- Vulnerability assessment
  - The process of identifying, quantifying, and prioritizing the vulnerabilities of a system, network, or application

Vulnerability Assessment in Literature (slide 14)
- State of the art
  - Zhu, Bonnie, Anthony Joseph, and Shankar Sastry. "A taxonomy of cyber attacks on SCADA systems." Internet of Things (iThings/CPSCom), 2011 International Conference on and 4th International Conference on Cyber, Physical and Social Computing. IEEE.
  - Stewart, John, et al. "Synchrophasor Security Practices." (2010).
  - Sridhar, Siddharth, Adam Hahn, and Manimaran Govindarasu. "Cyber-physical system security for the electric power grid." Proceedings of the IEEE (2012).

A Typical Phasor Network (slide 15)
- Preliminary
  - Phasor network

IEEE C Standard (slide 16)
- Preliminary
  - IEEE C standard
    - Synchronization to UTC time
    - Time accuracy
    - Definitions of synchrophasors
    - Criteria for evaluating the quality of synchrophasor measurements
    - Messaging system
      - Four types of frames
      - A data transfer protocol

C Data Format (slide 17)
- Preliminary
  - IEEE C standard
    - Frames
      - Header frame
      - Configuration frame
      - Command frame
      - Data frame

C Protocol (slide 18)
- Preliminary
  - IEEE C standard
    - Protocol

Prototype Phasor Network (slide 19)
- Preliminary
  - Small prototype of phasor network
Diagram label: openPDC

Penetration Testing Procedure (slide 20)
- What is penetration testing?
  - Using the discovered vulnerabilities to exploit a system, network, or application
- We followed the procedure of penetration testing
  - Formally, it is defined in PTES (Penetration Testing Execution Standard)
    - Pre-engagement interactions
    - Intelligence gathering
    - Threat modeling
    - Vulnerability analysis
    - Exploitation
    - Post-exploitation
    - Reporting

Key Steps (slide 21)
- We focus on the key steps
  - Reconnaissance
  - Exploitation
  - Exploit development
- Exploit: an exploit is the means by which an attacker, or pentester, takes advantage of a flaw within a system, an application, or a service. An attacker uses an exploit to attack a system in a way that results in a particular desired outcome that the developer never intended.

Reconnaissance (slide 22)
- Reconnaissance
  - Collect information about the system under test
  - Host discovery, operating system fingerprinting, packet sniffing
  - Social engineering

Exploitation (slide 23)
- Vulnerability exploitation
  - Validate the possible vulnerabilities
    - Automated
    - Manual

Exploit Development (slide 24)
- Exploit development
  - Develop practical attacks that exploit the vulnerabilities
  - Serve as proof to convince the asset owner that their system is vulnerable
  - Provide mitigation recommendations

Pentesting Techniques/Attacks Used (slide 25)
- Packet sniffing
  - Shared-media network: listen to network traffic using a NIC in promiscuous mode
  - Switched network: MAC flooding or ARP poisoning to force the network traffic to be forwarded to the sniffer
  - Wireshark
- Packet injection
  - Send packets to the target network service
  - Packets appear legitimate but interfere with the normal execution of the network services or applications
  - Scapy
- Fuzz testing (fuzzing)
  - Enumerate all possible inputs (emulate inputs that cross trust boundaries)
  - Test the devices with frames carrying the enumerated inputs
  - Identify inputs that cause the network service to behave abnormally or even crash
  - Scapy

Common Pentesting Tools (slide 26)
- Metasploit
  - Consists of modules: auxiliaries, exploits, payloads
- Kali Linux
  - Contains more than 300 pentesting tools for various use cases (password cracking, wireless attack, …)
- Nmap
  - Network mapper
  - Contains a set of tools: Nmap, Nping, Zenmap

Reconnaissance Result (1) (slide 27)
- Reconnaissance result: host discovery

Reconnaissance Result (2) (slide 28)
- Reconnaissance result: packet sniffing

Reconnaissance Result Summary (slide 29)
- Summary of reconnaissance results
  - Packets are not encrypted or integrity protected
    - PMU/PDC ID
    - Configuration information of the data frame
    - Possible attacks: eavesdropping, packet modification
  - Lack of user or message authentication mechanisms
    - Possible attacks: packet injection, impersonation
  - Stateful protocol
    - Possible attacks: denial of service (DoS)
  - PDC stores and processes external inputs using SQL
    - Possible attacks: SQL injection

Exploitation (slide 30)
- Vulnerability exploitation
  - Criteria for choosing vulnerabilities
    - Easy to exploit
    - High impact on data security

Exploitation Details (slide 31)
- Vulnerability exploitation

Exploitation Result (1) (slide 32)
- Vulnerability exploitation: lack of encryption
  - Eavesdropping
Captured C command frame: start data transmission

Exploitation Result (2) (slide 33)
- Vulnerability exploitation: lack of encryption
  - Eavesdropping
Captured C command frame: stop data transmission

Exploitation Result (3) (slide 34)
- Vulnerability exploitation: lack of encryption
  - Eavesdropping
Captured C command frame: stop data transmission

Exploitation Result (4) (slide 35)
- Vulnerability exploitation: lack of encryption
  - Eavesdropping
Captured C data frame

Exploitation Result (5) (slide 36)
- Vulnerability exploitation
  - Lack of user and message authentication
    - Frame spoofing
  - Procedure
    - Capture an authentic frame
    - Duplicate the captured frame, but change the bytes that indicate the actual commands, measurements, or configurations to the spoofed values
    - Change the time stamp of the frame
    - Recalculate the checksum
    - Inject the forged frames
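The spoofing procedure above works because the frame's only integrity field is a checksum that any sender can recompute, which is also why slides 16 to 18 matter for the defender: the header, size and CHK fields are syntactic checks, not proof of origin. The following example is added here and is not code from the slides or from openPDC. It builds a command frame in a layout modelled on my reading of the IEEE C37.118.2 header (an assumption: the slides only say "IEEE C standard"; the field order SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC, body, CHK and the command codes 1/2 for data off/on are my assumptions, as is the CRC-16/CCITT-FALSE parameters), runs the modify-and-rechecksum steps against it, and shows that a CHK-only receiver accepts the result while a receiver that also requires an HMAC under a shared key (an added layer, not part of the standard) rejects it.

```python
import hashlib
import hmac
import struct

# Constructed header layout, modelled on my reading of the IEEE C37.118.2
# synchrophasor frame (assumption: the slides' "IEEE C standard"). Fields:
# SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC, then the body, then CHK (CRC-CCITT).
HEADER = ">HHHII"
HEADER_LEN = struct.calcsize(HEADER)   # 14 bytes
SYNC_COMMAND = 0xAA41                  # assumed: 0xAA lead byte, command frame type
CMD_DATA_OFF = 1                       # assumed command codes for data transmission off/on
CMD_DATA_ON = 2
TAG_LEN = 32                           # HMAC-SHA256 tag appended by tag_frame()


def crc_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), assumed to be the CHK algorithm."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


def build_command_frame(idcode: int, soc: int, fracsec: int, cmd: int) -> bytes:
    """Assemble a command frame with a correct FRAMESIZE and CHK."""
    body = struct.pack(">H", cmd)
    size = HEADER_LEN + len(body) + 2
    frame = struct.pack(HEADER, SYNC_COMMAND, size, idcode, soc, fracsec) + body
    return frame + struct.pack(">H", crc_ccitt(frame))


def parse_frame(frame: bytes) -> dict:
    """Receiver-side syntactic checks: SYNC lead byte, FRAMESIZE and CHK must all hold."""
    if len(frame) < HEADER_LEN + 2:
        raise ValueError("frame shorter than header plus CHK")
    sync, size, idcode, soc, fracsec = struct.unpack(HEADER, frame[:HEADER_LEN])
    if sync >> 8 != 0xAA:
        raise ValueError("bad SYNC lead byte")
    if size != len(frame):
        raise ValueError("FRAMESIZE does not match the received length")
    (chk,) = struct.unpack(">H", frame[-2:])
    if chk != crc_ccitt(frame[:-2]):
        raise ValueError("CHK mismatch")
    return {"sync": sync, "idcode": idcode, "soc": soc, "fracsec": fracsec,
            "body": frame[HEADER_LEN:-2]}


def modify_and_rechecksum(frame: bytes, new_cmd: int, new_soc: int) -> bytes:
    """Steps 2-4 of the slides' procedure: change the command bytes and the time
    stamp, then recompute CHK. The point: anyone can do this, so CHK proves nothing."""
    buf = bytearray(frame[:-2])
    struct.pack_into(">I", buf, 6, new_soc)            # SOC follows SYNC, FRAMESIZE, IDCODE
    struct.pack_into(">H", buf, HEADER_LEN, new_cmd)   # first body field of a command frame
    return bytes(buf) + struct.pack(">H", crc_ccitt(bytes(buf)))


def tag_frame(frame: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag under a key shared by PMU and PDC (added layer)."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()


def verify_tagged(tagged: bytes, key: bytes) -> bytes:
    """Return the bare frame only if the tag verifies; constant-time comparison."""
    frame, tag = tagged[:-TAG_LEN], tagged[-TAG_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: frame altered or not produced by a key holder")
    return frame


def compare_checks() -> dict:
    """Run a CHK-only receiver and an HMAC receiver against the same modified frame."""
    key = b"constructed-demo-key"   # constructed; real deployments provision per-device keys
    original = build_command_frame(idcode=7, soc=1_443_600_000, fracsec=0, cmd=CMD_DATA_OFF)
    forged = modify_and_rechecksum(original, CMD_DATA_ON, 1_443_600_001)

    crc_accepts = parse_frame(forged)["body"] == struct.pack(">H", CMD_DATA_ON)

    # Without the key, the best a forger can do is reuse the original frame's tag.
    spliced = forged + tag_frame(original, key)[-TAG_LEN:]
    try:
        verify_tagged(spliced, key)
        hmac_accepts = True
    except ValueError:
        hmac_accepts = False
    return {"crc_accepts_forgery": crc_accepts, "hmac_accepts_forgery": hmac_accepts}


if __name__ == "__main__":
    print(compare_checks())
```

Running it prints `{'crc_accepts_forgery': True, 'hmac_accepts_forgery': False}`. The HMAC is shown as the minimal keyed check; in practice the recommendations on the Defense and Countermeasures slide (TLS or IPsec) give the same property at the transport layer without changing the frame format.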

Exploitation Result (6) (slide 37)
- Vulnerability exploitation
  - Lack of user and message authentication
  - Command frame spoofing

Exploitation Result (7) (slide 38)
- Vulnerability exploitation
  - Lack of user and message authentication
  - Command frame spoofing

Exploitation Result (8) (slide 39)
- Vulnerability exploitation
  - Lack of user and message authentication
  - Configuration frame spoofing

Exploitation Result (9) (slide 40)
- Vulnerability exploitation
  - Lack of user and message authentication
  - Data frame spoofing

Exploitation Result (10) (slide 41)
- Vulnerability exploitation
  - Mishandling of unexpected frames
  - To improve the efficiency of fuzzing…
Diagram labels: SYNCHRONIZE word: fixed; Checksum: recalculate

Exploitation Result (11) (slide 42)
- Vulnerability exploitation
  - Fuzz testing
    - Command frame fuzzing: the PMU simulator became unresponsive after receiving fuzzed command frames indicating the command "Send CONFIG-2" and duplicate "Turn data transmission on" command frames
Diagram labels: On, Idle, Command: off, Command: on, Send CONFIG, ?, ?, Command: on

Exploitation Result (12) (slide 43)
- Vulnerability exploitation
  - Fuzz testing
    - Command frame fuzzing: the PMU simulator became unresponsive after receiving fuzzed frames indicating the command "Send CONFIG-2" and duplicate "Turn data transmission on" command frames
    - Configuration frame fuzzing: passed
    - Data frame fuzzing: passed
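The hang on slides 41 to 43 is a state-machine bug: a "Send CONFIG-2" while idle and a second "Turn data transmission on" while already on reached a state the implementation had no answer for. The defensive fix is to give every (state, command) pair a defined outcome and to check that exhaustively, which is the same enumeration the fuzzer performs. The example below is added here and is not the PMU simulator's code; the two states, the five command names and their numeric codes are my assumptions.

```python
from enum import Enum
from itertools import product


class State(Enum):
    IDLE = "idle"            # PMU registered, not streaming data frames
    STREAMING = "streaming"  # data frames being sent


class Cmd(Enum):
    # Assumed command codes; the slides name the operations, not the values.
    DATA_OFF = 1
    DATA_ON = 2
    SEND_HDR = 3
    SEND_CFG1 = 4
    SEND_CFG2 = 5


class PmuCommandHandler:
    """Command handling with a defined outcome for every (state, command) pair.

    Duplicate or out-of-sequence commands are answered and logged, never left to
    put the device into an undefined state (the slides' 'unresponsive' outcome)."""

    def __init__(self) -> None:
        self.state = State.IDLE
        self.audit = []   # (state before, command, outcome) for the operator's log

    def handle(self, raw_cmd: int) -> str:
        before = self.state
        try:
            cmd = Cmd(raw_cmd)
        except ValueError:
            return self._record(before, raw_cmd, "rejected: unknown command code")

        if cmd is Cmd.DATA_ON:
            if self.state is State.STREAMING:
                outcome = "ignored: duplicate DATA_ON while already streaming"
            else:
                self.state = State.STREAMING
                outcome = "accepted: streaming started"
        elif cmd is Cmd.DATA_OFF:
            if self.state is State.IDLE:
                outcome = "ignored: DATA_OFF while already idle"
            else:
                self.state = State.IDLE
                outcome = "accepted: streaming stopped"
        else:
            # Header/configuration requests are answered in either state and do not
            # change it, so SEND_CFG2 while idle is an ordinary request.
            outcome = f"accepted: {cmd.name} reply queued, state unchanged"
        return self._record(before, cmd.name, outcome)

    def _record(self, before: State, cmd, outcome: str) -> str:
        self.audit.append((before.value, cmd, outcome))
        return outcome


def replay(sequence) -> list:
    """Feed a command sequence to a fresh handler and return the outcomes."""
    handler = PmuCommandHandler()
    return [handler.handle(c) for c in sequence]


def every_pair_defined() -> bool:
    """Exhaustive check over the state x command space: no pair may raise, and the
    handler must still answer a request afterwards."""
    for state, cmd in product(State, Cmd):
        handler = PmuCommandHandler()
        handler.state = state
        try:
            handler.handle(cmd.value)
            handler.handle(Cmd.SEND_HDR.value)   # still responsive afterwards?
        except Exception:
            return False
    return True


if __name__ == "__main__":
    # The sequence the slides say hung the simulator: on, send CONFIG-2, on again,
    # followed by an unknown code (99) that a fuzzer would also produce.
    for line in replay([Cmd.DATA_ON.value, Cmd.SEND_CFG2.value, Cmd.DATA_ON.value, 99]):
        print(line)
    print("all pairs defined:", every_pair_defined())
```

The audit list is what an intrusion detection system would consume: a burst of "ignored" or "rejected" outcomes from one source is exactly the fuzzing or injection activity the reconnaissance summary warns about.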

Exploitation Result (13) (slide 44)
- Vulnerability exploitation
  - Lack of input validation (SQL injection)
    - SQL was used to manage the configurations of different registered PMU devices:
      SELECT * FROM MAIN_CONFIG_TABLE WHERE DEVICE ID = PMU_ID_Number
    - PMU_ID_Number is provided by external input, extracted from the received configuration frame
    - If PMU_ID_Number is specified as "2; DROP TABLE MAIN_CONFIG_TABLE", the SQL query becomes:
      SELECT * FROM MAIN_CONFIG_TABLE WHERE DEVICE ID = 2; DROP TABLE MAIN_CONFIG_TABLE

Exploitation Result (14) (slide 45)
- Vulnerability exploitation
  - Lack of input validation (SQL injection)
    - Passed the SQL injection test
      - Sanitize the input
      - Use parameterized queries with strongly typed parameters
      SELECT * FROM MAIN_CONFIG_TABLE WHERE DEVICE ID = PMU_ID_Number
      Input validation: PMU_ID_Number ensured to be a 16-bit positive integer
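Slides 44 and 45 give the vulnerable query, the payload and the fix in prose; the example below, added here and not the PDC's own code, puts the two versions side by side on an in-memory SQLite table so the difference is observable. Assumptions: the column is spelled DEVICE_ID, the table contents are constructed, and the "before" version routes through a small helper that executes ';'-separated statements in one call, because Python's sqlite3 refuses stacked statements on execute() while many database drivers run them.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the PDC's configuration store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE MAIN_CONFIG_TABLE (DEVICE_ID INTEGER PRIMARY KEY, STATION TEXT)")
    con.executemany("INSERT INTO MAIN_CONFIG_TABLE VALUES (?, ?)",
                    [(1, "Station A"), (2, "Station B")])
    con.commit()
    return con


def run_stacked(con: sqlite3.Connection, sql: str) -> list:
    """Mimics a driver that runs ';'-separated statements in one call."""
    rows = []
    for stmt in (s.strip() for s in sql.split(";")):
        if stmt:
            rows = con.execute(stmt).fetchall()
    return rows


def lookup_vulnerable(con: sqlite3.Connection, pmu_id_number: str) -> list:
    """Before: the value taken from the configuration frame is pasted into the query text."""
    query = f"SELECT * FROM MAIN_CONFIG_TABLE WHERE DEVICE_ID = {pmu_id_number}"
    return run_stacked(con, query)


def validate_pmu_id(value) -> int:
    """Strongly typed parameter: a positive integer that fits in 16 bits, nothing else."""
    if isinstance(value, bool):
        raise ValueError("PMU_ID_Number must be an integer, not a boolean")
    if isinstance(value, str):
        if not (value.isascii() and value.isdigit()):
            raise ValueError("PMU_ID_Number must be decimal digits only")
        value = int(value)
    if not isinstance(value, int):
        raise ValueError("PMU_ID_Number must be an integer")
    if not 1 <= value <= 0xFFFF:
        raise ValueError("PMU_ID_Number must be a 16-bit positive integer")
    return value


def lookup_hardened(con: sqlite3.Connection, pmu_id_number) -> list:
    """After: validated, typed value bound as a parameter, never part of the SQL text."""
    device_id = validate_pmu_id(pmu_id_number)
    return con.execute("SELECT * FROM MAIN_CONFIG_TABLE WHERE DEVICE_ID = ?",
                       (device_id,)).fetchall()


def table_exists(con: sqlite3.Connection) -> bool:
    row = con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'MAIN_CONFIG_TABLE'"
    ).fetchone()
    return row is not None


def compare() -> dict:
    """Send the slides' payload to both versions and report what happened to the table."""
    payload = "2; DROP TABLE MAIN_CONFIG_TABLE"

    con = make_db()
    lookup_vulnerable(con, payload)
    vulnerable_dropped = not table_exists(con)

    con = make_db()
    try:
        lookup_hardened(con, payload)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {"vulnerable_table_dropped": vulnerable_dropped,
            "hardened_rejected_payload": hardened_rejected,
            "hardened_table_intact": table_exists(con),
            "hardened_normal_lookup": lookup_hardened(con, "2")}


if __name__ == "__main__":
    print(compare())
```

The validation and the parameter binding are both needed: binding alone stops the query text from being altered, while the 16-bit range check rejects values the frame format could never have produced, which is the "strongly typed" half of the slide's recommendation.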

Exploit Development (slide 46)
- Exploit development: data stream hijacking
  - Exploits two vulnerabilities: command frame spoofing and data frame spoofing
  - A practical attack that hijacks the data transmission stream
  - Can be performed with a Scapy script
  - Attackers take over the ongoing phasor data transmission and send falsified measurement data to the upstream PDC to mislead the users of the data
  - Demonstrated with the WECC 179-bus system model

Exploit Development Scenario (slide 47)
- Exploit development: data stream hijacking
  - Scenario
Figure: Clustering Analysis of WECC 179 system [SUN2012]; WAN

Exploit Development Setup
- Exploit development: data stream hijacking
  - Testbed set up for demonstration

Exploit Development Steps
- Exploit development: data stream hijacking
  - Attack timeline

Exploit Development Steps (2)
- Exploit development: data stream hijacking
  - Wireshark capture during the attack

Exploit Development Result
- Exploit development: data stream hijacking
  - Impact on situational awareness
Figure label: Manipulated

Defense and Countermeasures
- Security recommendations and best practices
  - Use encryption (SSL/TLS, IPsec)
  - Enable mutual authentication (X.509 certificates)
  - Use message authentication codes (SSL/TLS, IPsec)
  - Prefer devices that support end-to-end encryption
  - Thorough fuzz testing of all network interfaces
  - Follow the guidelines for avoiding SQL injection attacks
  - Deploy an intrusion detection system
  - Use redundant devices and communication infrastructure
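The "deploy an intrusion detection system" recommendation is easiest to make concrete against the data stream hijacking just shown: the hijack needs a command frame from a host that is not the PDC, followed by data frames for a registered IDCODE from a host that is not that PMU, often with time stamps that do not line up with the genuine stream. The example below is added here and is not part of the slides or of any IDS product. It assumes a constructed per-frame record format (source address, frame type, IDCODE, SOC, FRACSEC, optional command name), a constructed inventory of which address each IDCODE streams from, and a constructed log of six records in which the last three come from a second host.

```python
import re

# Constructed record format: one line per frame the PDC receives, as a flow monitor
# or a capture export could produce. Assumed fields, not a real tool's format.
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) type=(?P<type>\w+) idcode=(?P<idcode>\d+) "
    r"soc=(?P<soc>\d+) fracsec=(?P<fracsec>\d+)(?: cmd=(?P<cmd>\w+))?"
)

# Constructed inventory: which address each registered IDCODE streams from, and which
# addresses are allowed to issue command frames (only the PDC should).
PMU_REGISTRY = {7: "10.0.0.20"}
PDC_ADDRESSES = {"10.0.0.1"}

# Constructed sample log. Lines 4-6 show a second host speaking for PMU 7.
SAMPLE_LOG = [
    "src=10.0.0.1 type=command idcode=7 soc=1443700800 fracsec=0 cmd=DATA_ON",
    "src=10.0.0.20 type=data idcode=7 soc=1443700800 fracsec=0",
    "src=10.0.0.20 type=data idcode=7 soc=1443700800 fracsec=33333",
    "src=10.0.0.99 type=command idcode=7 soc=1443700800 fracsec=50000 cmd=DATA_OFF",
    "src=10.0.0.99 type=data idcode=7 soc=1443700800 fracsec=66666",
    "src=10.0.0.99 type=data idcode=7 soc=1443700800 fracsec=33333",
]


def detect(lines, registry=PMU_REGISTRY, pdc_addresses=PDC_ADDRESSES) -> list:
    """Return (line number, reason) alerts. Three rules, each tied to a weakness the
    reconnaissance summary lists: command source, data source, monotonic time stamps."""
    alerts = []
    last_stamp = {}   # idcode -> (soc, fracsec) of the latest accepted data frame
    for number, line in enumerate(lines, 1):
        match = LINE_RE.search(line)
        if not match:
            alerts.append((number, "unparseable record"))
            continue
        src, ftype, idcode = match["src"], match["type"], int(match["idcode"])
        stamp = (int(match["soc"]), int(match["fracsec"]))

        if ftype == "command" and src not in pdc_addresses:
            alerts.append((number, f"command {match['cmd']} for IDCODE {idcode} "
                                   f"from non-PDC host {src}"))

        if ftype == "data":
            if registry.get(idcode) != src:
                alerts.append((number, f"data frame for IDCODE {idcode} "
                                       f"from unexpected host {src}"))
            previous = last_stamp.get(idcode)
            if previous is not None and stamp <= previous:
                alerts.append((number, f"time stamp for IDCODE {idcode} did not advance"))
            else:
                last_stamp[idcode] = stamp
    return alerts


if __name__ == "__main__":
    for number, reason in detect(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

On the sample log the detector raises four alerts: the foreign command frame on line 4, the foreign data frames on lines 5 and 6, and a repeated time stamp on line 6. The source-address rules are the cheap first layer; because addresses can be spoofed too, they complement rather than replace the encryption and authentication items above.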

Let's Try Password Cracking with Kali
- Password cracking: some crackers claim a 30% success rate
- Try with Kali
  - John the Ripper
  - Hashcat
  - and many more…

Questions (slide 54)