
1 A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta.




1 A K/N Attack-Resilient ICT Shield for SCADA Systems, with State Based Attack Detection
I. Nai Fovino, A. Carcano, M. Guglielmi, M. Masera, A. Trombetta
Joint Research Centre (JRC), the European Commission's Research-Based Policy Support Organisation; Insubria University

2 Consequences of pervasive ICT in Critical Infrastructures
Today most critical infrastructures depend heavily on the underlying communication networks: Supervisory Control and Data Acquisition (SCADA) systems are reachable from public networks.
New vulnerabilities, new risks, new attack scenarios.

3 An Example: The ModBUS frame
ModBUS serial frame (RS232, RS422/485): slave address (1 byte) + PDU (up to 253 bytes) + CRC (2 bytes) = 256 bytes max ADU.
ModBUS TCP/IP frame: MBAP header (7 bytes) + PDU (up to 253 bytes) = 260 bytes max ADU.
MBAP header fields: Transaction Identifier, Protocol Identifier, Length, Unit Identifier.
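The two framings on this slide, built and parsed in code. This is an added example, not code from the presentation or from the JRC prototype; the function names are my own. It enforces the limits the slide gives (253-byte PDU, 256-byte serial ADU, 260-byte TCP ADU), refuses an MBAP header whose Length field disagrees with the bytes actually received, and checks the serial CRC, which is the consistency checking a filtering unit has to do before it trusts any field of a frame:

```python
import struct

MAX_PDU = 253                     # Modbus PDU limit: function code + data
MAX_SERIAL_ADU = MAX_PDU + 1 + 2  # + slave address + CRC16 = 256 bytes
MAX_TCP_ADU = MAX_PDU + 7         # + 7-byte MBAP header = 260 bytes
MBAP = struct.Struct(">HHHB")     # transaction id, protocol id, length, unit id


class FrameError(ValueError):
    """Raised for any frame that violates the Modbus framing rules."""


def build_tcp_adu(transaction_id, unit_id, pdu):
    """Prefix a PDU with an MBAP header. The Length field counts unit id + PDU."""
    if not 1 <= len(pdu) <= MAX_PDU:
        raise FrameError("PDU must be 1..253 bytes")
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_tcp_adu(adu):
    """Validate and split a Modbus TCP ADU instead of trusting its header blindly."""
    if len(adu) < MBAP.size + 1:
        raise FrameError("frame shorter than MBAP header + function code")
    if len(adu) > MAX_TCP_ADU:
        raise FrameError("ADU exceeds 260 bytes")
    transaction_id, protocol_id, length, unit_id = MBAP.unpack_from(adu)
    if protocol_id != 0:
        raise FrameError("protocol identifier must be 0 (Modbus)")
    if length != len(adu) - 6:  # Length covers everything after the Length field itself
        raise FrameError("MBAP length does not match the bytes received")
    pdu = adu[MBAP.size:]
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function": pdu[0], "data": pdu[1:]}


def crc16_modbus(data):
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_rtu_adu(slave_addr, pdu):
    """Serial (RTU) ADU: slave address + PDU + CRC16, CRC low byte first on the wire."""
    if not 1 <= len(pdu) <= MAX_PDU:
        raise FrameError("PDU must be 1..253 bytes")
    body = bytes([slave_addr]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu_adu(adu):
    """Check length and CRC of a serial ADU; return (slave address, PDU)."""
    if not 4 <= len(adu) <= MAX_SERIAL_ADU:
        raise FrameError("serial ADU must be 4..256 bytes")
    body, (crc,) = adu[:-2], struct.unpack("<H", adu[-2:])
    if crc != crc16_modbus(body):
        raise FrameError("CRC mismatch")
    return body[0], body[1:]
```

The CRC protects only against line noise; on TCP there is not even that, so a filter sitting between master and slave has nothing in the frame itself to tell a genuine request from a forged one. That gap is what the signed variant on the next slides addresses.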

4 SCADA Protocols Vulnerabilities
- Unauthorized command execution
- Man-in-the-Middle
- Replay attacks
- Repudiation
Missing properties: authentication, integrity, freshness.

5 Secure Modbus Prototype
ModBUS TCP/IP frame: MBAP | Function | Data
E-Modbus: the frame extended with a time-stamp (TS).
S-Modbus packet: E-Modbus + SHA2 digest (256 bit) of the E-Modbus frame + RSA signature on the SHA2 digest with the master's key (pKM).

6 Considerations
A secure protocol does not protect from the corruption of the traffic originator, i.e. the Master...

7 K-Survivable SCADA Architecture
Legend: PKm = private key of the Master; SKm = public key of the Master; PKf = private key of the Filtering Unit (FU); SKf = public key of the FU; TS = time stamp.
Message flow (Master -> FU -> Slave, behind the SCADA firewall): the Master sends {TS|ModBUS}PKm, i.e. the time-stamped ModBUS TCP/IP frame (MBAP | Function | Data | TS) signed with PKm; the FU forwards {{TS|ModBUS}PKm}PKf, the Master-signed frame counter-signed with PKf; the Slave removes both signatures with the public keys (drawn on the slide as {{{TS|ModBUS}PKm}PKt}SKt and {{TS|ModBUS}PKm}SKm) and recovers {TS|ModBUS}. An attacker is drawn between each pair of parties.
Attacks: unauthorized command execution; replay attack; Master infection; Master + FU infection.
Solutions: signatures (Secure ModBUS); a Filtering Unit; multiple FUs on different architectures and operating systems (Linux, Windows).
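A runnable sketch of the signing scheme of slide 5 together with the counter-signing Filtering Unit of slide 7, added here as an example; it is not the authors' prototype code. Assumptions: the time stamp is an 8-byte big-endian seconds value appended to the Modbus TCP ADU; the signature is textbook RSA (no padding) over the SHA-256 digest, with keys generated in pure Python so the block runs without extra libraries; the receiver rejects a packet whose time stamp lies outside a freshness window, and any packet it has already accepted (replay). The function names, the window parameter and the sample ADU are mine.

```python
import hashlib
import secrets
import struct

E = 65537  # RSA public exponent


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test; used only to generate demo keys without external libraries."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit set and odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Textbook RSA key pair: returns (public (n, e), private (n, d))."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:  # E is prime, so this guarantees gcd(E, phi) == 1
            return (p * q, E), (p * q, pow(E, -1, phi))


def _sig_len(n):
    return (n.bit_length() + 7) // 8


def sign_blob(blob, private_key):
    """blob || RSA(SHA-256(blob)). Unpadded for brevity; real deployments use PKCS#1 v1.5 or PSS."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(blob).digest(), "big")
    return blob + pow(digest, d, n).to_bytes(_sig_len(n), "big")


def verify_blob(packet, public_key):
    """Return the signed blob if the trailing signature verifies under public_key, else None."""
    n, e = public_key
    k = _sig_len(n)
    if len(packet) <= k:
        return None
    blob, sig = packet[:-k], int.from_bytes(packet[-k:], "big")
    if sig >= n:
        return None
    return blob if pow(sig, e, n) == int.from_bytes(hashlib.sha256(blob).digest(), "big") else None


# Slide 5: the Master appends an 8-byte time stamp to the Modbus TCP ADU and signs the result.
def master_wrap(adu, master_priv, ts):
    return sign_blob(adu + struct.pack(">Q", ts), master_priv)


def master_unwrap(packet, master_pub, now, window, seen):
    """Check signature, freshness (|now - ts| <= window) and replay (set of accepted packet digests)."""
    blob = verify_blob(packet, master_pub)
    if blob is None or len(blob) < 9:
        return None, "bad signature"
    adu, ts = blob[:-8], struct.unpack(">Q", blob[-8:])[0]
    if abs(now - ts) > window:
        return None, "stale timestamp"
    tag = hashlib.sha256(packet).digest()
    if tag in seen:
        return None, "replay"
    seen.add(tag)
    return adu, "ok"


# Slide 7: a Filtering Unit forwards only Master-signed packets and counter-signs them,
# giving {{TS|ModBUS}PKm}PKf; the slave peels the FU signature first, then the Master's.
def fu_forward(packet, master_pub, fu_priv):
    return None if verify_blob(packet, master_pub) is None else sign_blob(packet, fu_priv)


def slave_accept(packet, fu_pub, master_pub, now, window, seen):
    inner = verify_blob(packet, fu_pub)
    if inner is None:
        return None, "bad FU signature"
    return master_unwrap(inner, master_pub, now, window, seen)
```

The slave-side checks are ordered so that a packet with a bad signature is dropped before its time stamp is even parsed, and the replay cache is keyed by the whole signed packet rather than by the time stamp alone, which keeps two distinct commands issued in the same second from shadowing each other. None of this helps once the Master itself is compromised: a signed, fresh, unreplayed packet can still carry a harmful command, which is exactly the gap the Filtering Unit and the state-based analysis on the later slides are meant to close.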

8 ...Problem...
Locally licit commands put the system into a critical state.
Example: three PLCs (PLC1, PLC2, PLC3) behind a Filtering Cloud receive the packets PKT(###), PKT(#@!), PKT(^&%) (rules R1, R2, R3). Each valve command (Close V1, Open V2, Close V3) is licit for its own PLC, but the combination drives the plant into a critical state: Alert!

9 ...but...
ICT world: signature-based IDS. Industrial world: safety analysis.

10 State Based Approach (1): SCADA System Representation

11 State Based Approach (3): Critical State Representation
IF ( PLC[10.0.0.1].HR[1] < 20 AND PLC[10.0.0.2].HR[2] > 70 ) THEN "The system is in a critical state"

12 State Based Filter Architecture

13 Loader: Virtual System Loader

14 Loader: Critical State Rules Loader
IF ( PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20 ) AND ( PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1 ) THEN ALERT
The loader turns the rule into a condition tree: an AND node joining (PLC[10.0.0.1].HR[1] > 70 OR PLC[10.0.0.1].HR[2] < 20) with (PLC[10.0.0.2].CO[0] = 0 OR NOT PLC[10.0.0.2].CO[1] = 1).

15 SVI: Update System Manager (Virtual System 1)

16 SVI: Real System Synchronizer
Queries the field devices and applies the system update to the Virtual System (Virtual System before / Virtual System after).

17 Analyzer: Critical State Analyzer (Virtual System 1)
IF ( PLC[10.0.0.1].CO[1] == 1 ) THEN ALERT
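How the rules loader (slide 14), the Virtual System update from captured read transactions (slides 15 and 16) and the critical-state analyzer (slides 11 and 17) fit together, as an added example written in the slides' own rule syntax; it is not the prototype's code. Assumptions: a rule is one line IF <condition> THEN <action>, with NOT binding tighter than AND, which binds tighter than OR; the Virtual System is keyed by PLC IP address and mirrors holding registers (HR) and coils (CO); it is fed with Read Coils and Read Holding Registers request/response PDUs captured off the wire. The sample PDUs and register values in the accompanying checks are constructed.

```python
import re

# Tokens of the rule language on slides 11, 14 and 17; any other non-blank character is an error.
TOKEN_RE = re.compile(
    r"\s*(?:(\(|\)|PLC\[\s*[\d.]+\s*\]\.(?:HR|CO)\[\s*\d+\s*\]|==|=|<|>|\d+|[A-Za-z_]+)|(\S))")
REF_RE = re.compile(r"PLC\[\s*([\d.]+)\s*\]\.(HR|CO)\[\s*(\d+)\s*\]")


class RuleParser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*;
    factor := NOT factor | '(' expr ')' | PLC[ip].TBL[i] op number."""
    def __init__(self, text):
        self.toks, self.pos = [], 0
        for m in TOKEN_RE.finditer(text):
            if m.group(2):
                raise SyntaxError(f"unexpected character {m.group(2)!r}")
            self.toks.append(m.group(1))
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok
    def rule(self):
        """IF <expr> THEN <action>  ->  (condition tree, action)"""
        self._take("IF")
        cond = self._expr()
        self._take("THEN")
        action = self._take()
        if self._peek() is not None:
            raise SyntaxError("trailing tokens after the action")
        return cond, action
    def _expr(self):
        node = self._term()
        while self._peek() == "OR":
            self._take()
            node = ("OR", node, self._term())
        return node
    def _term(self):
        node = self._factor()
        while self._peek() == "AND":
            self._take()
            node = ("AND", node, self._factor())
        return node
    def _factor(self):
        if self._peek() == "NOT":
            self._take()
            return ("NOT", self._factor())
        if self._peek() == "(":
            self._take()
            node = self._expr()
            self._take(")")
            return node
        ref = REF_RE.fullmatch(self._take())
        op, value = self._take(), self._take()
        if ref is None or op not in ("<", ">", "=", "==") or not value.isdigit():
            raise SyntaxError("expected PLC[ip].HR[i] or PLC[ip].CO[i], an operator and a number")
        return ("CMP", (ref.group(1), ref.group(2), int(ref.group(3))), op, int(value))


class VirtualSystem:
    """Mirror of the field devices: {ip: {"HR": {index: word}, "CO": {index: 0|1}}}."""
    def __init__(self):
        self.plc = {}
    def get(self, ip, table, index):
        return self.plc.get(ip, {}).get(table, {}).get(index, 0)
    def update_from_transaction(self, ip, request_pdu, response_pdu):
        """Apply a captured Read Coils (1) or Read Holding Registers (3) request/response pair."""
        fn, start = request_pdu[0], int.from_bytes(request_pdu[1:3], "big")
        qty = int.from_bytes(request_pdu[3:5], "big")
        if len(response_pdu) < 2 or response_pdu[0] != fn:  # exception (fn | 0x80) or mismatch
            raise ValueError("response does not answer the request (exception or function mismatch)")
        data = response_pdu[2:2 + response_pdu[1]]
        table = self.plc.setdefault(ip, {"HR": {}, "CO": {}})
        if fn == 1 and len(data) >= (qty + 7) // 8:
            for i in range(qty):  # coil i is bit (i % 8) of status byte (i // 8)
                table["CO"][start + i] = (data[i // 8] >> (i % 8)) & 1
        elif fn == 3 and len(data) >= 2 * qty:
            for i in range(qty):  # registers are 16-bit big-endian words
                table["HR"][start + i] = int.from_bytes(data[2 * i:2 * i + 2], "big")
        else:
            raise ValueError(f"unsupported function {fn} or short response")


def evaluate(node, vs):
    """Walk the condition tree against the current Virtual System."""
    kind = node[0]
    if kind == "AND":
        return evaluate(node[1], vs) and evaluate(node[2], vs)
    if kind == "OR":
        return evaluate(node[1], vs) or evaluate(node[2], vs)
    if kind == "NOT":
        return not evaluate(node[1], vs)
    (ip, table, index), op, value = node[1], node[2], node[3]
    current = vs.get(ip, table, index)
    return current < value if op == "<" else current > value if op == ">" else current == value


def analyze(rules, vs):
    """Return the action of every rule whose critical-state condition holds right now."""
    return [action for cond, action in rules if evaluate(cond, vs)]
```

A captured exception response, or a function the mirror does not model, raises instead of silently leaving stale values behind, so the analyzer never judges a rule on a register it did not actually observe. Evaluating the slide-14 rule against a mirror where PLC 10.0.0.1 reports HR[1] = 80 and PLC 10.0.0.2 reports coils CO[0] = 1, CO[1] = 0 yields ALERT; once CO[1] is read back as 1 the same rule is quiet.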

18 The Power system SCADA lab
Contains:
- Idrolab (150+ sensors/actuators)
- Control room
- 3 SCADA systems
Hardware and software:
- 20 high-performance servers
- 150 high-end PCs and notebooks
- 10 layer-3, 24-port gigabit switches
- 4 high-performance wireless switches
- 1 Nokia-Checkpoint solid-state firewall
- 4 full network racks
- 18 km of network cables
- 300 gigabit network cards
- A 100 kW cooling system
- A 100 kW UPS system

19 JRC SCADA LAB: PLC / RTU, actuators, sensors

20 Test: Encryption Layer

21 Test: Packet Loss
Master: sends 100,000 request packets of 260 bytes. Slave: responds with 100,000 responses of 260 bytes.
Requests sent:   100,000
Responses sent:  100,000
Size request:    315 bytes
Size response:   315 bytes
Request rate:    1 request sent each 1 ms
Rate:            615.2 kbytes/s
Packet loss:     0

22 Test: Single Signature Rules Analyzer
Master: sends 1000 requests. Slave: responds with 1000 responses. Filter: captures the messages and checks whether they are licit, according to a rules file containing n rules.
Num rules | Average time (on 1000 pkts)
       10 | 0.0412618 ms
       50 | 0.1495607 ms
      100 | 0.2486327 ms
      500 | 1.1152725 ms
     1000 | 2.1427072 ms
     2000 | 4.1623632 ms

23 Test: Virtual System Update
Master: sends 1000 requests with the command "Read n coils". Slave: responds with 1000 responses containing the n values. Filter: captures each request/response transaction and updates the n values in the Virtual System.
Num coils | Average time (on 1000 pkts)
        1 | 0.0012168 ms
       50 | 0.0030485 ms
      100 | 0.0044824 ms
      500 | 0.0173109 ms
     1000 | 0.0334344 ms
     2000 | 0.0624535 ms

24 Test: Critical State Rules Analyzer (1)
Master: sends 1000 generic requests. Slave: responds with 1000 responses. Filter: captures each request/response transaction, then checks whether the Virtual System is entering a critical state, according to a rules file containing a single rule with n conditions.
Num conditions | Average time (on 1000 pkts)
             2 | 0.0204746 ms
            16 | 0.0301169 ms
            64 | 0.0550301 ms
           128 | 0.1206957 ms
           256 | 0.2127598 ms
           512 | 0.4226185 ms
          1024 | 1.0706136 ms

25 Test: Critical State Rules Analyzer (2)
Master: sends 1000 generic requests. Slave: responds with 1000 responses. Filter: captures each request/response transaction, then checks whether the Virtual System is entering a critical state, according to a rules file containing n rules.
Num rules | Average time (on 1000 pkts)
       10 | 0.1123061 ms
       50 | 0.5153591 ms
      100 | 1.0248889 ms
      500 | 2.6010271 ms
     1000 | 5.0175991 ms
     2000 | 9.9285867 ms

26 Thousands of devices to monitor, hundreds of subsystems, geographically sparse systems, a system of systems: impossible to analyze states on a single level.

27 Future Works
- Abstract aggregation
- Critical state prediction
- Critical state prediction based firewalls
- Lightweight cryptographic mechanisms for SCADA protocols

