On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks




CIBSI 2013, Panama City, Panama, October 30th, 2013
On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks
Paulo Simões, Tiago Cruz, Jorge Gomes, Edmundo Monteiro
psimoes@dei.uc.pt
CISUC - DEI, University of Coimbra, Portugal

Outline
- The problem of detecting cyber attacks in Industrial Control Networks: mainstream ICT solutions vs. Industrial Control Networks
- Overview of the CockpitCI Project
- The CockpitCI Detection Layer
- The SCADA honeypot as one of the probes of the field network Intrusion Detection System
  - Target hardware platform & support for virtualization
  - Components of the Honeypot
- Lessons learned

Industrial Control Systems (ICS) and SCADA
Initially, Industrial Control Systems were isolated by nature and limited to the process network, resulting in security by obscurity and isolation:
- Proprietary protocols with undisclosed documentation (creating a false sense of security)
- Only manufacturers and attackers knew of failures and vulnerabilities (with neither party having any interest in their disclosure)
Meanwhile, ICS evolved to open architectures and standard technologies, highly interconnected with other corporate networks and even the Internet. This move, together with the use of mainstream ICT technologies and the increasing adoption of open, documented protocols, exposed serious weaknesses in SCADA architectures.

ICS vs. mainstream ICT
As a result of such transformations, SCADA architectures are becoming increasingly similar to general ICT systems:
- Widely available, low-cost Internet Protocol (IP) devices are replacing proprietary solutions, which increases the possibility of cyber security vulnerabilities and incidents.
- Industrial control systems are adopting generic ICT solutions to promote corporate connectivity and remote access capabilities, and are being designed and implemented using industry standard computers, operating systems and network protocols.
- While this integration brought new capabilities (meanwhile developed by ICT), it also provided significantly less isolation from the outside world for the industrial control systems.

ICS vs. mainstream ICT: one size fits all?
Protection measures of standard ICT security frameworks (firewalls, IDS, other) may be adapted for the process control and SCADA environments, BUT this introduces some security risks of its own, since some assumptions regarding ICT networks will not hold in ICS (availability comes first!).
[Figure: corporate network, DMZ with a DB server, and process network (Master, Slave, Slave, PC, PC, PC); a TCP SYN flood is shown as the example threat]

ICS vs. mainstream ICT: one size fits all?
Probably NOT: ICS and ICT systems do have different priorities.
- ICT: 1. Confidentiality, 2. Integrity, 3. Availability
- ICS: 1. Availability, 2. Integrity, 3. Confidentiality
(adapted from ANSI/ISA-99.00.01-2007, Security for Industrial Automation and Control Systems, Part 1: Terminology, Concepts, and Models (2007))
This calls for a domain-specific approach to cyber threat detection in ICS, designed from the ground up to address their specific characteristics. This kind of SCADA-oriented cyber threat awareness constitutes one of the core contributions of the CockpitCI project.

Project CockpitCI (Jan/2012-Dec/2014)
Aims to develop a multidisciplinary approach to the cyber security of Industrial Control Systems, increasing global awareness and enhancing the local intelligence and resilience of the critical infrastructure under attack (even in the case of a successful intrusion into parts of the system).
Consortium:
- Energy operators: Israel Electric Corporation, Lyse (Norway), Transelectrica (Romania)
- Industry: Selex, Gruppo Finmeccanica (it); itrust (lu)
- Universities: Coimbra (pt); La Sapienza (it); Roma 3 (it); Surrey (uk)
- Research institutes: ENEA (it); Henri-Tudor (lu); Multitel (be)
Use cases: electricity distribution networks (but applicable to other SCADA systems)
Website: http://www.cockpitci.eu

CockpitCI Operation
[Figure: Global Awareness layer (Secure Mediation Network, Inter-CI Communication network for information exchange with other, interdependent Critical Infrastructures, Integrated Risk Prediction Tool) above the Local Intelligence layer (Perimeter IDS, Detection Agents, Smart Policies, SCADA Control Center, RTU 1 ... RTU n). Legend: cyber detection components, the CI's internal legacy components, communication flows; some components are marked as not directly related with this paper.]


The CockpitCI Cyber-analysis and detection layer
The CockpitCI project includes a cyber analysis and detection layer that must work as a soft real-time distributed monitoring system and Perimeter Intrusion Detection System (Perimeter IDS).
It must be able to develop and deploy detection agents to monitor the potential cyber threats according to the types of networks (SCADA, IP, ...) and corresponding devices.
[Figure: CockpitCI Risk Prediction Tool, Perimeter IDS, Interfaces, External Sources (topology, policies, inventories, etc.), Detection Agents (net. probes, honeypots...) attached to the RTUs, Field Adaptors, Legacy Sources. RTU: Remote Terminal Unit (SCADA).]

High-level generic probing architecture
Aggregates several probing and monitoring points, in 3 security zones: ICT Network, Operations Network, Field Network.
[Figure: IT Network with IT Workstations; Operations Network with Master Station 1 ... Master Station N and HMI Clients, each tapped via Mon. Port/Bridged; Field Network with RTU 1 ... RTU N, Shadow RTUs, the HoneyPot and the Fieldbus Honeypot, down to the Sensors/Actuators.]

Network Intrusion Detection Systems
On the edge of each zone, monitoring the data flow between adjacent zones and external entities. Specialized IDS and probes are required for the Field Network.
[Figure: same three-zone diagram as the previous slide.]

Honeypots as one of the probes of the Field Network IDS
A device on the field network able to behave like a PLC or RTU. It can use SCADA protocol emulators, with the sole purpose of emulating a vulnerable device used as a decoy to attract intrusion attempts.
[Figure: same three-zone diagram as the previous slides, with the HoneyPot and the Fieldbus Honeypot in the Field Network.]

Probably a not-so-new idea
- SCADA Honeynet Project (2004): research project from Cisco; simulates several levels of the system stack: protocol, application, hardware
- Digital Bond's SCADA Honeynet (2006): simulates a SCADA Programmable Logic Controller (PLC)
- CockpitCI Honeypot:
  - Suitable for honeypot virtualization or low-cost hardware appliances: populate your Field Network with honeypots
  - Modular architecture, allowing for the addition of other SCADA protocols
  - Enhanced event-processing functionalities
  - Interfaces for remote management and event reporting

Target Hardware Platform: Intel x86 Hardware Architecture
- Easier to integrate existing software components (operating systems, SCADA emulators, SNMP stacks, security tools...)
- Easier to port to virtualized Honeypots
- Small hardware footprint & low cost: 50 to 200 Euro per unit, depending on casing and selected hardware platform
- Adequate performance: well above the requirements of a SCADA honeypot
- Respectable reliability (based on preliminary and ongoing tests): much more stable and reliable than initially expected (after some tweaking!)

Virtualized Honeypot
- Standard x86 virtual machine, compatible with most virtualization platforms
- Uses a small footprint (CPU, RAM, ...)
- Physically located at the datacentre, logically located in the field network
- Possible to apply smart redirection of suspicious traffic
Physical (hardware) or virtualized honeypot? Can the attacker discover the physical location of the honeypot?
- Hacking of the field network
- Physical access to some privileged point of the field network
- ...

Honeypot Architecture
Key modules: Honeypot Front-End Interface, Event Monitor, Firewall, Management.
[Figure: the Modbus Honeypot, made of the Honeypot Frontend Interface (Modbus API, FTPD, SNMPD, Port Scan), the Event Monitor (Filter, Redutor (event reduction), Event Assembly, Event Tx), the Watchdog and the Field Network Firewall; events go to the Event Correlator, management to the Security Mgmt. Platform.]

Honeypot - Front-End Interface
Provides the entry-points for the attacker:
- Modbus API emulator: accepts Modbus commands and behaves like a real PLC, providing the expected protocol functionality (registers, operations, etc.).
- FTP service, such as the services found on many commercial PLCs.
- SNMP management agent: replicates the interface and functionalities found on commercial PLCs.
- Port Scan detection module: detects any probing activity on the remaining TCP/IP service ports.
Easy addition of other services (or other SCADA protocols); mix of emulated services with real services; each service may be configured to mimic specific behaviours.
[Figure: same honeypot architecture diagram as the previous slide.]
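As an added example (not the CockpitCI project's own code), a minimal Modbus/TCP decoy handler in the spirit of the Modbus API emulator: it parses the MBAP header, answers Read Holding Registers (0x03) and Write Single Register (0x06) against a constructed register map, returns proper Modbus exceptions otherwise, and turns every request into a security event for the Event Monitor. The register contents, event fields and severities are assumptions.

```python
import struct
from dataclasses import dataclass

# Constructed decoy register map (assumption): a fake PLC with 16 holding registers.
REGISTERS = [1234] + [0] * 15

@dataclass
class HoneypotEvent:
    src: str        # peer address as seen by the honeypot
    function: int   # Modbus function code, -1 if the frame could not be parsed
    detail: str
    severity: str   # any contact with a decoy is suspicious; writes and bad frames rank highest

def build_adu(tid, uid, pdu):
    """Prefix a PDU with the MBAP header: transaction id, protocol id 0, length, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu

def exception_pdu(fc, code):
    """Modbus exception response: function code with the high bit set, then the exception code."""
    return bytes([fc | 0x80, code])

def handle_modbus_request(src, frame, registers=REGISTERS):
    """Answer one Modbus/TCP request as a PLC would and return (response bytes, event)."""
    if len(frame) < 8:
        return None, HoneypotEvent(src, -1, "malformed frame (%d bytes)" % len(frame), "high")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if pid != 0 or length != len(pdu) + 1:
        return None, HoneypotEvent(src, -1, "inconsistent MBAP header", "high")
    fc = pdu[0]
    if fc == 0x03 and len(pdu) == 5:                       # Read Holding Registers
        addr, count = struct.unpack(">HH", pdu[1:5])
        if not 1 <= count <= 125 or addr + count > len(registers):
            return build_adu(tid, uid, exception_pdu(fc, 0x02)), HoneypotEvent(
                src, fc, "read out of range addr=%d count=%d" % (addr, count), "medium")
        data = b"".join(struct.pack(">H", r) for r in registers[addr:addr + count])
        return build_adu(tid, uid, bytes([fc, len(data)]) + data), HoneypotEvent(
            src, fc, "read addr=%d count=%d" % (addr, count), "medium")
    if fc == 0x06 and len(pdu) == 5:                       # Write Single Register
        addr, value = struct.unpack(">HH", pdu[1:5])
        if addr >= len(registers):
            return build_adu(tid, uid, exception_pdu(fc, 0x02)), HoneypotEvent(
                src, fc, "write out of range addr=%d" % addr, "high")
        registers[addr] = value                            # the decoy really changes state
        return build_adu(tid, uid, pdu), HoneypotEvent(
            src, fc, "WRITE addr=%d value=%d" % (addr, value), "high")
    return build_adu(tid, uid, exception_pdu(fc, 0x01)), HoneypotEvent(
        src, fc, "unsupported function 0x%02x" % fc, "medium")
```

Wrapping this in a TCP listener on port 502 and forwarding each HoneypotEvent to the Event Monitor is all that is left for a working front-end.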

Honeypot - Event Monitor
Processes events generated by the front-end. Events pass through the following sequence: Filter (1); Event reduction and aggregation (2); Event Assembly (3); Event Transmission (4).
- The Filter and Event reduction and aggregation modules pre-process security events, for instance discarding specific events and/or grouping related events, thus optimizing system resources (e.g., processing and network) and increasing scalability in larger ICS scenarios.
- The Event Assembly module creates the security event messages, structured according to IDMEF, an open data format designed for exchanging information about security events.
- The Event Tx module transmits the generated events to the centralized event correlator, using a secure channel.
[Figure: same honeypot architecture diagram as the previous slides.]
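An added illustration (not the project's Event Monitor) of the Filter, reduction/aggregation and Event Assembly stages run over constructed events, ending in a reduced IDMEF (RFC 4765) alert. The event record, severity ranking, aggregation window, analyzer id and the chosen IDMEF element subset are assumptions; Event Tx over a secure channel is not modelled.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple
from datetime import datetime, timezone

# Normalised front-end event; ts is a UNIX timestamp, count is set by the reduction stage.
Event = namedtuple("Event", "ts src kind detail severity count", defaults=(1,))
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
IDMEF_NS = "http://iana.org/idmef"   # IDMEF namespace (RFC 4765)

def filter_events(events, min_severity="low", ignore_sources=()):
    """Stage 1 (Filter): drop events below a severity floor or from authorised management hosts."""
    floor = SEVERITY_RANK[min_severity]
    return [e for e in events
            if e.src not in ignore_sources and SEVERITY_RANK[e.severity] >= floor]

def reduce_events(events, window=10.0):
    """Stage 2 (Reduction/aggregation): repeats of the same (src, kind) within `window`
    seconds of a group's first event collapse into that first event carrying a count."""
    groups, order = {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.src, e.kind)
        g = groups.get(key)
        if g is not None and e.ts - g[0].ts <= window:
            g[1] += 1
        else:
            g = [e, 1]
            groups[key] = g
            order.append(g)
    return [first._replace(count=n) for first, n in order]

def assemble_idmef(event, analyzer_id="honeypot-field-01"):
    """Stage 3 (Event Assembly): one IDMEF Alert (subset of RFC 4765 elements) as XML text."""
    def tag(name):
        return "{%s}%s" % (IDMEF_NS, name)
    ET.register_namespace("idmef", IDMEF_NS)
    msg = ET.Element(tag("IDMEF-Message"), {"version": "1.0"})
    alert = ET.SubElement(msg, tag("Alert"), {"messageid": "%s-%d" % (analyzer_id, int(event.ts))})
    ET.SubElement(alert, tag("Analyzer"), {"analyzerid": analyzer_id})
    ET.SubElement(alert, tag("CreateTime")).text = datetime.fromtimestamp(
        event.ts, timezone.utc).isoformat()
    node = ET.SubElement(ET.SubElement(alert, tag("Source")), tag("Node"))
    addr = ET.SubElement(node, tag("Address"), {"category": "ipv4-addr"})
    ET.SubElement(addr, tag("address")).text = event.src
    ET.SubElement(alert, tag("Classification"), {"text": "%s: %s" % (event.kind, event.detail)})
    ET.SubElement(ET.SubElement(alert, tag("Assessment")), tag("Impact"), {"severity": event.severity})
    extra = ET.SubElement(alert, tag("AdditionalData"), {"type": "integer", "meaning": "event-count"})
    ET.SubElement(extra, tag("integer")).text = str(event.count)
    return ET.tostring(msg, encoding="unicode")

def process(events, **filter_opts):
    """Filter -> Reduction -> Assembly; Event Tx over a secure channel is outside this example."""
    return [assemble_idmef(e) for e in reduce_events(filter_events(events, **filter_opts))]
```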

Honeypot - Firewall
Prevents the attacker from gaining access and turning the honeypot into an attack vector. Allows all incoming connections to the honeypot, but denies connections from the honeypot to the remaining ICS nodes (the opposite of a typical firewall configuration!). Connections from the honeypot to the attacker are the only outgoing connections that are allowed.
Honeypot - Management
Watchdog module for remote management (in-band or out-of-band, according to the circumstances), allowing the honeypot configuration to be modified from an authorized device. The watchdog module also allows some actions to be performed remotely, such as restarting a module.
[Figure: same honeypot architecture diagram as the previous slides.]
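An added model (not the project's firewall) of the inverted policy described above, written as a stateful connection decision so the "only back to the attacker" exception can be checked; the addresses and the watchdog port are constructed assumptions, and a real deployment would express the same policy in the host's packet filter.

```python
from collections import defaultdict

# Constructed addresses (assumptions): the honeypot and its in-band management host.
HONEYPOT = "10.20.0.50"
MGMT_HOST = "10.20.0.2"
WATCHDOG_PORT = 8443   # hypothetical port of the watchdog's management channel

class HoneypotFirewall:
    """Honeypot firewall policy: every inbound connection to the honeypot is accepted (it is bait),
    the honeypot may only talk back to peers that currently hold an inbound connection to it,
    and the watchdog is reachable only from the authorised management host."""

    def __init__(self, honeypot=HONEYPOT, mgmt_host=MGMT_HOST):
        self.honeypot, self.mgmt_host = honeypot, mgmt_host
        self.peers = defaultdict(int)   # peer address -> open inbound connections

    def new_connection(self, src, dst, dport):
        """Decide on a new TCP connection (its SYN). Returns 'accept' or 'drop'."""
        if dst == self.honeypot:
            if dport == WATCHDOG_PORT and src != self.mgmt_host:
                return "drop"           # management channel is not part of the bait
            self.peers[src] += 1        # anything else inbound is welcome; remember the peer
            return "accept"
        if src == self.honeypot:
            # Outbound only towards a peer that already has an inbound connection open, so a
            # compromised honeypot cannot pivot to RTUs, master stations or the Internet.
            return "accept" if self.peers.get(dst, 0) > 0 else "drop"
        return "drop"                   # the honeypot never forwards third-party traffic

    def connection_closed(self, src, dst):
        """Forget an inbound connection once it ends, so the outbound exception ends with it."""
        if dst == self.honeypot and self.peers.get(src, 0) > 0:
            self.peers[src] -= 1
```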

Back to the Forest

Lessons Learned
- It is possible to develop Field Network Honeypots for SCADA systems, based on inexpensive commercial, off-the-shelf hardware and with strong integration of already existing software components.
- These field network honeypots constitute an important probe for Intrusion Detection Systems for SCADA field networks.
- It is simple to integrate these field network honeypots into a larger, distributed detection layer, achieving:
  - local event processing (improving scalability and increasing the granularity of event correlation)
  - standardized mechanisms to report processed events to higher layers
  - a higher-level centralized event processing platform for aggregation of events from multiple sources (e.g. several honeypots, other types of probes)

Thank you very much for your attention