Cyber Security Modeling and Assessment of SCADA System Architectures




Mathias Ekstedt, Associate Professor; Teodor Sommestad; Hannes Holm
Industrial Information and Control Systems, KTH Royal Institute of Technology

Cyber security management is difficult!
CISO (etc.): Is my control system secure enough? What can I do to improve it most effectively?

The Cyber Security Modeling Language (CySeMoL) functionality

Success probabilities of attacks:
- P(SCADAServer.Access) = 0.14
- P(SCADAService.InjectCode) = 0.14
- P(SCADAServer.FindKnownService) = 0.04
- P(SCADAServer.ConnectTo) = 0.23

Effect of changes, for P(SCADAServer.Access):
- Install IPS: 0.14 => 0.11
- Regular security audits: 0.14 => 0.12

Defense/attack graphs:
- The attack step makes other attack steps possible
- The countermeasure reduces the chance of success
- The attack step disables the countermeasure

A simple defense graph example: RDP, DB service, Machine/OS, Network, FW

The CySeMoL magic (the success probabilities and effects of changes repeat the previous slide)

CySeMoL example in our modeling tool: Model Overview (network architecture), Model of SCADA LAN

The usual system architecture stuff:
- Networks
- Physical components/hosts
- Software services

Perhaps not in your average system architecture model:
- Access control points
- Authentication mechanisms
- Accounts
- Users
- Security training process

An attack example: USB inserted on the HMI OS, take over the PCU (communication with substation). Attack success 24%!!! (maximum)

The attack path extracted. There is a chance that:
- The attacker gains remote access to the HMI through the inserted USB stick (steps 0 and 1).
- The HMI has an address on the SCADA network zone (step 2).
- The attacker connects to the Server Message Block (SMB) service on the PCU Communication (step 3).
- Probe to determine what type of product (and version) it is, i.e. that it is SMB on Windows XP (step 4).
- Identify a (publicly known) vulnerability in the software (step 5).
- Find a functioning high-severity exploit (step 6).
- Run an arbitrary code exploit on the PCU Communication OS and open a back door (step 7).

Mitigation: introduce patch management! 5%. No exploit is available anymore; the attacker has to develop (or buy) his own.

Mitigation: network-layer deep packet inspection filter for PCU traffic! 17%. SMB traffic is now monitored, which decreases the chance of successfully running an arbitrary code attack on the service OS.

How to calculate the attack success probabilities..?

The simple example: RDP, DB service, Machine/OS, Network, FW

What is the risk that this attack step can be done by a professional penetration tester with one week of preparations? Look at previous research! Ask security experts!

Connect to the service

Scenario conditions (eight scenarios, columns 1-8):
- The attacker can obtain access to a host allowed through the firewall: No in all eight.
- The attacker can obtain physical access to the network: No in all eight.
- Network logs are reviewed on a regular basis: Yes in 1-4, No in 5-8.
- Security audits are performed on the network on a regular basis: Yes in 1-2 and 5-6, No in 3-4 and 7-8.
- Administrators have defined a formal change management process: Yes in the odd-numbered scenarios, No in the even-numbered ones.
[Rows for the low (5 %), medium (50 %) and high (95 %) estimates and the mean per scenario: figures not legible in the transcription.]
In the defense graph: 51%

More probabilities

First table (16 scenarios, columns 1-16):
- The professional penetration tester has access to the compiled (binary) code: Yes in all 16.
- The targeted software has been scrutinized before: Yes in 1-8, No in 9-16.
- The professional penetration tester has access to the source code: Yes in 1-4 and 9-12, No in 5-8 and 13-16.
- The software is written in a safe language (e.g. C#, Java) or a safe dialect (e.g. Cyclone): Yes, Yes, No, No, repeating every four columns.
- The software has been analyzed by static code analyzers and improved based on the result: Yes in the odd-numbered scenarios, No in the even-numbered ones.
[Rows for days needed if lucky (5 % chance), days needed on average (50 % chance), days needed if unlucky (95 % chance) and expected number of days required: figures not legible in the transcription.]

Second table (16 scenarios, columns 1-16):
- The service has high severity vulnerabilities which the attacker has exploits for: Yes in all 16.
- There is a deep packet inspection firewall in-between the attacker's IP and the service's port: No in 1-8, Yes in 9-16.
- The attacker can authenticate itself as a legitimate user of the service: Yes in 1-4 and 9-12, No in 5-8 and 13-16.
- The operating system uses executable space protection (e.g. DEP in Windows): Yes, Yes, No, No, repeating every four columns.
- The operating system running the service uses address space layout randomization (ASLR): Yes in the odd-numbered scenarios, No in the even-numbered ones.
[Rows for the low (5 %), medium (50 %) and high (95 %) estimates and the mean per scenario: figures not legible in the transcription.]
In the defense graph: 100%, 24%, 100%, 51%, 100%

The full scenario: 1.00 * 0.24 * 1.00 * 0.51 * 1.00 = 0.1224 = 12.24% chance of success (in the defense graph: 100%, 24%, 100%, 51%, 100%)

What CySeMoL can do for you: "This is (roughly) what my future system alternatives look like" (Scenario 1, Scenario 2, Scenario 3). "Probably, I can't say for sure, but it seems as if scenario 2 is the most secure alternative."
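A small evaluator for this product-of-steps calculation, added here as an example rather than CySeMoL's own code: it models the three defense-graph relations from the earlier slide (a step enables other steps, a countermeasure lowers a step's probability, a step can disable a countermeasure) and reproduces the 12.24 % figure. Only the five chain probabilities come from the slide; the step names, every countermeasure value and the "tamper" step are assumptions made for the example.

```python
"""Tiny defense-graph evaluator, added as an example (not CySeMoL's own code).

Encodes the three relations the slides list: an attack step makes other steps
possible (prerequisites, all required), a countermeasure lowers a step's chance
of success, and an attack step can disable a countermeasure.  Steps are assumed
independent, so P(step) = own probability * product over prerequisites; for a
chain this reproduces the slide's 1.00*0.24*1.00*0.51*1.00.  Only 0.51 ("connect
to the service") is tied to a step by the slides; the other step assignments,
the countermeasure values and the "tamper" step are constructed for this example.
"""
from functools import lru_cache
from math import prod

# step -> (prerequisite steps that must all succeed, success probability of the
#          step itself when no countermeasure protects it)
STEPS = {
    "reach the network":            ((), 1.00),
    "connect to the service":       (("reach the network",), 0.51),
    "identify product and version": (("connect to the service",), 1.00),
    "run arbitrary code exploit":   (("identify product and version",), 0.24),
    "establish access to the host": (("run arbitrary code exploit",), 1.00),
    "tamper with the DPI firewall": (("reach the network",), 0.30),  # constructed
}
# countermeasure -> (step it protects, step probability while the defense is
#                    intact, attack step that disables the defense or None)
COUNTERMEASURES = {
    "deep packet inspection firewall": ("run arbitrary code exploit", 0.10, "tamper with the DPI firewall"),
    "regular security audits":         ("connect to the service", 0.44, None),
}

def attack_probabilities(deployed=()):
    """Return {step: success probability} with the named countermeasures deployed."""
    guard = {COUNTERMEASURES[c][0]: COUNTERMEASURES[c] for c in deployed}

    @lru_cache(maxsize=None)
    def p(step):
        prereqs, p_base = STEPS[step]
        p_local = p_base
        if step in guard:
            _, p_defended, disabler = guard[step]
            intact = 1.0 - (p(disabler) if disabler else 0.0)  # chance the defense still works
            p_local = intact * p_defended + (1.0 - intact) * p_base
        return p_local * prod(p(q) for q in prereqs)

    return {step: p(step) for step in STEPS}

def path_success(goal, deployed=()):
    """Probability that the attacker reaches `goal` (the slide's full scenario)."""
    return attack_probabilities(deployed)[goal]

def effect_of_changes(goal):
    """Rank single countermeasures by the probability they leave, like the slide's 'Effect of changes'."""
    base = path_success(goal)
    ranked = sorted(((c, path_success(goal, (c,))) for c in COUNTERMEASURES), key=lambda r: r[1])
    return base, ranked
```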

Thank you for listening! CySeMoL scope

CySeMoL full version including attacks and countermeasures

Data sources
Parameters, relationships and dependency structure:
- Literature, e.g. standards or scientific articles.
- Review and prioritization by external experts (~10).
The probabilities:
- Logical necessities, e.g.: if the firewalls allow you to connect to A from B and you have access to B, then you can connect to A.
- Other scientific studies, e.g. time-to-compromise for authentication codes and patch level vs. patching procedures.
- Expert judgments: own surveys to researchers and security professionals.

Data from experts
Review of variables to include in the scenarios.
+ Probabilities on scenarios:
- Finding unknown entry-points: 4 experienced penetration testers.
- Finding unknown vulnerabilities: 18 vulnerability researchers.
- Arbitrary code exploits: 22 penetration testers and security researchers.
- Intrusion detection: 165 IDS researchers.
- DoS: 50 researchers on DoS attacks.

Cooke's classical method for weighting experts
Find the true expert, not the average of experts in general. (It is enough if one person knows the truth, if we can only identify that person.)
- Ask the experts a set of test questions you know the answer to.
- Have the experts specify quantiles (0.05, 0.50, 0.95) for the test questions: there is a 5/50/95 % chance that the value is below X.
- Reward them for being: calibrated/correct; informative.
- Weight their answers on the real questions based on test question performance.
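A simplified implementation of the weighting idea just described, added as an example and not CySeMoL's own code or Cooke's exact scoring: experts answer seed questions with 5/50/95 quantiles, are scored for calibration and informativeness, and those scores weight their answers to the real question. The experts, seed questions and all values are constructed.

```python
"""Performance-based expert weighting in the spirit of Cooke's classical method.

Added example, not CySeMoL's own code.  Each expert gives 5 %, 50 % and 95 %
quantiles for seed questions with known answers.  Calibration checks whether the
true values fall below q05, in q05..q50, in q50..q95 and above q95 as often as
those quantiles promise (5 %, 45 %, 45 %, 5 %); informativeness rewards narrow
5-95 % intervals.  Both are simplified stand-ins for Cooke's chi-squared and
relative-entropy scores; the experts and values below are constructed.
"""
from math import log

EXPECTED = (0.05, 0.45, 0.45, 0.05)  # share of truths each quantile bin should hold

def bin_of(quantiles, truth):
    """0: below q05, 1: q05..q50, 2: q50..q95, 3: above q95."""
    return sum(truth > q for q in quantiles)

def calibration(seed_answers, seed_truths):
    """1.0 when empirical bin shares match EXPECTED, 0.0 when far off (few seeds: nobody hits 1.0)."""
    counts = [0, 0, 0, 0]
    for quantiles, truth in zip(seed_answers, seed_truths):
        counts[bin_of(quantiles, truth)] += 1
    n = len(seed_truths)
    return max(0.0, 1.0 - sum(abs(c / n - e) for c, e in zip(counts, EXPECTED)))

def informativeness(seed_answers, value_range):
    """Mean log of how much narrower the 5-95 % interval is than the whole range."""
    lo, hi = value_range
    return sum(log((hi - lo) / (q95 - q05)) for q05, _, q95 in seed_answers) / len(seed_answers)

def expert_weights(experts, seed_truths, value_range):
    """Normalised calibration * informativeness; an uncalibrated expert gets 0."""
    raw = {name: calibration(e["seed"], seed_truths) * informativeness(e["seed"], value_range)
           for name, e in experts.items()}
    total = sum(raw.values())
    if total == 0:
        raise ValueError("no expert is calibrated on the seed questions")
    return {name: w / total for name, w in raw.items()}

def combined_estimate(experts, seed_truths, value_range):
    """Weighted combination of the experts' medians on the real question."""
    weights = expert_weights(experts, seed_truths, value_range)
    return sum(weights[name] * e["real"][1] for name, e in experts.items())

# Constructed data on a 0..100 scale: four seed questions, one real question, answers as (q05, q50, q95).
SEED_TRUTHS = [40, 12, 75, 58]
EXPERTS = {
    # A: calibrated and fairly sharp -> gets almost all the weight
    "A": {"seed": [(30, 38, 50), (5, 14, 20), (65, 73, 85), (48, 60, 68)], "real": (20, 30, 40)},
    # B: very narrow but usually wrong (overconfident) -> calibration 0, weight 0
    "B": {"seed": [(50, 55, 60), (30, 33, 36), (70, 72, 74), (60, 62, 64)], "real": (70, 72, 74)},
    # C: calibrated but so vague as to be nearly uninformative -> small weight
    "C": {"seed": [(5, 50, 95)] * 4, "real": (5, 45, 95)},
}
```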

The concepts included: a trade-off
Practically we can't, and don't want to, have everything in the model:
- The data collection cost for users
- Data collection cost for us (the theory's complexity)
- Variables' importance to security
- Variables' tendency to vary in practice

Questions?

Limitations with CySeMoL
It is incomplete; its scope excludes:
- The losses an attack would lead to
- Countermeasures that impact losses (e.g. backups)
- Threat agents and their mindset (pen tester with 1 week of preparation)
- Focus on availability and integrity (not confidentiality)
- Little focus on social engineering attacks
- Little focus on physical attacks and physical defenses
It depends to quite a large degree on domain experts' judgment.
No details, much uncertainty:
- The model is incomplete and lacks depth
- Knowledge is simply missing
A single architecture includes many potential attack paths: much analysis work to do for the decision maker. Better tool support is needed.