PREEMPTIVE
Preventive methodology and tools to protect utilities
http://preemptive.eu/
Ignasi Cairó, 15 October 2015, Brussels

Main goal
The main goal of PREEMPTIVE is to provide an innovative solution for enhancing existing procedures and methods, and for conceiving tools, to prevent cyber attacks that target utility companies relying heavily on industrial networks and automated control systems. PREEMPTIVE addresses, in particular, the prevention of cyber attacks against hardware and software systems such as DCS, SCADA, PLC, networked electronic sensing, and the monitoring and diagnostic systems used by utility networks.
Innovative breakthroughs
The strong innovation proposed in PREEMPTIVE is to face cyber attacks with a dual approach: techniques that take into account industrial process behaviour (IPB) and communication- and software-related threats (CATh). Industrial process misbehaviours take place when an attacker gains user access rights and performs actions which look legitimate but which are intended to disrupt the industrial process.
1. To enhance existing methodological security and prevention frameworks with the aim of harmonizing risk and vulnerability assessment methods, standard policies, procedures and applicable regulations or recommendations to prevent cyber attacks. The proposed PREEMPTIVE methodology will take into account the envisaged innovative technological solutions for preventing and detecting zero-day attacks.
2. To define guidelines for improving Critical Infrastructure (CI) surveillance.
3. To design and develop prevention and detection tools compliant with the dual approach, which takes into account both industrial process misbehaviour analysis (physical domain) and communication and software anomalies (cyber domain):
   - industrial process misbehaviour detection;
   - communication- and software-related threat prevention and detection.

Industrial networks (intrusion)
[Diagram: electrical power grid, control center, model & simulation; common to electricity, water & gas]

Industrial network vulnerabilities
Industrial networks are subject to several types of vulnerabilities. The most common include:
- Misconfiguration of software and devices
- Weak passwords
- Device communications not encrypted/authenticated
- Systems not patched frequently
- 0-day vulnerabilities
- Subnetworks not properly isolated/segmented and monitored
- Common operating systems used, inheriting their weaknesses
- Ad-hoc created malware
We will use these vulnerabilities to simulate cyber attacks against an industrial network.
Tools/Techniques
- Kali Linux: performing penetration tests.
- Nmap: network scanning of large networks or single spots. In this way we can discover what hosts are active on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters/firewalls are in use.
- Other tools relating to PLCs: detect Modbus/TCP ports, etc.

Tools/Techniques
Other tools that we can use to acquire information are Wireshark (network sniffer) and Nessus/OpenVAS (vulnerability scanner). All the information acquired will be used to attack the network with the following tools:
- Hydra is a parallelized login cracker which supports numerous protocols. It is very fast and flexible and allows gaining unauthorized access to a remote system easily using brute-force or dictionary attacks.
- SQLmap is one of the most effective penetration testing tools; it automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
- Metasploit Framework is a powerful tool that helps to simplify the exploitation of a remote target machine.
Tools/Techniques
1. Simulate a man-in-the-middle attack where we can inject commands to an IED.
2. Modify certain values transmitted from/to an RTU in order to manipulate them (the variables we should manipulate have to be derived from the process we are simulating).
3. Use a fuzzer to send malformed packets to field devices and see how they react (e.g. whether they fail).
4. Use malware that can be stored on a USB stick and can infect a SCADA server to send strange commands to field devices (e.g. opening a switch).

Attacks against web server
Attacks against internal database

Attacks against SCADA server
Attacks against PLC/IEDs

Attack simulations
Attack strategies
- Attacking the network from the outside using spear phishing / SQL injection / brute force / other techniques to penetrate. Then we can use just a simple backdoor to maintain access to the infected machines [@elisa].
- Attacking the network from the inside: infected USB stick [@elisa].
- Attacking the network by obtaining physical access to the RTU, e.g. the attack scenario (proposed by IREC) on slide 6.

Attacking the network obtaining physical access to the RTU
[Diagram: microgrid with secondary controller (AGC), SG, transformer, PV, WT, CB and load; voltage inside operating limits]
Attack at 400-800 s: the frequency stabilizes to a higher setpoint but inside the tripping limits of the breakers. The system works less efficiently (more energy is lost) and balance is restored.
[Plots: Frequency (normal case); Mech. & el. power, torque (normal case), turbine power vs. electrical power, 0.0707; Frequency (attack), stabilizing to a higher setpoint inside the tripping limits of the breakers; Mech. & el. power, torque (attack), 0.0712]

Interfacing simulation and measurement
[Diagram: components are IREC DSO forecasts; gateway PC; IREC DigSilent producing raw data (*.txt) with bus values (V, P, Q, f, Ph), without DER for 1 month and with DER for 1 day; LOG parser + Modbus TCP/IP server (Matlab); IREC EMS (SCADA) with forecasts on txt; VITRO microgrid (data) concentrator; local controller; IREC metering IEDs. The links carry Modbus traffic and XML traffic; a programming attack targets the LOG, and malicious attack injection points are marked on the Modbus and XML links.]
Detection methodologies

Anomaly detection
The first step for the implementation of an anomaly detection system based on negative selection (an Artificial Immune System) is the characterization of normality.
Special common features of Critical Infrastructures (CI):
- Time series
- Periodicity (day, week, year pattern)
- Few consumption patterns
- Topology changes (discrete changes)
Normality in this case is strongly dependent on WHO and WHEN: cross-checking subspaces (season, type of day) with vertical, horizontal and similar comparisons. Gathering by label, if labelling is available (type and/or point of measurement).
Definition of normality
- In essence, normality is defined upon the concept of similarity.
- Similarity is quantified through suitable metrics.
- Comparison is made among elements that have shown to be similar or should be similar: it must be made within a subset.
- Different criteria to define the subset allow independent crossed detections to be implemented:
  - an instant snapshot of the whole (and/or a subset) with respect to similar instants;
  - each detector with respect to itself in similar moments (for instance, the daily pattern);
  - among similar detectors (for instance, domestic consumption vs. industrial consumption).

Definition of normality
Clustering (similar measurement points)
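A minimal real-valued negative selection detector in the V-detector style of Ji and Dasgupta, added here to illustrate how detectors are built from characterised normality; this is not PREEMPTIVE code, and the training data, self radius and grid-based candidate sampling are assumptions made for the example.

```python
import math

# Constructed training set (assumption, not IREC data): 200 "normal" snapshots of one
# measurement point, each (voltage, load) scaled to [0, 1]; self space is a small region.
NORMAL = [(0.50 + 0.05 * math.sin(i / 7.0), 0.40 + 0.10 * math.cos(i / 11.0))
          for i in range(200)]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def train_v_detector(normal, self_radius=0.05, grid=20):
    """Negative selection with variable-radius detectors (V-detector style).
    Candidates are drawn from a fixed grid rather than at random so the run is
    reproducible. A candidate is discarded if it lies within self_radius of any
    normal sample or is already covered by an earlier detector; otherwise it becomes
    a detector whose radius reaches up to, but not into, the nearest self sample."""
    detectors = []
    for i in range(grid + 1):
        for j in range(grid + 1):
            cand = (i / grid, j / grid)
            nearest = min(dist(cand, s) for s in normal)
            if nearest <= self_radius:
                continue   # inside self space: never a detector
            if any(dist(cand, c) <= r for c, r in detectors):
                continue   # already covered by an existing detector
            detectors.append((cand, nearest - self_radius))
    return detectors

def is_anomalous(sample, detectors):
    """A sample is non-self (anomalous) if any detector ball contains it."""
    return any(dist(sample, c) <= r for c, r in detectors)

if __name__ == "__main__":
    det = train_v_detector(NORMAL)
    print(len(det), "detectors generated")
    print("training sample flagged:", is_anomalous(NORMAL[10], det))      # False
    print("out-of-range sample flagged:", is_anomalous((0.95, 0.95), det))  # True
```

By construction no training sample can be flagged (each detector radius stops short of its nearest self sample), which is the property to check first when tuning the self radius.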
Applied examples
IREC I: electrical data
- ~20 min, time resolution: secondly
- 300 RTUs
- Simulated, one set with anomaly
- PCA
- No periodicity
- Continuity in reduced space
- V-detector train and test (Zhou Ji, Dipankar Dasgupta)
- Horizontal (each point represents one instant)

NIDS
A Network Intrusion Detection System (NIDS) identifies attacks by monitoring the traffic over a network.
[Diagram: NIDS deployment over the subnets 10.10.0.0/16, 10.20.0.0/16, 10.30.0.0/16 and 10.40.0.0/16, with network sniffers (shown on 10.10.0.0/16 and 10.20.0.0/16), hosts 10.10.0.1, 10.10.0.2 and 10.10.0.3, and an RTU and a PLC on 10.30.0.0/16]
WP7 General Meeting, Rome, 16-Sep-2015
Indicators of compromise (IoC)
Some examples:
- Modbus provides (not commonly used) diagnostic functions that are able to reset a device's registers. IoC: monitor for the presence of function code 08 to check for an attacker trying to change a device's behaviour.
- GOOSE has a sequential value in the StNum field. IoC: monitor for non-sequential values of the StNum field, which might indicate a spoofing attack.
- DNP3 provides the DFC flag that, if set to 1, indicates a device is busy, hence the master will not communicate with it. IoC: monitor for a high frequency of DFC=1, which might indicate a DoS attack.

Project outcome
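The three indicators on the IoC slide above, turned into detection rules run over constructed sample records (an added example, not PREEMPTIVE prototype code; the record layout, thresholds, addresses and the GOOSE control block reference are assumptions):

```python
from collections import defaultdict, deque

MODBUS_DIAGNOSTICS = 0x08   # Modbus function code 08 (Diagnostics)
DFC_WINDOW_S = 10.0         # window over which DNP3 "device busy" replies are counted
DFC_MAX_IN_WINDOW = 3       # busy replies in the window before an alert is raised

# Constructed sample of already-decoded messages (not captured traffic); addresses
# and the GOOSE control block reference are made up for the example.
EVENTS = [
    {"t": 0.0, "proto": "modbus", "src": "10.10.0.1", "dst": "10.30.0.10", "func": 0x03},
    {"t": 0.5, "proto": "goose", "src": "10.10.0.2", "gocb": "IED1/LLN0$GO$gcb1", "stnum": 7},
    {"t": 1.0, "proto": "modbus", "src": "10.10.0.1", "dst": "10.30.0.10", "func": 0x08},
    {"t": 1.2, "proto": "goose", "src": "10.10.0.2", "gocb": "IED1/LLN0$GO$gcb1", "stnum": 8},
    {"t": 1.4, "proto": "goose", "src": "10.10.0.9", "gocb": "IED1/LLN0$GO$gcb1", "stnum": 3},
    {"t": 2.0, "proto": "dnp3", "src": "10.30.0.20", "dfc": True},
    {"t": 2.5, "proto": "dnp3", "src": "10.30.0.20", "dfc": False},
    {"t": 3.0, "proto": "dnp3", "src": "10.30.0.20", "dfc": True},
    {"t": 4.0, "proto": "dnp3", "src": "10.30.0.20", "dfc": True},
]

def detect(events):
    """Run the three IoC rules over time-ordered events; return (time, rule, detail) alerts."""
    alerts = []
    last_stnum = {}               # GOOSE control block -> last accepted StNum
    busy = defaultdict(deque)     # DNP3 outstation -> timestamps of DFC=1 replies
    for e in events:
        if e["proto"] == "modbus" and e["func"] == MODBUS_DIAGNOSTICS:
            alerts.append((e["t"], "modbus-diagnostics", f'{e["src"]} -> {e["dst"]}'))
        elif e["proto"] == "goose":
            prev = last_stnum.get(e["gocb"])
            # StNum repeats while the same state is retransmitted and increases by one
            # on a state change; anything else (a jump back or a skip) is non-sequential.
            if prev is None or e["stnum"] in (prev, prev + 1):
                last_stnum[e["gocb"]] = e["stnum"]
            else:
                alerts.append((e["t"], "goose-stnum-nonsequential",
                               f'{e["gocb"]} StNum {prev} -> {e["stnum"]} from {e["src"]}'))
        elif e["proto"] == "dnp3" and e.get("dfc"):
            q = busy[e["src"]]
            q.append(e["t"])
            while q and e["t"] - q[0] > DFC_WINDOW_S:
                q.popleft()       # drop busy replies that fell out of the window
            if len(q) == DFC_MAX_IN_WINDOW:   # alert once when the threshold is reached
                alerts.append((e["t"], "dnp3-dfc-flood",
                               f'{e["src"]} {len(q)} busy replies within {DFC_WINDOW_S:g} s'))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The thresholds are the part to tune per plant: a single function code 08 request is worth an alert because it is rarely used legitimately, while the DFC window and count must be set above the outstation's normal busy rate.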
PREEMPTIVE software prototype
- Detection and prediction tool based on a dual approach: low-level direct detection and process misbehaviour detection
- Correlation of events/alarms coming from network, host and process detection tools to detect and prevent cyber attacks
- Laboratory real/virtual environment based on electricity
- Availability of real SCADA data on an operational plant
- Knowledge of the operational process

Thank you for your attention!
Ignasi Cairó, Principal Investigator (IREC)
icairo@irec.cat