PREEMPTIVE. Preventive methodology and tools to protect utilities (http://preemptive.eu/)




Ignasi Cairó, 15 October 2015, Brussels

Main goal

The main goal of PREEMPTIVE is to provide an innovative solution for enhancing existing procedures and methods, and for conceiving tools, to prevent cyber attacks that target utility companies relying heavily on industrial networks and automated control systems. PREEMPTIVE addresses in particular the prevention of cyber attacks against the hardware and software systems used by utility networks: DCS, SCADA, PLCs, networked electronic sensing, and monitoring and diagnostic systems.

Innovative breakthroughs

The strong innovation proposed in PREEMPTIVE is to face cyber attacks with a dual approach: techniques that take into account industrial process behaviour (IPB) together with communication and software related threats (CATh). Industrial process misbehaviours take place when an attacker gains user access rights and performs actions that look legitimate but are intended to disrupt the industrial process.

1. To enhance existing methodological security and prevention frameworks, with the aim of harmonizing risk and vulnerability assessment methods, standard policies, procedures and applicable regulations or recommendations to prevent cyber attacks. The PREEMPTIVE methodology will take into account the envisaged innovative technological solutions for preventing and detecting zero-day attacks.
2. To define guidelines for improving the surveillance of Critical Infrastructures (CIs).
3. To design and develop prevention and detection tools compliant with the dual approach, covering both industrial process misbehaviour analysis (physical domain) and communication and software anomalies (cyber domain):
   - industrial process misbehaviour detection;
   - communication and software related threat prevention and detection.

Industrial networks (intrusion)

[Diagram: intrusion into an industrial network, showing the electrical power grid, the control centre and the model & simulation environment; the setting is common to electricity, water and gas utilities.]

Industrial networks vulnerabilities

Industrial networks are subject to several types of vulnerabilities. The most common include:
- misconfiguration of software and devices;
- weak passwords;
- device communications that are neither encrypted nor authenticated;
- systems that are not patched frequently;
- zero-day vulnerabilities;
- subnetworks that are not properly isolated/segmented and monitored;
- use of common operating systems, inheriting their weaknesses;
- ad-hoc (purpose-built) malware.

We will use these vulnerabilities to simulate cyber attacks against an industrial network.

Tools/Techniques

Kali Linux: performing the penetration test.

Nmap: network scanning of large networks or single hosts. In this way we can discover which hosts are active on the network, which services (application name and version) those hosts offer, which operating systems (and OS versions) they run, and which packet filters/firewalls are in use. Other tools relate to PLCs, e.g. detecting Modbus/TCP ports.

Other tools we can use to acquire information are Wireshark (network sniffer) and Nessus/OpenVAS (vulnerability scanners). All the information acquired will be used to attack the network with the following tools:

Hydra is a parallelized login cracker that supports numerous protocols. It is very fast and flexible and allows unauthorized remote access to a system to be gained easily through brute-force or dictionary attacks.

SQLmap is one of the most effective penetration testing tools; it automates the detection and exploitation of SQL injection flaws and the takeover of database servers.

Metasploit Framework is a powerful tool that simplifies the exploitation of a remote target machine.

Tools/Techniques

1. Simulate a man-in-the-middle attack in which we can inject commands to an IED.
2. Modify certain values transmitted from/to an RTU in order to manipulate them (the variables to manipulate have to be derived from the process being simulated).
3. Use a fuzzer to send malformed packets to field devices and observe how they react (e.g. whether they fail).
4. Use malware stored on a USB stick that can infect a SCADA server and make it send rogue commands to field devices (e.g. opening a switch).

Attacks against web server (diagram)

Attacks against internal database (diagram)

Attacks against SCADA server (diagram)

Attacks against PLC/IEDs (diagram)

Attack simulations

Attack strategies

- Attacking the network from the outside, using spear phishing, SQL injection, brute force or other techniques to penetrate. Then a simple backdoor is enough to maintain access to the infected machines [@elisa].
- Attacking the network from the inside with an infected USB stick [@elisa].
- Attacking the network by obtaining physical access to the RTU, e.g. the attack scenario proposed by IREC on slide 6.

Attacking the network obtaining physical access to the RTU

[Diagram: microgrid with SG, transformer, photovoltaic (PV) and wind turbine (WT) generation, circuit breaker (CB) and load, supervised by a secondary controller (AGC); voltage inside operating limits at both measurement points.]

[Plots: attack at 400-800 s. Frequency (normal case vs. attack): under attack the frequency stabilizes at a higher setpoint, still inside the tripping limits of the breakers. Mechanical and electrical power and torque (normal case vs. attack): turbine power vs. electrical power, 0.0707 in the normal case against 0.0712 under attack. The system works less efficiently, more energy is lost, and balance is restored.]

Interfacing simulation and measurements

[Diagram: IREC DIgSILENT simulation (bus V, P, Q, f, phase; one month without DER, one day with DER) written to a raw-data log (*.txt); a log parser plus Modbus TCP/IP server in Matlab feeds Modbus traffic to the IREC EMS (SCADA), which also receives DSO forecasts (txt) through a gateway PC; the EMS exchanges XML traffic with the microgrid data concentrator, which talks Modbus to the local controller and the IREC metering IEDs. Malicious injection points are marked on the Modbus traffic between parser and EMS, on the XML traffic (VITRO attack), and on the Modbus traffic to the local controller.]

Detection methodologies

Anomaly detection

The first step in implementing an anomaly detection system based on negative selection (an Artificial Immune System) is the characterization of normality. Special common features of Critical Infrastructure (CI) data:
- time series;
- periodicity (daily, weekly, yearly patterns);
- few consumption patterns;
- topology changes (discrete changes).

Normality in this case depends strongly on WHO and WHEN: cross-checking subspaces (season, type of day) by vertical, horizontal and similar-element comparison, and grouping, if labelling is available (type and/or point of measurement).

Definition of normality

In essence, normality is defined upon the concept of similarity, and similarity is quantified through suitable metrics. Comparison is made among elements that have shown to be similar or that should be similar, i.e. within a subset. Different criteria for defining the subset allow independent crossed detections to be implemented:
- an instant snapshot of the whole (and/or of a subset) compared with similar instants;
- each detector compared with itself at similar moments (for instance, the daily pattern);
- comparison among similar detectors (for instance, domestic consumption, industrial consumption).

Definition of normality: clustering of similar measurement points (diagram)

Applied examples

IREC I: electrical data, about 20 minutes at one-second resolution, 300 RTUs, simulated, one data set with an anomaly. PCA (no periodicity; continuity in the reduced space), then V-detector training and testing (Zhou Ji, Dipankar Dasgupta). Horizontal view: each point represents one instant.

NIDS

A Network Intrusion Detection System (NIDS) identifies attacks by monitoring the traffic over a network.

[Diagram: lab network with segments 10.10.0.0/16 (hosts 10.10.0.1-10.10.0.3), 10.20.0.0/16, 10.30.0.0/16 (PLC) and 10.40.0.0/16 (RTU), network sniffers on the 10.10 and 10.20 segments, and gateway addresses x.x.0.254/x.x.0.255. WP7 General Meeting, Rome, 16 Sep 2015.]
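The V-detector step of the IREC example, as an added illustration and not the project's own code. The self samples are constructed 2-D points, one per instant, standing in for the first two principal components after PCA (the PCA step itself is not shown). Detector centres are seeded on a fixed grid instead of being drawn uniformly at random as in Ji and Dasgupta's V-detector, so the run is reproducible; the variable-radius rule and the negative-selection test are unchanged. The cluster location, spread and self_radius are arbitrary choices for the example.

```python
"""Real-valued negative selection (V-detector) on 2-D reduced-space data.

Added example, not PREEMPTIVE code. Self samples are constructed: one point per
instant, standing in for the first two principal components of RTU measurements.
"""
import math
import random


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def make_self_samples(n=80, centre=(0.3, 0.3), spread=0.03, seed=0):
    """Constructed normal data: one tight cluster, i.e. a single operating regime."""
    rng = random.Random(seed)
    return [tuple(rng.gauss(c, spread) for c in centre) for _ in range(n)]


def train_vdetector(self_samples, self_radius=0.05, grid=20):
    """Build variable-radius detectors over the unit square.

    Each grid cell centre c becomes a detector with radius
    r = dist(c, nearest self sample) - self_radius, provided r > 0 and c is
    not already inside an existing detector. Because r is strictly smaller
    than the distance to every self sample, no self sample can ever fall
    inside a detector (zero false positives on the training set by design).
    """
    detectors = []
    step = 1.0 / grid
    for i in range(grid):
        for j in range(grid):
            c = ((i + 0.5) * step, (j + 0.5) * step)
            if any(_dist(c, d) <= r for d, r in detectors):
                continue  # this region of non-self space is already covered
            r = min(_dist(c, s) for s in self_samples) - self_radius
            if r > 0:
                detectors.append((c, r))
    return detectors


def is_anomalous(x, detectors):
    """Negative selection: x is non-self if it lies inside any detector."""
    return any(_dist(x, c) <= r for c, r in detectors)


def evaluate(self_samples, detectors, test_points):
    """Return (false positives on the self set, flag per test point)."""
    fp = sum(is_anomalous(s, detectors) for s in self_samples)
    return fp, [is_anomalous(p, detectors) for p in test_points]


if __name__ == "__main__":
    normal = make_self_samples()
    dets = train_vdetector(normal)
    # two far-away instants (anomalies) and the cluster centre (normal)
    fp, flags = evaluate(normal, dets, [(0.875, 0.875), (0.125, 0.875), (0.3, 0.3)])
    print(len(dets), "detectors; false positives on self:", fp, "; flags:", flags)
```

What the example shows is the trade-off the slide leaves implicit: false positives on the training set are zero by construction, so the quantity to tune is coverage of non-self space, which grows with grid density (or, in the randomized original, with the number of candidate centres) and shrinks with self_radius.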

Indicators of compromise (IoC)

Some examples:

Modbus provides diagnostic functions (function code 08), not commonly used in normal operation, that can restart communications or clear a device's counters and diagnostic register. IoC: monitor for the presence of function code 08, which may reveal an attacker trying to change a device's behaviour.

GOOSE carries a state number (StNum) that increments by one on each state change (the retransmission counter SqNum then restarts from zero). IoC: monitor for non-sequential StNum values, which may indicate a spoofing attack.

DNP3 provides the DFC (data flow control) flag that, when set to 1, indicates a device is busy, so the master will not send it further data. IoC: monitor for a high frequency of DFC=1, which may indicate a DoS attack.

Project outcome
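The three indicators above implemented as detection logic over sample traffic. This is an added example, not the PREEMPTIVE prototype: the Modbus/TCP and DNP3 frames are constructed by hand (DNP3 CRC bytes are left as zeros and not verified), GOOSE messages are supplied as already-decoded (goID, StNum, SqNum) tuples rather than parsed from Ethernet frames, and the 50 % DFC threshold is an arbitrary choice.

```python
"""IoC checks for Modbus/TCP, GOOSE and DNP3 (added example, not PREEMPTIVE code).

Sample frames are constructed by hand; DNP3 CRCs are zeros and not checked.
GOOSE messages are passed as decoded (goID, StNum, SqNum) tuples because the
GOOSE payload is ASN.1 BER and a full decoder is out of scope here.
"""
import struct

MODBUS_DIAGNOSTICS = 0x08
# Diagnostics sub-functions that alter device state (Modbus Application Protocol, 6.8)
MODBUS_DIAG_SUBFUNCTIONS = {
    0x01: "Restart Communications Option",
    0x04: "Force Listen Only Mode",
    0x0A: "Clear Counters and Diagnostic Register",
}


def parse_modbus_tcp(frame):
    """Split a Modbus/TCP frame into MBAP header fields and PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("MBAP protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length %d does not match frame size" % length)
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def modbus_ioc(frame):
    """Alert on function code 08 (Diagnostics): rare in production traffic and
    able to restart a device or clear its counters."""
    pdu = parse_modbus_tcp(frame)
    if pdu["fc"] != MODBUS_DIAGNOSTICS:
        return None
    sub = struct.unpack(">H", pdu["data"][:2])[0] if len(pdu["data"]) >= 2 else None
    name = MODBUS_DIAG_SUBFUNCTIONS.get(sub, "sub-function %r" % (sub,))
    return "MODBUS fc=08 %s to unit %d (tid %d)" % (name, pdu["unit"], pdu["tid"])


def goose_stnum_ioc(messages):
    """messages: iterable of (goID, StNum, SqNum) in capture order.
    A legitimate publisher either keeps StNum and increments SqNum
    (retransmission) or increments StNum by one and resets SqNum to 0
    (state change). Any other step is reported as possible spoofing."""
    last, alerts = {}, []
    for go_id, st, sq in messages:
        if go_id in last:
            pst, psq = last[go_id]
            retransmit = st == pst and sq == psq + 1
            state_change = st == pst + 1 and sq == 0
            if not (retransmit or state_change):
                alerts.append("GOOSE %s: StNum/SqNum %d/%d after %d/%d" % (go_id, st, sq, pst, psq))
        last[go_id] = (st, sq)
    return alerts


DNP3_START = b"\x05\x64"


def dnp3_control(frame):
    """Return (DIR, PRM, DFC) from the link-layer control octet (IEEE 1815):
    bit 7 DIR, bit 6 PRM; in frames from a secondary station (PRM=0) bit 4 is
    DFC, the data-flow-control flag meaning 'buffer full, stop sending'."""
    if frame[:2] != DNP3_START or len(frame) < 10:
        raise ValueError("not a DNP3 link-layer frame")
    ctrl = frame[3]
    direction, prm = (ctrl >> 7) & 1, (ctrl >> 6) & 1
    dfc = (ctrl >> 4) & 1 if prm == 0 else 0
    return direction, prm, dfc


def dnp3_dfc_ioc(frames, threshold=0.5):
    """Alert when more than `threshold` of the secondary-station frames in the
    window carry DFC=1: a flood of 'busy' replies starves the master."""
    secondary = [dfc for _, prm, dfc in map(dnp3_control, frames) if prm == 0]
    if not secondary:
        return None
    busy = sum(secondary)
    if busy / len(secondary) > threshold:
        return "DNP3: %d of %d outstation frames have DFC=1 (possible DoS)" % (busy, len(secondary))
    return None


# Constructed sample frames (not captures from a real plant)
MODBUS_READ = bytes.fromhex("00010000000601030000000a")  # fc 03, 10 holding registers
MODBUS_DIAG = bytes.fromhex("0002000000060108000a0000")  # fc 08, sub 0x000A
# DNP3: start, length, control, dest (LE), src (LE), CRC (zeros, unchecked)
DNP3_OUTSTATION_BUSY = bytes([0x05, 0x64, 0x05, 0x10, 0x01, 0x00, 0x0A, 0x00, 0x00, 0x00])
DNP3_OUTSTATION_ACK = bytes([0x05, 0x64, 0x05, 0x00, 0x01, 0x00, 0x0A, 0x00, 0x00, 0x00])
DNP3_MASTER_DATA = bytes([0x05, 0x64, 0x05, 0xC4, 0x0A, 0x00, 0x01, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    print(modbus_ioc(MODBUS_READ), modbus_ioc(MODBUS_DIAG))
    print(goose_stnum_ioc([("GO1", 5, 0), ("GO1", 5, 1), ("GO1", 6, 0), ("GO1", 9, 0)]))
    print(dnp3_dfc_ioc([DNP3_OUTSTATION_BUSY] * 4 + [DNP3_OUTSTATION_ACK, DNP3_MASTER_DATA]))
```

In a deployment these checks would run on a per-sniffer feed (one per segment in the NIDS diagram) and the alerts would be fed to the correlation engine; the GOOSE check in particular must be keyed per goID, since several publishers legitimately share the multicast domain.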

PREEMPTIVE software prototype

- Detection and prediction tool based on a dual approach: low-level direct detection and process misbehaviour detection.
- Correlation of events/alarms coming from the network, host and process detection tools to detect and prevent cyber attacks.
- Laboratory real/virtual environment based on electricity.
- Availability of real SCADA data from an operational plant.
- Knowledge of the operational process.

Thank you for your attention!
Ignasi Cairó, Principal Investigator (IREC), icairo@irec.cat