Live ICS Attack Demonstration
Cyber-intrusion Auto-response and
Policy Management System (CAPMS)
David Lawrence, Duke Energy; Steve Lusk, ViaSat; Tim Collins, ViaSat; Nick Saunders, ViaSat
Today’s Live Demo/Presentation
• Cyber-intrusion Auto-response and Policy Management System (CAPMS) Overview
– Why do we need a system that detects and responds to Cyber Attacks?
• Duke Energy – CAPMS Utility Partner
– Overview of Duke Energy’s Grid Of Things and the Open Field Message Bus
• CAPMS Demonstration
– Nick and Tim will demonstrate how an intruder could attack a typical utility network using DNP3 and how the network might respond
• Q&A
VIASAT PROPRIETARY 3
2011 Southwest blackout
2.7 million people impacted
• One Arizona utility worker triggered a chain of events which led to the outage
• A series of about 20 events occurred within 11 minutes of the Arizona transmission line failure
• According to SDG&E, they learned of these outages about 30 seconds before they occurred but could not respond in time
• Several other outages occurred – one of which at the San Onofre Nuclear Generation Station, which was taken offline as a safety measure
2003 Northeast blackout
55 million people impacted
An Alarm System bug at a Control Room in Ohio prevented an alert from being displayed
CAPMS Overview Cyber-intrusion Auto-response and Policy Management System
• Although not Cyber Attacks, these large-scale outages demonstrate the vulnerability of the grid
• A strategic Cyber Attack has the potential to cause major outages in multiple locations
• CAPMS is a DOE Grant to research methods of detecting/reporting Cyber Attacks and to demonstrate possible responses
• Goal is to define a Policy based system that provides operators with more tools to defend, detect, and respond to Cyber Attacks
• Based on ViaSat’s Trusted Network Platform (TNP) architecture, CAPMS provides additional features to detect/respond to more complex attacks
• Algorithms, Policies and Policy engines will be used to help detect and isolate active attacks
• Depending upon the attack and based on Policy, responses may be automated, semi-automated, or manual
• DOE demonstration is planned for Sept 2015 … today’s demonstration is a preliminary look at the work thus far
Duke Energy Emerging Technology Office
Why do we need CAPMS? Autonomous Distributed Functionality with the Open Field Message Bus (OpenFMB)
David Lawrence, Duke Energy; Dwayne Bradley, Duke Energy
2/23/2015 page 7
Grid is Transforming to a Hybrid, Central and Decentralized Control and Generation Model
Currently, large central power plants supply their immediate surroundings. In the future, more small, decentralized wind and solar generators will take up greater load, and distributed autonomous control functions will be prevalent.
Source: Science Technology Daily
Duke’s Electric Grid – Grid of Things (GoT)
(Diagram; labels recovered from the figure:)
• Substation – Sherrill’s Ford, Rankin, McAlpine Substations: Solar PV, Energy Storage, Dist. Mgmt System, PMU (6), Weather stations (7)
• Customer Premise – ~60 homes served by McAlpine circuits: Solar PV, Home Energy Manager, PEV, Charging Stations, Smart Appliances, Demand Response, In-home load monitoring
• Distribution Circuit – 6 McAlpine circuits: Line Sensors (200+), Solar PV, CES, HES Energy Storage, Comm. Nodes (3,000), Intelligent Switches, DERMS/DMS, AMI metering (14,000)
What’s missing? Field device interoperability, autonomous distributed functionality, edge analytics, and distributed security.
Open Field Message Bus: The Grid of Things Enabler
(Diagram) Field Devices cannot communicate with each other outside of Vendor systems; with the Open Field Message Bus (CIM, DDS) field devices are connected to MDM, DMS and OMS. Death to Siloes!
(Diagram) Distributed Architecture: Telecom Networking Vision – Multi-Tier Communications Architecture Can Retrofit to Existing Systems and Enables Distributed Apps
• End Point Devices: Smart Meter, Capacitor Bank, Line Sensor, Intelligent Switch, Street Light, Customer Premise, Distributed Energy Resources, Transformer, Electric Vehicle
• Lower Tier Nodes (e.g. grid) and Middle Tier Nodes (e.g. substation): Legacy Gateway, OFMB + DApps + TNP/CAPMS; Field Area Network (FAN), Local Area Networks (LAN)
• Higher Tier Central Office (Utility Datacenter): Corporate Private Network, DMS, Head End, SCADA, MDM, TNP/CAPMS; Wide Area Network (WAN); Firewall / Virtual Firewall
• Legend: Application Processor, Core Processor, Physical Transport, Virtual Telemetry, Highest DIP Node
Trusted Network Platform / Cyber-intrusion Auto-response and Policy Management System
(Diagram; the components and their callouts, all connected over the Open Field Message Bus:)
• Detection! – Sensors detect unauthorized access and unusual activity; sensors trigger system alerts
• Reporting! – Operator is informed of suspicious behaviour and the CAPMS response; protected operating mode maintains availability, minimizing service disruption
• Prevention! – Systems interacting with the compromised devices are protected; contains the attack
• Response! – Every Platform in the Trusted Network responds to the Security Event based on Policy
• Central Security GUI (CSG) – Real-time cyber-security monitoring; security management and control
• Cyber Sensors (Data Capture and Analysis, Physical Security, Network Anomaly Detection) – Provide additional information for real-time health and monitoring of the Utility network
• Trusted Platforms – Devices are authenticated before joining the secure fabric; trust level is maintained throughout the life-time of the device
• Quality of Trust (QoT) – Quantifies trustworthiness of devices; distributed (P2P) assessment; reputation-based decisions; enables automated responses
• Trusted Monitoring – Security Operations Center (SOC)
CAPMS Demonstration
Nick Saunders – CAPMS SW Lead (Operator)
Tim Collins – CAPMS SW Architect (Intruder)
Substation
(Photo with callouts: Cut lock here; Climb Pole; Insert key)
CAPMS Demonstration Network
(Diagram; labels recovered from the figure:)
• Substation Operations network, 192.168.2.x/24 (SCADA over DNP3): protection relays Siemens 7SJ85, SEL 351S, ABB REF615, Schneider MiCOM P642; ViaSat TNP; Intruder
• The “Node”: SEL 3354 Gateway running Suricata DPI and CAPMS Policyd
• DELL PowerEdge 1950 running ABB MicroSCADA (MicroSCADA control); CAPMS for displaying the CSG on big screens; Verizon link through a Palo Alto PA firewall
• Legend: SCADA (DNP3); TNP Control & Status
DNP3 Threat Attack Demonstration
• Staged DNP3 attack on a simulated Utility Substation
– Intruder cuts lock, enters substation
– Attaches an attack computer (Raspberry Pi)
– Monitors DNP3 traffic to determine attack targets
– Attempts to send trip/close relay messages
• Demonstrates
– How Deep Packet Inspection can detect DNP3 attacks
– Detection mechanisms must use deep knowledge of the protocol
– Layered security is needed with operational control
– Distributed Policy based system provides options for Network Utility Operators … policies can be changed/modified to adapt to changes in the network
What might an attack look like?
• Intruders in the Control House run the intruder light show:
1. Experiment with just one relay
2. Start working all the relays at once
3. Try and coordinate all tripped, all closed
• What the Operator Sees:
– Stale comms in MicroSCADA
– Power goes out
• Potential Risks
– No concern for personnel working on live wires
How Is It Done?
• Intruder computer (Raspberry Pi) on outstation network
– Installs a hub?
– Network tap?
– Reconfigures the switch?
– Attaches a “DO NOT TOUCH” sign on it
– Steals copper to conceal true motive
• “tshark” is a command line version of Wireshark
• “arpspoof” for IP hijack
• “senddnp3” sends properly formed DNP3 “control relay operating block” messages
tshark
• Command line version of Wireshark
• From the captured DNP3 traffic:
Master: xx.xx.xx.108, DNP3 master ID 1
Outstation: xx.xx.xx.112, DNP3 outstation ID 10
• Can also get:
dnp3.al.index (control point/index)
dnp3.al.fun (function code)
arpspoof
• ARP poison attack: the TCP/IP connection from master to outstation is broken
• Intruder can assume the master IP and connect to the outstation
arpspoof -t <master IP> <intruderIP>
arpspoof -t <outstation IP> <intruderIP>
ifconfig eth0:0 192.168.2.8
senddnp3
• Based on the OpenDNP3 “masterdemo” sample program
• Can send any individual DNP3 CROB
– Source IP, master DNP3 address ID
– Destination IP, outstation DNP3 address ID
– Direct or select-operate mode
– Commands: latch_on, latch_off, pulse, pulse_trip, pulse_close
• Scan mode (pseudo-code):
for mode in { direct-operate, select-then-operate }:
    for control code in { ControlCode::LATCH_OFF, ControlCode::LATCH_ON,
                          ControlCode::PULSE, ControlCode::PULSE_CLOSE,
                          ControlCode::PULSE_TRIP }:
        send the command
Defense Solution
• Suricata (for sensor events)
– Open source intrusion detection system (IDS)
– Added DNP3 inspection
– Sends JSON-formatted “out of band” messages
• CAPMS Policy Service
– Built on ViaSat’s Trusted Network Platform
– Runs in substations and in operations
– Monitors DNP3, syslog, DDS, other protocols…
– Tracks both errors and out-of-profile events
– Behavioral model of a cyber attack
• Actions
– Security management console
– Integration with ABB MicroSCADA display
– Future work: automated responses
Demo: Reconnaissance
• Demonstrate how intruder uses reconnaissance
– Send bad index. Send bad Control code.
• What can’t be detected?
– Source or destination IP (outside of DNP3)
– Bad master/outstation IDs (device terminates connection)
– Relay commands if none are actually sent
• Response!
– Warning on MicroSCADA
– Alerts in TNP/CAPMS
(Diagram of the CROB fields used in the demo:)
Src IP, Dst IP, Port 20000
Master 100, Outstation 1,2,3,4
Index; Control code: pulse/trip; Pulse values: count, on, off
Policy Validation
• Lots of control/status messages are possible
• Not all messages are normal
• Security policy can be customized to validate “normal” behavior
• Uses:
– Detect reconnaissance
– Protocol fuzzing
– Automated reactions to problematic conditions
Demo: Valid Commands
• Intruder gets the control points and command codes
– Tricks operator into sending CROB commands?
– Has hands-on access to devices?
– Ex-employee knows the standard defaults?
• Demonstrate how intruder attacks network
– Trip all the breakers
• Monitoring shows no out-of-profile commands!
• CAPMS adds
– “State model” of what is an OK state
– Correlates seemingly unrelated events
– Can track recon that might take place over months
• Operations view:
– MicroSCADA alarm
– CAPMS/TNP alert
Structured Defense Logic
• Based on NESCOR Attack Trees
• The stages of potential attacks are modeled using digital logic gates
• Remedial actions can be bound to stages of an attack
• In this simple attack tree, the bound actions issue alerts and activate the MicroSCADA alarm LED
Demo Summary
• Probing of substation with nonsense DNP3 commands
• Catching legal but out of profile commands
• Interpreting an attack in stages:
– A few bad commands
– PLUS legal but out of the ordinary commands means
– ESCALATE from warning to serious
• Example of how a distributed intelligent node fits into the larger network
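The staged logic these slides describe (per-message policy checks from the Reconnaissance and Policy Validation slides, the state model from Valid Commands, and the attack-tree gates from Structured Defense Logic), worked as an added Python example. This is not CAPMS, ViaSat or Suricata code; the JSON event layout, the policy values, the addresses and the breaker state model are assumptions made for the example.

```python
import json
# Assumed policy for one outstation: existing control points, allowed DNP3
# function codes (3 SELECT, 4 OPERATE, 5 DIRECT_OPERATE) and CROB control codes.
POLICY = {"indexes": {0, 1, 2, 3}, "fun": {3, 4, 5},
          "codes": {"LATCH_ON", "LATCH_OFF", "PULSE_TRIP", "PULSE_CLOSE"}}

def crob(index, code, fun=5):
    """Constructed 'out of band' JSON event for one CROB (layout is made up)."""
    return json.dumps({"src": "192.168.2.8", "dst": "192.168.2.10",
                       "fun": fun, "index": index, "code": code})

# Recon probes (bad index, bad control code), then legal trips of every breaker.
EVENTS = [crob(99, "PULSE_TRIP"), crob(1, "PULSE"), crob(0, "PULSE_TRIP"),
          crob(1, "PULSE_TRIP"), crob(2, "PULSE_TRIP"), crob(3, "PULSE_TRIP")]

def check_message(ev, policy=POLICY):
    """Per-message policy validation (reconnaissance stage) for one CROB."""
    bad = []
    if ev["index"] not in policy["indexes"]:
        bad.append("bad_index")
    if ev["fun"] not in policy["fun"]:
        bad.append("bad_function")
    if ev["code"] not in policy["codes"]:
        bad.append("bad_control_code")
    return bad

def assess(raw_events, policy=POLICY):
    """State model plus attack-tree gates: legal commands drive a breaker model;
    recon = OR(violations), disruption = OR(out-of-profile), serious = AND(both)."""
    breakers = {i: "closed" for i in policy["indexes"]}  # assumed normal state
    violations, out_of_profile = [], []
    for raw in raw_events:
        ev = json.loads(raw)
        bad = check_message(ev, policy)
        if bad:
            violations.extend(bad)
            continue                       # a rejected request changes no state
        if ev["code"] in ("PULSE_TRIP", "LATCH_OFF"):
            breakers[ev["index"]] = "open"
        elif ev["code"] in ("PULSE_CLOSE", "LATCH_ON"):
            breakers[ev["index"]] = "closed"
        if all(state == "open" for state in breakers.values()):
            out_of_profile.append("all_breakers_tripped")   # legal but out of profile
    recon, disruption = bool(violations), bool(out_of_profile)
    level = "serious" if recon and disruption else (
        "warning" if recon or disruption else "normal")
    return {"level": level, "violations": violations,
            "out_of_profile": out_of_profile, "breakers": breakers}
```

Run `assess(EVENTS)` to see the escalation: the two probes alone or the trips alone each yield a warning, and only their combination is reported as serious.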
CAPMS Summary
• More complex attacks require more complex responses
• Coordinated efforts are needed to monitor and respond to attacks
• Policy Management and Event correlation add breadth and depth to detecting/responding to attacks
• Large distributed networks are vulnerable to both Cyber and Physical attacks
• Interoperability is a must
– Standards will facilitate open dialog between vendors and provide better responses to potential Cyber Attacks
• Strong Security is key
– Robust Security that supports normal operation is required
– Defense-in-Depth
Q&A
OpenFMB Standardization and Test Beds
• Standards Development Efforts
– Smart Grid Interoperability Panel (SGIP)
– North America Energy Standards Board (NAESB)
• Community Portal & Repository
– Published Duke Energy Reference Architecture Spec
– Transfer Opengridstandards.org to a non-profit
– Utility Communications Architecture Int’l Users Group (UCAIug)
• Utility Partnerships/Research Alliances
– National Renewable Energy Lab (NREL) DOE INTEGRATE project
– Electric Power Research Institute (EPRI) Integrated Grid program
– CPS Energy: “Grid-of-the-Future” Deployment in San Antonio
• Duke Energy Coalition of the Willing (COW) Phase II Demo
– Islandable Microgrid with PVs & Battery Storage
– CIM, DDS, MQTT, & others
– DistribuTECH 2016 in Orlando, FL
– 25 Vendor partners