Dynamic Realtime Security Analysis of Electrical Power Systems

Gathering Cyber-Physical Threat Intelligence

Mike BurmesterWork with W. Owen Redwood and Joshua Lawrence

Outline1. Critical Infrastructures protection

a. Critical infrastructure ecologies, resilience, real vs ideal world simulationsb. Protection and control architecture for EG substationsc. Vulns of an IEC61850 enabled EG substations, synchronized attacks

2. Honeypotsa. real-time situational awareness tools

b. Cyber-Physical Systems i. SCADA / Critical Infrastructureii. Vulns & Security & state of Threat Intelligence

3. Symbolic Cyber-Physical Honeynetsa. Situational Awareness for SCADA / ICS

Critical Infrastructure Ecologies

Resilience: real vs ideal world simulations

Human

(ideal world adversary) controls all communication channels

F (protected functionality)

CyberPhysical

PhysicalHuman Cyber

PhysicalHuman Cyber

A (real world adversary)controls all communication channels

Protection and control architecture for an EG substation

IEDs I/O via fiber

Bricks

Bricks

IEDs I/O via fiber

Ethernet connectivity to SCADA & HMI

5

Vulnerabilities of an IEC61850 enabled EG substation Ethernet -- Substation Bus

Ethernet -- Process Bus

Relay Meter

Merge Unit Merge Unit

HMI

Control Center

Internet

Remote Operator

Other Substations

Vulnerabilities are indicated by “ “ and involve physical/human/cyber entities. For example: the Remote Operator or their computer may be compromised, the behavior of the Relay or the Merge Unit Brick may be irregular (because of unexpected inputs), etc. Our goal is to:

Analyze realtime multi-layer vulnerabilities of EG infrastructures resulting from malicious/unexpected behavior.Analyze cascading EG infrastructure faults.Identify vulnerabilities & exploits of IEC61850 substation automation systems using hardware-in-the-loop realtime testing.Develop a framework that addresses holistic integrity in realtime by enforcing trust policies and controls and by enabling security mechanisms and tools (engines).

IED

Synchronized attack scenariotop: the generator frequency during a cascading event bottom: the state of the system before & after an attack

EG Resilience

Maintaining Functionality at Sustained Levels

output power

Backup power

sustained functionality leveltime

Capture:

● Tool use● detection tests (and sometimes fail!)● initial intrusion● outbound connection initiated● ...● expand access and obtain credentials● strengthening of foothold● data exfil● attempts to cover tracks

Honeypots

diagram from http://en.wikipedia.org/wiki/Advanced_persistent_threat

HoneypotsHoneynet - More than one honeypotLow interaction● simulates a controlled subset of the target’s attack surface

o emulates common services, applications, OSeso low risk

High interaction ● utilizes real services, apps, OSs (near-real attack surface)

o commonly have a HMI or GUIo high risko capture far more data

● Good, currently-maintained tools for these are RARE

3 Categories of Threat Intelligence

● Exploitation techniques & strategies● Post-exploitation techniques & strategies, and● end goals (very hard to observe)

Cyber-Physical Systems

computational systems that monitor and control physical entities

● control systems● sensor-based systems● autonomous systems● robotic systems● etc...

Cyber-Physical Systems

Typically a network of:● Remote Telemetry Units (RTUs)● Programmable Logic Controllers (PLCs)● Intelligent Electronic Devices (IEDs)

(may be a MAC-layer “station bus” network)==>Controlled by:● Supervisory Control And Data Acquisition (SCADA) system(s)● Industrial Control System (ICS) system(s)● Process Control System (PCS) system(s)● Distributed Control System (DCS) system(s)

Cyber-Physical Systems (reality)Are embedded systems,● Linux● VXworks● Solaris ● custom firmware, custom OS...

with some specialized additions:● sensors, actuators, regulators, communication devices, and “control”

processing units

Cyber-Physical Systems Standards, Protocols, Implementations

Standards designed by engineers FOR engineers Access to standards/documentation > $10,000

o restricted access, yet expect everyone to adopt it

Descriptions of protocols are open, but closed-source code is common● Implementations thus differ per vendor

o Makes things hell for the control systems vendors

Tracking CPS systems on the Internet

Specialized Search engines:

● SHODAN - Sentient Hyper-Optimized Data Access Networko http://www.shodanhq.com/

● ERIPP - Every Routable IP Projecto http://eripp.com/

● IRAM - Industrial Risk Assessment Mapo http://www.scadacs.org/iram.html

Project SHINE (early 2014):

● uses SHODAN to detect how many ICS systems are connected to internet EACH DAY:

● 2000-8000 NEW ICS on internet PER DAY

The Industrial Risk Assessment Maphttps://www.scadacs.org/iram.html

CPS Vulnerabilities

● “forever-day” originated.● n-days typically never get patched. <==This trivializes the cost of target research.

● Accessible to all levels of threat

Target Infrastructure Research

● Amplifies the impact / opportunities of all other stages of the attack cycleo Stuxnet-level attacks aren’t possible without

research

● Thus the “low-hanging fruit” of attackers can cause significant damage

Cyber-Physical Systems Security

● vendor backdoors are common● 1990’s network interface cards, easy to DoS● very hard to patch / update

Hacking: it’s like its 1980’s, once you get inside the network

Cyber-Physical Systems SecuritySecurity designed by Engineers != SecurityNo modern security like:

● Executable Exploit Mitigations:o ASLRo DEP / N^X / W^Xo Control Flow Lockingo GS / Stack cookies (compiler dependent) o safe heap allocators (compiler dependent)o kernel / file integrity watchdogs

CPS Commodity-ThreatsGLEG Ltd (Russian Company) sells:● Agora: since 2006, contains 160+ CPS exploitation

modules● SCADA+: project containing “ALL publicly available

SCADA vuln”s in one exploit pack

Core Impact sells:● ExCraft SCADA Pack: 50+ CPS exploitation modules

CPS Commodity-Threats (free)

SamuraiSTFU (Security Testing Framework for Utilities) provides:● collection of web, network, and hardware exploitation tools targeted

for utility security teams/security firms.

Metasploit provides:● several exploitation modules as well● in the nice popular metasploit framework

SCADA Vulnerability and Exploit-PoC Repository:http://scadahacker.com/vulndb/ics-vuln-ref-list.html

So what?how often do these things even get attacked anyways???

Cyber-Physical Systems Threats

ICS CERT: Surge In Brute-Force Attacks Against Energy Industry (06/2013) http://www.darkreading.com/attacks-breaches/ics-cert-surge-in-brute-force-attacks-ag/240157599

Addressing Cyber Threats to Oil and Gas Suppliers (June 2013) http://www.cfr.org/cybersecurity/addressing-cyber-threats-oil-gas-suppliers/p30977

● increasing threats, ranging from cyber espionage by foreign intelligence, to attempts to disrupt operations

Congressional Report: “Electric Grid Vulnerability: Industry Responses Reveal Security Gaps” (May) http://www.scor.com/en/sgrc/pac/cyber-risks/item/2573.html?lout=sgrc

● Bleak outlook. Cyber threats against CPS are far likelier and riskier than high-altitude EMP detonations

Cyber-Physical Systems Threats

From 2014-2015:● BlackEnergy APT campaign● SandWorm APT campaign

o also used blackenergy malware

● Dragonfly APT campaigno aka Energetic Bear / Crouching Yeti

targets IEC 60870

● …. Each of these has been going on for years and were only discovered in 2014

Getting Situational Awareness in ICS / SCADA

CPS HoneypotsCISCO CIAG’s SCADA HONEYPOT (2004)

DIGITAL BOND’s SCADA Honeynet Project (2010)

CONPOT - The Honeynet Project’s ICS Honeypot

TREND MICRO’s closed-source honeypot project

ROS Honeypot

Plus...

● We’re good OK at tracking the attacks against cyber…● What about how cyber attacks against one end of a

CPS can affect directly/indirectly other parts of the physical system.- upstream- downstream

RobotOS (ROS) Honeypot

The ROS honeypot is the 1st true cyber-physical honeypot

● DEFCON 20 experiment● providing a high-interaction vulnerable HMI that

interfaces● with actual robotic hardware running ROS.o Thus, is able to capture cyber attacks against the

underlying physical system

RobotOS (ROS) Honeypot

RobotOS (ROS) Honeypot

But this solution would not scale for large CPS…

● Too expensive● Too complicated● High maintenance

Symbolic Honeynets for Gathering Cyber-Physical

Threat Intelligence

Symbolic Cyber-Physical Honeynet (SCyPH) Framework

Novel features:

● symbolic simulation/analysis of physical part● emulation of everything else (SCADA / ICS protocols)

- Provides realistic stimuli to HMI = believable target- Allows capture of post-exploitation behavior- Organize and highlight attack data in a “cyber-physical-

anomaly-centric manner”

Symbolic Cyber-Physical Honeynet (SCyPH) Framework

Why “Symbolic”???● The anomaly detection engine analyzes each parameter

as a set of symbols.o doesn’t care about the data types

voltage, current, temperature, load, status, ...

SCyPH Server Model

HONEYNETFRAMEWORK

The Interaction LayerThe Honeynet Layer Infrastructure Modeling Layer

vmnet0(virtual bridge to eth0)

eth0 Internet Exposed Interface

vmnet1host-only mode

SCADA HMI

vmnet2Isolated

host-only

Simulated cyber-physical systems

The Logging Layer

Honeynet and SCADA HMI Logging

Anomaly Detection

Exposed Honeynet

Symbolic Cyber-Physical Honeynet (SCyPH) Framework

Design Principles:● All components are modular● HMI interaction is coupled with the simulated physical

modelo multiple HMI’s all reflect one overall physical model

● Layers are strictly partitioned

Symbolic Cyber-Physical Honeynet (SCyPH) Framework

Designed to:● facilitate greater interactivity than existing cyber-

physical honeypots, o to entice more sophisticated threat actors

● be easier to expand upon● present data in a higher order representation.

o physics anomalies presented with corresponding network traffic

Infrastructure Modeling Layer

Symbolic data flow model which simulates the physical parts of a cyber-physical system,

● Provides realistic stimuli to HMI = believable target● Based on Kahn Process Network (KPN)

o Many engineering models based on KPN model

IML’s data flow model defines a process by a set of signals, actors, and firing rules.

Any questions?

Referenceshttp://www.cs.fsu.edu/~burmeste/pubs.html