Upload
melissa-banks
View
222
Download
1
Tags:
Embed Size (px)
Citation preview
Dynamic Realtime Security Analysis of Electrical Power Systems
Gathering Cyber-Physical Threat Intelligence
Mike BurmesterWork with W. Owen Redwood and Joshua Lawrence
Outline1. Critical Infrastructures protection
a. Critical infrastructure ecologies, resilience, real vs ideal world simulationsb. Protection and control architecture for EG substationsc. Vulns of an IEC61850 enabled EG substations, synchronized attacks
2. Honeypotsa. real-time situational awareness tools
b. Cyber-Physical Systems i. SCADA / Critical Infrastructureii. Vulns & Security & state of Threat Intelligence
3. Symbolic Cyber-Physical Honeynetsa. Situational Awareness for SCADA / ICS
Resilience: real vs ideal world simulations
Human
(ideal world adversary) controls all communication channels
F (protected functionality)
CyberPhysical
PhysicalHuman Cyber
PhysicalHuman Cyber
A (real world adversary)controls all communication channels
Protection and control architecture for an EG substation
IEDs I/O via fiber
Bricks
Bricks
IEDs I/O via fiber
Ethernet connectivity to SCADA & HMI
5
Vulnerabilities of an IEC61850 enabled EG substation Ethernet -- Substation Bus
Ethernet -- Process Bus
Relay Meter
Merge Unit Merge Unit
HMI
Control Center
Internet
Remote Operator
Other Substations
Vulnerabilities are indicated by “ “ and involve physical/human/cyber entities. For example: the Remote Operator or their computer may be compromised, the behavior of the Relay or the Merge Unit Brick may be irregular (because of unexpected inputs), etc. Our goal is to:
Analyze realtime multi-layer vulnerabilities of EG infrastructures resulting from malicious/unexpected behavior.Analyze cascading EG infrastructure faults.Identify vulnerabilities & exploits of IEC61850 substation automation systems using hardware-in-the-loop realtime testing.Develop a framework that addresses holistic integrity in realtime by enforcing trust policies and controls and by enabling security mechanisms and tools (engines).
IED
Synchronized attack scenariotop: the generator frequency during a cascading event bottom: the state of the system before & after an attack
EG Resilience
Maintaining Functionality at Sustained Levels
output power
Backup power
sustained functionality leveltime
Capture:
● Tool use● detection tests (and sometimes fail!)● initial intrusion● outbound connection initiated● ...● expand access and obtain credentials● strengthening of foothold● data exfil● attempts to cover tracks
Honeypots
diagram from http://en.wikipedia.org/wiki/Advanced_persistent_threat
HoneypotsHoneynet - More than one honeypotLow interaction● simulates a controlled subset of the target’s attack surface
o emulates common services, applications, OSeso low risk
High interaction ● utilizes real services, apps, OSs (near-real attack surface)
o commonly have a HMI or GUIo high risko capture far more data
● Good, currently-maintained tools for these are RARE
3 Categories of Threat Intelligence
● Exploitation techniques & strategies● Post-exploitation techniques & strategies, and● end goals (very hard to observe)
Cyber-Physical Systems
computational systems that monitor and control physical entities
● control systems● sensor-based systems● autonomous systems● robotic systems● etc...
Cyber-Physical Systems
Typically a network of:● Remote Telemetry Units (RTUs)● Programmable Logic Controllers (PLCs)● Intelligent Electronic Devices (IEDs)
(may be a MAC-layer “station bus” network)==>Controlled by:● Supervisory Control And Data Acquisition (SCADA) system(s)● Industrial Control System (ICS) system(s)● Process Control System (PCS) system(s)● Distributed Control System (DCS) system(s)
Cyber-Physical Systems (reality)Are embedded systems,● Linux● VXworks● Solaris ● custom firmware, custom OS...
with some specialized additions:● sensors, actuators, regulators, communication devices, and “control”
processing units
Cyber-Physical Systems Standards, Protocols, Implementations
Standards designed by engineers FOR engineers Access to standards/documentation > $10,000
o restricted access, yet expect everyone to adopt it
Descriptions of protocols are open, but closed-source code is common● Implementations thus differ per vendor
o Makes things hell for the control systems vendors
Tracking CPS systems on the Internet
Specialized Search engines:
● SHODAN - Sentient Hyper-Optimized Data Access Networko http://www.shodanhq.com/
● ERIPP - Every Routable IP Projecto http://eripp.com/
● IRAM - Industrial Risk Assessment Mapo http://www.scadacs.org/iram.html
Project SHINE (early 2014):
● uses SHODAN to detect how many ICS systems are connected to internet EACH DAY:
● 2000-8000 NEW ICS on internet PER DAY
The Industrial Risk Assessment Maphttps://www.scadacs.org/iram.html
CPS Vulnerabilities
● “forever-day” originated.● n-days typically never get patched. <==This trivializes the cost of target research.
● Accessible to all levels of threat
Target Infrastructure Research
● Amplifies the impact / opportunities of all other stages of the attack cycleo Stuxnet-level attacks aren’t possible without
research
● Thus the “low-hanging fruit” of attackers can cause significant damage
Cyber-Physical Systems Security
● vendor backdoors are common● 1990’s network interface cards, easy to DoS● very hard to patch / update
Hacking: it’s like its 1980’s, once you get inside the network
Cyber-Physical Systems SecuritySecurity designed by Engineers != SecurityNo modern security like:
● Executable Exploit Mitigations:o ASLRo DEP / N^X / W^Xo Control Flow Lockingo GS / Stack cookies (compiler dependent) o safe heap allocators (compiler dependent)o kernel / file integrity watchdogs
CPS Commodity-ThreatsGLEG Ltd (Russian Company) sells:● Agora: since 2006, contains 160+ CPS exploitation
modules● SCADA+: project containing “ALL publicly available
SCADA vuln”s in one exploit pack
Core Impact sells:● ExCraft SCADA Pack: 50+ CPS exploitation modules
CPS Commodity-Threats (free)
SamuraiSTFU (Security Testing Framework for Utilities) provides:● collection of web, network, and hardware exploitation tools targeted
for utility security teams/security firms.
Metasploit provides:● several exploitation modules as well● in the nice popular metasploit framework
SCADA Vulnerability and Exploit-PoC Repository:http://scadahacker.com/vulndb/ics-vuln-ref-list.html
Cyber-Physical Systems Threats
ICS CERT: Surge In Brute-Force Attacks Against Energy Industry (06/2013) http://www.darkreading.com/attacks-breaches/ics-cert-surge-in-brute-force-attacks-ag/240157599
Addressing Cyber Threats to Oil and Gas Suppliers (June 2013) http://www.cfr.org/cybersecurity/addressing-cyber-threats-oil-gas-suppliers/p30977
● increasing threats, ranging from cyber espionage by foreign intelligence, to attempts to disrupt operations
Congressional Report: “Electric Grid Vulnerability: Industry Responses Reveal Security Gaps” (May) http://www.scor.com/en/sgrc/pac/cyber-risks/item/2573.html?lout=sgrc
● Bleak outlook. Cyber threats against CPS are far likelier and riskier than high-altitude EMP detonations
Cyber-Physical Systems Threats
From 2014-2015:● BlackEnergy APT campaign● SandWorm APT campaign
o also used blackenergy malware
● Dragonfly APT campaigno aka Energetic Bear / Crouching Yeti
targets IEC 60870
● …. Each of these has been going on for years and were only discovered in 2014
CPS HoneypotsCISCO CIAG’s SCADA HONEYPOT (2004)
DIGITAL BOND’s SCADA Honeynet Project (2010)
CONPOT - The Honeynet Project’s ICS Honeypot
TREND MICRO’s closed-source honeypot project
ROS Honeypot
Plus...
● We’re good OK at tracking the attacks against cyber…● What about how cyber attacks against one end of a
CPS can affect directly/indirectly other parts of the physical system.- upstream- downstream
RobotOS (ROS) Honeypot
The ROS honeypot is the 1st true cyber-physical honeypot
● DEFCON 20 experiment● providing a high-interaction vulnerable HMI that
interfaces● with actual robotic hardware running ROS.o Thus, is able to capture cyber attacks against the
underlying physical system
RobotOS (ROS) Honeypot
But this solution would not scale for large CPS…
● Too expensive● Too complicated● High maintenance
Symbolic Cyber-Physical Honeynet (SCyPH) Framework
Novel features:
● symbolic simulation/analysis of physical part● emulation of everything else (SCADA / ICS protocols)
- Provides realistic stimuli to HMI = believable target- Allows capture of post-exploitation behavior- Organize and highlight attack data in a “cyber-physical-
anomaly-centric manner”
Symbolic Cyber-Physical Honeynet (SCyPH) Framework
Why “Symbolic”???● The anomaly detection engine analyzes each parameter
as a set of symbols.o doesn’t care about the data types
voltage, current, temperature, load, status, ...
SCyPH Server Model
HONEYNETFRAMEWORK
The Interaction LayerThe Honeynet Layer Infrastructure Modeling Layer
vmnet0(virtual bridge to eth0)
eth0 Internet Exposed Interface
vmnet1host-only mode
SCADA HMI
vmnet2Isolated
host-only
Simulated cyber-physical systems
The Logging Layer
Honeynet and SCADA HMI Logging
Anomaly Detection
Exposed Honeynet
Symbolic Cyber-Physical Honeynet (SCyPH) Framework
Design Principles:● All components are modular● HMI interaction is coupled with the simulated physical
modelo multiple HMI’s all reflect one overall physical model
● Layers are strictly partitioned
Symbolic Cyber-Physical Honeynet (SCyPH) Framework
Designed to:● facilitate greater interactivity than existing cyber-
physical honeypots, o to entice more sophisticated threat actors
● be easier to expand upon● present data in a higher order representation.
o physics anomalies presented with corresponding network traffic
Infrastructure Modeling Layer
Symbolic data flow model which simulates the physical parts of a cyber-physical system,
● Provides realistic stimuli to HMI = believable target● Based on Kahn Process Network (KPN)
o Many engineering models based on KPN model
IML’s data flow model defines a process by a set of signals, actors, and firing rules.
Any questions?
Referenceshttp://www.cs.fsu.edu/~burmeste/pubs.html