
7 ICS cyber security: modelling techniques and tools

7.4 Petri nets

7.4.1 A SCADA network attack model

Consider operations against target networks characterized in terms of attack steps, where each step accomplishes one or more of the following [33]:

1. improved knowledge of the target network through reconnaissance,

2. access to one or more hosts on the network through exploitation of a software vulnerability or the deception of a legitimate user,

3. increased privilege on one or more hosts on the network through exploitation of a software vulnerability or the deception of a legitimate user,

4. the establishment of sustainable access to one or more hosts on the network by, for example, installing a back door, or

5. viewing, stealing, manipulating, or preventing legitimate access to protected information.

A PN model for such a network attack scenario is displayed in Figure 7.4. In the model, each attack step is represented by a transition; arrows pointing in from places represent preconditions, and arrows pointing out to places represent postconditions. The places in the PN of Figure 7.5 represent host attributes in the network being modelled. The attributes and associated places in Figure 7.5 include privilege levels (user_i, root_i), services (ftpd_i), trust relationships (trust_i) and connectivity (link_i).


Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx

Final version Page 90 on 153

P_h is the set of places corresponding to host h. To represent the fact that h has a particular attribute, the corresponding place is marked by a token. Thus P_h represents the attributes that host h can have, and the marked places in P_h represent the attributes that h actually does have. For example, the place ftpd_1 ∈ P_h1 is marked by a token, indicating that host1 is running an ftp server, while the place ftpd_0 ∈ P_h0 is not marked, indicating that host0 is not running an ftp server.

For the purposes of attack analysis, transitions represent exploits of vulnerabilities such as buffer overflow (local_bof_i), ftp (ftp_rhost_i,j) and rsh (rsh_i,j). An exploit is understood as any action an attacker takes, including what would ordinarily count as legitimate use of resources, such as the use of rsh. For every exploit e there is a set of preconditions, represented by a set of places pre(e), and a set of postconditions, represented by a set of places post(e). In the example, a precondition for performing a local buffer overflow exploit is that the attacker has user access on the target host, and a postcondition is that the attacker has root access on the target host. Therefore, for each host h_i, user_i ∈ pre(local_bof_i) and root_i ∈ post(local_bof_i). The actual occurrence of an exploit is represented by the firing of the corresponding transition. The attack Petri net is auto-generated by an algorithm that executes in three phases: an initialization phase and two processing phases. The initial marking m_0 of the net indicates the conditions that have been met before any transition in T has fired.

The SCADA network on which the attack Petri net model has been built comprises a data historian, a human-machine interface (HMI), an engineering workstation, a master terminal unit (MTU), three remote terminal units (RTUs) and two programmable logic controllers (PLCs), as shown in Figure 7.6. The MTU communicates with the RTUs and IEDs via a radio serial link (RSL), the maintenance server is accessible via dial-up modem from the public switched telephone network (PSTN), and all other communication is conducted over TCP/IP on Ethernet. In one modelled configuration, a firewall (FW) controls traffic between the SCADA network, the corporate network (LAN) and the maintenance network. In alternative configurations the historian and workstations are also isolated by the firewall, that is, they reside in separate so-called “demilitarized zones” (DMZs).

Figure 7-6 Sample SCADA network [33]

Figure 7.7 illustrates the PN model of remote manual operation of a valve.

To open the valve, an operator must issue an open command at the HMI, and the valve’s state at the HMI must be closed. If these preconditions are met, the HMI relays the command to the MTU via the Ethernet connection, the MTU communicates the command to the appropriate RTU via the RSL, the RTU driver delivers power to actuate the valve, and the open state is then registered at the RTU and relayed back to the HMI through the MTU. Of the large number of possible process failures, [33] discusses six in detail by describing the corresponding component failure, the state of the process at the time of failure and the resulting impact.

Each process failure is related to a set of SCADA attacks, where each SCADA attack has the same result as the induced process failure but is caused by an attack on the SCADA computing infrastructure. Moreover, for each process failure the authors assign a measure of its severity in terms of the expected number of personnel injuries due to inhalation of, or skin irritation by, ammonia. They relate this process failure and its associated consequence to a set of attacks on the SCADA system, as shown in Figure 7.8.

Figure 7-7 Remote Manual Operation [33]

In failure mode (FM) 1.1 the attacker gains user privileges on the HMI and issues a command to open the valve v11 before the execution of Task 4, so that ammonia discharges into the dilution drum.


Figure 7-8 Attack-induced Process Failures [33]

A similar but possibly more devastating attack can occur in FM 1.2, when an attacker gains root privileges on the HMI, opens valve v11 before Task 4 and spoofs a closed state for v11. This attack gives the legitimate HMI operator the impression that the process state is correct for the task at hand and can increase the amount of ammonia discharged; as a result, the expected number of injuries doubles. A third attack (FM 1.3) targets the MTU and has the same effects as the HMI super-user attack.

Using coverability analysis, the authors can determine all of the resources an attacker can acquire in the SCADA network. The SCADA attack set maps those sets of resources to the SCADA failure modes that the attacker can induce, and the system model analyses the impact of each such failure mode.
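The host-attribute attack net of 7.4.1 and the coverability step just described, worked through in Python as an added example (not code from the deliverable or from [33]): the hosts, links, services and the failure-mode table are constructed for illustration, and the pre/post sets of local_bof, ftp_rhost and rsh are assumed. Because an attack net never removes tokens, the set of coverable markings is the closure of m_0 under firing, which is all the example computes.

```python
# Added example, not code from the deliverable or [33]: hosts, links, services and
# the failure-mode table are constructed; the exploits' pre/post sets are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Exploit:          # transition e with its pre(e) and post(e) place sets
    name: str
    pre: frozenset
    post: frozenset

def generate_net(hosts, links):
    """Auto-generate T: local_bof_i per host, ftp_rhost_ij and rsh_ij per linked pair."""
    T = []
    for i in hosts:
        # local buffer overflow: user access on i yields root on i
        T.append(Exploit(f"local_bof_{i}", frozenset({f"user_{i}"}), frozenset({f"root_{i}"})))
        for j in hosts:
            if i == j or (i, j) not in links:
                continue
            # ftp .rhosts overwrite: user on i, ftpd on j and link i->j make j trust i
            T.append(Exploit(f"ftp_rhost_{i}_{j}",
                             frozenset({f"user_{i}", f"ftpd_{j}", f"link_{i}_{j}"}),
                             frozenset({f"trust_{j}_{i}"})))
            # rsh: trust j->i plus the link gives user access on j
            T.append(Exploit(f"rsh_{i}_{j}",
                             frozenset({f"user_{i}", f"trust_{j}_{i}", f"link_{i}_{j}"}),
                             frozenset({f"user_{j}"})))
    return T

def coverability(m0, T):
    """Attack nets are monotone (a gained attribute is never lost), so the largest
    coverable marking is the closure of m0 under firing; also returns the attack path."""
    marking, fired, changed = set(m0), [], True
    while changed:
        changed = False
        for e in T:
            if e.pre <= marking and not e.post <= marking:   # enabled and still useful
                marking |= e.post
                fired.append(e.name)
                changed = True
    return frozenset(marking), fired

def induced_failure_modes(marking, fm_table):
    # a failure mode is inducible once every resource it needs is in the marking
    return sorted(fm for fm, need in fm_table.items() if need <= marking)

# Constructed topology: attacker has user on the workstation, HMI and MTU run ftpd,
# and the firewall permits only ws->hmi and hmi->mtu traffic.
HOSTS, LINKS = ("ws", "hmi", "mtu"), {("ws", "hmi"), ("hmi", "mtu")}
M0 = frozenset({"user_ws", "ftpd_hmi", "ftpd_mtu", "link_ws_hmi", "link_hmi_mtu"})
# Constructed table: FM 1.1 needs user on the HMI, FM 1.2 root on the HMI; FM 1.3
# targets the MTU and is assumed here to need root on it.
FM_TABLE = {"FM 1.1": {"user_hmi"}, "FM 1.2": {"root_hmi"}, "FM 1.3": {"root_mtu"}}
```

Re-running with the hmi->mtu link removed from LINKS shows the value of the analysis as a design check: the coverable marking then contains nothing on the MTU and FM 1.3 drops out of the inducible set.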