5 ICS cyber threats, vulnerabilities and attacks
5.4 Typical attacks
5.4.1 Targeted and flood based cyber attacks
Targeted Cyber Attack Types: Malicious attackers can launch targeted attacks such as sniffing packets at an Internet service provider (ISP) or carrier and then maliciously modifying the packets in the network to achieve the expected results. They could proactively exploit software bugs and other vulnerabilities in various systems, either in the corporate network or in the SCADA network, to gain unauthorized access to places such as control center networks, SCADA systems, interconnections, and access links. Openly available vendor documentation for proprietary CI (e.g., power system) control software also makes such systems vulnerable to software exploits. They could configure unauthorized access points to send false information to confuse the SCADA systems in order to trigger unwanted countermeasures. They could target RTUs, intelligent electronic devices (IEDs), uplink connections, and other physical entities to disrupt services. They could exploit the deterministic nature of Inter-Control Center Communications Protocol (ICCP) messaging to achieve the desired effects on the SCADA network and on the CI (e.g., the electric grid).

Flood-based Cyber Attack Types: Cyber attacks based on denial of service (DoS) mechanisms, and others that spread through viruses and worms by causing a traffic avalanche within a short time, can potentially bring down systems and cause a disruption of services. There is no well-known, fool-proof defense against such cyber attacks in the computing literature; various effective ad-hoc solutions have been adopted on traditional computer networks. If the access links that connect the SCADA network to the Internet are swamped by heavy traffic caused by such attacks, it could prove disastrous, as the control and supervisory data (including alarms and IED data) flowing to the SCADA network could be lost in the network. The gateways or firewalls installed to monitor the incoming traffic could be overloaded by the large volume of attack traffic. Thus the ability of the SCADA network to respond to actual failures can be significantly affected. Also, the traffic flood could contain malicious ICCP messages that could confuse the SCADA systems to a great extent. There are many other avenues through which an attacker can execute a cyber attack in a manner that allows the attack to go undetected. Well-known techniques from the computing literature, e.g., source address spoofing or domain name system (DNS) cache poisoning, could also be tried, but the impact of these attacks is currently unknown and needs to be studied in greater detail.
5.4.2 Attacks on the Communication Stack
Some of the potential attacks harming a SCADA system are carried out through the communication stack, using the TCP/IP (Internet) reference model. In particular, these attacks involve different layers, such as the network, transport and application layers, or the implementation of the protocols themselves.
In the following we report some attacks that involve the network layer:
1. Diagnostic Server Attacks through a UDP port. Adversaries have access to the same debugging tools that any RTOS developer does. For example, the VxWorks RTOS debug service, which runs over UDP on port 17185, is enabled by default, so an attacker can execute the following attacks without any authentication.
Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx
Final version Page 51 on 153
2. Idle Scan: a blind port scan carried out by bouncing packets off an idle “zombie” host, often as preparation for an attack. Both MODBUS and DNP3 have scan functionalities prone to such attacks when they are encapsulated to run over TCP/IP.
3. Smurf: a type of address-spoofing attack, implemented by sending a continuous stream of modified ICMP packets to the target network with a source address identical to that of one of the target computers. In the context of SCADA systems, if a PLC acts on the modified message, it may either crash or dangerously send out wrong commands to actuators.
4. ARP Spoofing/Poisoning: ARP is primarily used to translate IP addresses into Ethernet MAC addresses and to discover the other devices connected to the LAN. An ARP spoofing attack modifies the cached address-pair information. By sending fake ARP messages containing false MAC addresses into a SCADA system, an adversary can confuse network devices such as switches. When frames are consequently delivered to another node, packets can be sniffed; when they are deliberately delivered to a host connected to different actuators, physical disasters of different scales can be initiated. Static IP/MAC address pairs are one countermeasure; however, certain network switches do not allow a static setting for a MAC/IP address pair. Segmentation of the network may also alleviate the problem, in that such attacks can only take place within the same subnet.
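The two symptoms a monitor on the SCADA LAN can look for are an IP address being announced with a MAC that differs from the operator's inventory (the static pairs the text recommends) and one MAC claiming several IP addresses. The following detector is an added example, not code from the CockpitCI report; the ARP records and the KNOWN_BINDINGS inventory are constructed sample data.

```python
"""Detect symptoms of ARP spoofing/poisoning from observed ARP replies.

Added example for the ARP discussion; it is not code from the CockpitCI
report. Each record is constructed sample data in the form
(timestamp, sender_ip, sender_mac), i.e. the sender fields of an ARP reply
captured on the SCADA LAN. KNOWN_BINDINGS is a hypothetical operator
inventory of the static IP/MAC pairs the text recommends.
"""
from collections import defaultdict

KNOWN_BINDINGS = {
    "10.0.0.5": "aa:aa:aa:aa:aa:05",   # PLC driving the actuators
    "10.0.0.6": "aa:aa:aa:aa:aa:06",   # HMI
}

# Constructed capture: genuine replies, then a third station that first
# claims the PLC's address and then also the HMI's address.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.5", "aa:aa:aa:aa:aa:05"),
    (2.0, "10.0.0.6", "aa:aa:aa:aa:aa:06"),
    (3.0, "10.0.0.5", "aa:aa:aa:aa:aa:05"),
    (4.0, "10.0.0.5", "DE:AD:BE:EF:00:01"),
    (5.0, "10.0.0.6", "de:ad:be:ef:00:01"),
]


def detect_arp_anomalies(replies, known=KNOWN_BINDINGS):
    """Return alerts as (timestamp, kind, ip, mac) tuples, in capture order.

    kind is one of:
      binding_change - the IP was announced with a MAC that differs from the
                       inventory entry (or from the MAC first learned for it
                       when the IP is not in the inventory);
      mac_multi_ip   - one MAC has now claimed more than one IP address, the
                       pattern of a host impersonating several peers at once.
    """
    alerts = []
    learned = {ip: mac.lower() for ip, mac in known.items()}
    ips_per_mac = defaultdict(set)
    for ts, ip, mac in replies:
        mac = mac.lower()                      # normalise case before comparing
        expected = learned.get(ip)
        if expected is None:
            learned[ip] = mac                  # first sighting: learn, do not alert
        elif expected != mac:
            alerts.append((ts, "binding_change", ip, mac))
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append((ts, "mac_multi_ip", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(alert)
```

The inventory is never overwritten by a conflicting reply, so every further claim for a protected IP keeps raising an alert rather than being silently learned. The mac_multi_ip rule will also fire for legitimate hosts that hold several IP aliases, so such hosts should be listed in the inventory under each of their addresses before the rule is trusted.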
5. Chain/Loop Attack: In a chain attack, there is a chain of connections through many nodes, as the adversary moves across multiple nodes to hide his origin and identity. In a loop attack, the chain of connections forms a loop, making it even harder to track down his origin in a wide SCADA system.
Regarding the attacks that involve the transport layer, SCADA protocols, particularly those running on top of transport protocols such as TCP/IP, have vulnerabilities that could be exploited by an attacker through methods as simple as injecting malformed packets, causing the receiving device to respond or communicate in inappropriate ways and resulting in the operator losing complete view or control of the control device.
A representative example is the SYN flood, a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. A mitigation strategy for SYN flood attacks on SCADA systems is described in [16]; it is based on client puzzles that force clients, including attackers, to spend computational resources calculating the solution to a cryptographic puzzle or hash function. Once the client returns a valid solution, the connection is completed and data exchange begins.
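To make the client-puzzle idea concrete, the following added example shows both sides of a hash-based puzzle exchange. It is an illustration written for this page, not the scheme of [16] and not code from the report; the nonce format (timestamp plus HMAC tag), the leading-zero-bits difficulty measure and the address binding are design choices assumed here. The point a defender cares about is that the server keeps no per-client state until a valid solution arrives, so a flood of half-open requests costs it only one HMAC each.

```python
"""Hash-based client puzzle of the kind the text describes for SYN-flood
mitigation. Added example; not the scheme of [16] and not the report's code.

Exchange (both sides shown):
  1. server -> client: (nonce, difficulty). The nonce is timestamp || HMAC
     over (client address, timestamp) under a server secret, so the server
     can recognise its own nonces later without storing them, and a nonce
     issued to one address is useless from another.
  2. client -> server: (nonce, solution) where
     SHA-256(nonce || solution) has at least `difficulty` leading zero bits.
  3. server checks that the nonce is genuine and unexpired, re-hashes once,
     and only then allocates connection state.
"""
import hashlib
import hmac
import os
import struct
import time


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a big-endian digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


class PuzzleServer:
    def __init__(self, difficulty=16, ttl=30.0, secret=None):
        self.secret = secret or os.urandom(32)   # hypothetical per-server secret
        self.difficulty = difficulty             # raise under load, lower when idle
        self.ttl = ttl                           # seconds a nonce stays valid

    def _tag(self, client_addr: str, ts: int) -> bytes:
        msg = ("%s|%d" % (client_addr, ts)).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def issue(self, client_addr: str, now=None):
        """Step 1: build a stateless 24-byte nonce for this client address."""
        ts = int(now if now is not None else time.time())
        nonce = struct.pack(">Q", ts) + self._tag(client_addr, ts)
        return nonce, self.difficulty

    def verify(self, client_addr: str, nonce: bytes, solution: bytes, now=None) -> bool:
        """Step 3: accept only a genuine, unexpired nonce with a valid solution."""
        if len(nonce) != 24:
            return False
        ts = struct.unpack(">Q", nonce[:8])[0]
        current = now if now is not None else time.time()
        if not (ts <= current <= ts + self.ttl):
            return False                         # expired or from the future
        if not hmac.compare_digest(self._tag(client_addr, ts), nonce[8:]):
            return False                         # not our nonce, or wrong address
        digest = hashlib.sha256(nonce + solution).digest()
        return _leading_zero_bits(digest) >= self.difficulty


def solve_puzzle(nonce: bytes, difficulty: int) -> bytes:
    """Step 2, client side: brute-force a counter until the hash qualifies."""
    counter = 0
    while True:
        solution = struct.pack(">Q", counter)
        if _leading_zero_bits(hashlib.sha256(nonce + solution).digest()) >= difficulty:
            return solution
        counter += 1


def handshake_demo(client_addr="192.0.2.10", difficulty=16) -> bool:
    """Run the whole exchange once; True means the connection would be completed."""
    server = PuzzleServer(difficulty=difficulty)
    nonce, diff = server.issue(client_addr)
    solution = solve_puzzle(nonce, diff)
    return server.verify(client_addr, nonce, solution)


if __name__ == "__main__":
    print("connection completed:", handshake_demo())
```

Verification costs the server one HMAC and one SHA-256 per attempt, while each client must average 2^difficulty hashes per connection, which is the asymmetry the mitigation relies on. Because the nonce carries its own timestamp and tag, a replayed or fabricated nonce is rejected before any hashing of the solution is done.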
Moving on to the application layer, it is important to remark that currently there is no strong security control in the protocols used in SCADA systems. In practice there is no authentication of source or data, so those who have access to a device through a SCADA protocol can often write as well as read. The write access and diagnostic functions of these protocols are particularly vulnerable to cyber and cyber-induced physical attacks. Next, we list potential attacks associated with more SCADA-specific protocols:
1. DNS forgery: sends a fake DNS reply with a matching source IP, destination port and request ID, but with attacker-manipulated information inside, so that this fake reply may be processed by the client before the real reply is received from the real DNS server.
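A forged reply that wins the race leaves a trace: the genuine reply still arrives a moment later for the same client port and transaction ID, carrying a different answer. The following added example (not code from the report) flags that pattern over a constructed set of reply records; a monitor cannot tell which of the two answers was genuine, so it reports both.

```python
"""Flag DNS replies that look like a forgery race: for one outstanding query,
identified by (client port, transaction id, question name), more than one
reply arrives within a short window and the answers disagree.

Added example for the DNS forgery item; not code from the report. Records are
constructed sample data of the form
(timestamp, client_port, txid, qname, answer_ip, reply_src_ip).
"""

SAMPLE_REPLIES = [
    (0.00, 40001, 0x1A2B, "hmi.site.example",       "10.0.1.20",   "10.0.0.53"),
    (0.10, 40002, 0x3C4D, "historian.site.example", "203.0.113.9", "10.0.0.53"),  # arrives first: forged
    (0.12, 40002, 0x3C4D, "historian.site.example", "10.0.1.30",   "10.0.0.53"),  # genuine reply, too late
    (0.20, 40003, 0x5E6F, "historian.site.example", "10.0.1.30",   "10.0.0.53"),  # later query, one reply
    (5.00, 40003, 0x5E6F, "historian.site.example", "10.0.1.30",   "10.0.0.53"),  # duplicate, same answer
]


def detect_reply_races(replies, window=2.0):
    """Return one alert per (port, txid, qname) that received conflicting
    answers within `window` seconds of each other. Both answers are reported,
    since the detector cannot know which one was genuine."""
    first_seen = {}   # (port, txid, qname) -> (timestamp, answer_ip, reply_src_ip)
    alerts = []
    for ts, port, txid, qname, answer, src in replies:
        key = (port, txid, qname)
        prev = first_seen.get(key)
        if prev is None:
            first_seen[key] = (ts, answer, src)    # first reply for this query
            continue
        prev_ts, prev_answer, prev_src = prev
        if ts - prev_ts <= window and prev_answer != answer:
            alerts.append({
                "qname": qname,
                "txid": txid,
                "answers": [prev_answer, answer],
                "delta_ms": round((ts - prev_ts) * 1000, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_reply_races(SAMPLE_REPLIES):
        print(alert)
```

A duplicate reply with the same answer (record 5) is not flagged, since retransmissions are normal; only disagreeing answers for the same query within the window are. On a hit, the defensive response is to discard the cached entry and re-query rather than trust either answer.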
2. MODBUS: a de facto standard application-layer protocol used in industrial networks. The lack of encryption or any other security measure in MODBUS exposes the protocol to different vulnerabilities, which have been analyzed in [17]. One of them, Force Single and Multiple Coils, consists of manipulating a MODBUS frame by changing the function code in order to switch off remote devices and suppress output, thus creating a false picture of the situation at the HMI side. It follows that attacks can include DoS (e.g., rebooting Modbus servers), reconnaissance (e.g., unauthorized reading of data and gathering of device information), and unauthorized write requests.
3. DNP3: a set of communications protocols used between components in process automation systems, specifically designed for use in SCADA applications [18]. Due to its lack of security, it suffers from the same weaknesses as MODBUS.
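Because MODBUS carries no authentication, the only place to catch the three attack classes just listed (unauthorized writes such as Force Single/Multiple Coils, diagnostics that can restart a server, and device reconnaissance) is in the traffic itself, by looking at the function code and the source of each request. The following added example does that for Modbus/TCP; it is neither the analysis of [17] nor code from the report, covers Modbus/TCP only (not DNP3), and all frames are constructed sample data.

```python
"""Audit Modbus/TCP requests for the attack classes named in the text:
unauthorized writes (e.g. Force Single/Multiple Coils), diagnostics that can
restart a server, and device reconnaissance, plus malformed frames.

Added example for the MODBUS/DNP3 discussion; it is neither the analysis of
[17] nor code from the report, and it covers Modbus/TCP only. All frames are
constructed sample data. Modbus/TCP frame layout (big-endian):
  MBAP header: transaction id (2) | protocol id = 0 (2) | length (2) | unit id (1)
  PDU:         function code (1) | data (...)
where the length field counts the unit id plus the PDU.
"""
import struct

# Public function codes from the Modbus Application Protocol specification.
READ_FUNCS = {1, 2, 3, 4}
WRITE_FUNCS = {5, 6, 15, 16, 23}   # 5 = Write (Force) Single Coil, 15 = Write Multiple Coils
DIAG_FUNCS = {8}                   # Diagnostics; sub-function 1 = Restart Communications Option
IDENT_FUNCS = {17, 43}             # Report Server ID, Encapsulated Interface (Read Device Id)


def build_request(tid, unit, func, data, proto=0):
    """Assemble a Modbus/TCP request frame."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, proto, len(pdu) + 1, unit) + pdu


def parse_request(frame):
    """Split a frame into MBAP/PDU fields; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match frame" % length)
    return {"tid": tid, "unit": unit, "func": frame[7], "data": frame[8:]}


def classify(func):
    """Map a function code to the access class it grants."""
    if func in WRITE_FUNCS:
        return "write"
    if func in DIAG_FUNCS:
        return "diagnostic"
    if func in IDENT_FUNCS:
        return "identification"
    if func in READ_FUNCS:
        return "read"
    return "other"


def audit(flows, writers):
    """flows: iterable of (src_ip, frame). writers: IPs permitted to write or
    run diagnostics (normally only the HMI/master). Returns (src, kind, detail)
    alerts in flow order."""
    alerts = []
    for src, frame in flows:
        try:
            req = parse_request(frame)
        except ValueError as exc:
            alerts.append((src, "malformed", str(exc)))   # malformed-packet attacks
            continue
        kind = classify(req["func"])
        if kind in ("write", "diagnostic") and src not in writers:
            alerts.append((src, "unauthorized_" + kind, req["func"]))
        if kind == "diagnostic" and req["data"][:2] == b"\x00\x01":
            alerts.append((src, "restart_request", req["func"]))   # would reboot the server
        if kind == "identification":
            alerts.append((src, "device_enumeration", req["func"]))
    return alerts


# Constructed traffic: the HMI (authorized master) and a rogue station.
HMI, ROGUE = "10.0.0.6", "10.0.0.99"
_good = build_request(6, 1, 3, b"\x00\x00\x00\x0a")
SAMPLE_FLOWS = [
    (HMI,   build_request(1, 1, 5, struct.pack(">HH", 0x0013, 0xFF00))),       # HMI forces coil 19 ON
    (ROGUE, build_request(2, 1, 3, struct.pack(">HH", 0x0000, 0x000A))),       # rogue reads 10 registers
    (ROGUE, build_request(3, 1, 15, struct.pack(">HHB", 0, 8, 1) + b"\x00")),  # rogue forces 8 coils OFF
    (ROGUE, build_request(4, 1, 8, b"\x00\x01\x00\x00")),                      # rogue requests comms restart
    (ROGUE, build_request(5, 1, 43, b"\x0e\x01\x00")),                         # rogue reads device identification
    (ROGUE, _good[:4] + struct.pack(">H", 99) + _good[6:]),                    # length field corrupted
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS, {HMI}):
        print(alert)
```

The HMI's own coil write produces no alert, so the allow list, not the function code alone, decides what is unauthorized; reads from the rogue station are deliberately left silent here, since read access is usually open in these networks and would swamp the output, but the classify() result is available for a stricter policy.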
In the following, some attacks on protocol implementations are presented:
1. TCP/IP: protocol implementations on Windows-based machines exhibit vulnerabilities that can be exploited on machines that are not up to date with patches. An example is the DoS attack named WinNuke, which sends a string of OOB (out of band) data to the target computer in a TCP segment, causing it to crash. This may not damage or change the data on the computer's hard disk, but any unsaved data is lost and the machine has to be restarted.
2. OPC: a series of standard specifications for use in process control and manufacturing automation applications, intended to facilitate interoperability between software applications and process hardware. These protocols present different vulnerabilities. An example is the opportunistic DoS attack [19], in which malware installed on a machine of the company network begins to search for OPC targets. When it detects any OPC servers on the control system, it can attack any vulnerable applications using the OPC vulnerabilities. Once this happens, the OPC server becomes unavailable and may require anything from a simple reboot to a complete software re-installation and configuration to recover.
3. ICCP: a protocol used by utility organizations throughout the world to provide data exchange over WANs among utility control centers, utilities, power pools and regional control centers. The LiveData ICCP Server [20] implementation of the ISO Transport Service over TCP exhibits a heap-based buffer overflow that allows an attacker to execute arbitrary code or to crash the LiveData ICCP Server, causing a DoS.