
PREEMPTIVE
Preventive methodology and tools to protect utilities
http://preemptive.eu/

Ignasi Cairó, 15 October 2015, Brussels

Main goal

The main goal of PREEMPTIVE is to provide an innovative solution for enhancing existing procedures and methods and conceiving tools to prevent cyber attacks that target utility companies relying heavily on industrial networks and automated control systems. PREEMPTIVE addresses, in particular, the prevention of cyber attacks against hardware and software systems such as DCS, SCADA, PLC, networked electronic sensing, and monitoring and diagnostic systems used by the utilities' networks.

Innovative Breakthroughs

The key innovation proposed in PREEMPTIVE is to face cyber attacks by adopting a dual approach, with techniques that take into account industrial process behaviour (IPB) and communication and software related threats (CATh). "(Industrial) process misbehaviours take place when an attacker gains user access rights and performs actions which look legitimate, but which are intended to disrupt the industrial process."

1. To enhance existing methodological security and prevention frameworks with the aim of harmonizing Risk and Vulnerability Assessment methods, standard policies, procedures and applicable regulations or recommendations to prevent cyber attacks. The proposed PREEMPTIVE methodology will take into account the envisaged innovative technological solutions for preventing and detecting zero-day attacks.
2. To define guidelines for improving Critical Infrastructure (CI) surveillance.
3. To design and develop prevention and detection tools compliant with the dual approach, which takes into account both industrial process misbehaviour analysis (physical domain) and communication and software anomalies (cyber domain):
   4. Industrial process misbehaviour detection.
   5. Communication and software related threats prevention and detection.

[Figure: industrial networks and control center, model & simulation; common to electricity, water and gas; electrical power grid]

Industrial networks vulnerabilities

Industrial networks are subject to several types of vulnerabilities. The most common include:

• Misconfiguration of software and devices
• Weak passwords
• Device communications not encrypted/authenticated
• Systems not patched frequently
• 0-day vulnerabilities
• Subnetworks not properly isolated/segmented and monitored
• Common operating systems used, inheriting their weaknesses
• Ad-hoc created malware

We will use these vulnerabilities to simulate cyber attacks against an industrial network.

Tools/Techniques

• Performing penetration tests: Kali Linux
• Network scanning (large networks / single spots): Nmap

In this way we can discover:
• what hosts are active on the network,
• what services (application name and version) those hosts are offering,
• what operating systems (and OS versions) they are running,
• what type of packet filters / firewalls are in use.

Other tools relating to PLCs detect Modbus/TCP ports, etc.

Tools/Techniques

Other tools that we can use to acquire information are Wireshark (network sniffer) and Nessus / OpenVAS (vulnerability scanners). All the information acquired will be used to attack the network with the following tools:

Hydra is a parallelized login cracker which supports numerous protocols. It is very fast and flexible and allows easily gaining unauthorized access to a system remotely using a brute-force or dictionary attack.

SQLmap is one of the most effective penetration testing tools; it automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

Metasploit Framework is a powerful tool that helps to simplify the exploitation of a remote target machine.

Tools/Techniques

1. Simulate a man-in-the-middle attack where we can inject commands to an IED.
2. Modify certain values transmitted from/to an RTU in order to manipulate them (the variables we should manipulate have to be derived from the process we are simulating).
3. Use a fuzzer to send malformed packets to field devices and see how they react (e.g. if they fail).
4. Use malware that can be stored on a USB stick and infect a SCADA server, making it send strange commands to field devices (e.g. opening a switch).

Attacks against internal database
[Figure: attack against the internal database]

Attacks against PLC/IEDs
[Figure: attack against PLC/IEDs]

Attack Strategies

• Attacking the network from the outside, using spear phishing / SQL injection / brute force / other techniques to penetrate.
  – Then we can use just a simple backdoor to maintain the access to the infected machines [@elisa].
• Attacking the network from the inside: infected USB stick [@elisa].
• Attacking the network by obtaining physical access to the RTU.
  – e.g. attack scenario (proposed by IREC) inside slide 6

Attacking the network obtaining physical access to the RTU

[Figure: microgrid model with CB, WT, PV, Load, SG and transformer; secondary controller (AGC); voltage inside operating limits]

Simulation results (Matlab / DigSilent):
• Normal case: balance is restored.
• Attack: frequency stabilizes to a higher setpoint but inside the tripping limits of breakers; the system works insufficiently and more energy is lost.
[Plots: Frequency (Normal Case / Attack); Mechanical & Electrical Power, Torque (Normal Case / Attack)]

[Figure: testbed architecture: IREC microgrid data concentrator and Modbus TCP/IP server, local controller, LOG parser, VITRO EMS (SCADA, with forecasts on txt), DSO forecasts gateway PC (XML traffic), Modbus traffic, metering raw data (*.txt), bus (V, P, Q, f, Ph); interfacing simulation and measurement (without DER: 1 month; with DER: 1 day); injection points for malicious attacks and programming attack]

Detection methodologies

"The first step for the implementation of an anomaly detection system based on negative selection (an Artificial Immune System) is the characterization of normality."

Anomaly detection

Special common features of Critical Infrastructures (CI):
• Time series
• Periodicity (day, week, year pattern)
• Few consumption patterns
• Topology changes (discrete changes)

Normality in this case is strongly dependent on WHO and WHEN:
• cross checking
• subspaces (season, type of day)
• vertical, horizontal, similar comparison
• gathering if labeling is available (type and/or point of measurement)

Definition of normality

• In essence, normality is defined upon the concept of similarity.
• Similarity is quantified through suitable metrics.
• Comparison is made among elements that have shown to be similar or should be similar: it must be made within a subset.
• Different criteria to define the subset allow implementing independent crossed detections:
  – Instant snapshot of the whole (and/or a subset) with respect to "similar instants".
  – Each detector with respect to itself in "similar moments" (for instance, daily pattern).
  – Among "similar detectors" (for instance, domestic consumption, industrial consumption).
  – Clustering ("similar measurement points").

Applied examples

IREC I: Electrical data
• ~20 min
• Time resolution: one second
• 300 RTUs
• Simulated, one set with anomaly
• PCA
• No periodicity
• Continuity in reduced space
• "Horizontal" (each point represents one instant)
• V-detector train and test (Zhou Ji, Dipankar Dasgupta)
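The crossed detections described above (a detector against itself at similar moments, and against similar detectors at the same instant, inside a type-of-day subspace), as an added example that is not the IREC V-detector or any PREEMPTIVE code; the consumption data, detector names, 5% scale floor and threshold of 3 MAD units are all constructed assumptions.

```python
from statistics import median

# Constructed hourly consumption (kW) for two groups of "similar detectors";
# synthetic data standing in for the IREC electrical data set.
GROUPS = {"dom-1": "domestic", "dom-2": "domestic", "dom-3": "domestic",
          "dom-4": "domestic", "ind-1": "industrial", "ind-2": "industrial",
          "ind-3": "industrial", "ind-4": "industrial"}
BASE = {"domestic": 2.0, "industrial": 20.0}
# Daily shape differs by type of day: this is the "subspace" normality lives in.
SHAPE = {"weekday": {8: 1.0, 12: 0.6, 20: 1.5},
         "weekend": {8: 0.4, 12: 0.8, 20: 1.2}}

def day_type(day):
    return "weekend" if day % 7 in (5, 6) else "weekday"

def reading(det, day, hour):
    """Synthetic measurement: group base x daily shape plus deterministic jitter."""
    jitter = ((day * 7 + hour * 3 + sum(map(ord, det))) % 5 - 2) * 0.05
    return BASE[GROUPS[det]] * (1 + SHAPE[day_type(day)][hour]) + jitter

def robust_z(value, peers):
    """Distance from the peers' median in MAD units; the 5% floor on the
    scale stops a flat subset from turning ordinary jitter into an alert."""
    m = median(peers)
    mad = median(abs(p - m) for p in peers)
    return (value - m) / (1.4826 * max(mad, 0.05 * abs(m)))

def crossed_detection(det, day, hour, value, history_days=28, threshold=3.0):
    """Two independent checks on one observation, as in the slides:
    vertical   - the detector against itself at similar moments
                 (same hour, same type of day, over the history window);
    horizontal - the detector against similar detectors (same group)
                 at the same instant."""
    vertical_peers = [reading(det, d, hour)
                      for d in range(day - history_days, day)
                      if day_type(d) == day_type(day)]
    horizontal_peers = [reading(other, day, hour)
                        for other, g in GROUPS.items()
                        if g == GROUPS[det] and other != det]
    zv, zh = robust_z(value, vertical_peers), robust_z(value, horizontal_peers)
    return {"vertical": abs(zv) > threshold, "horizontal": abs(zh) > threshold,
            "z_vertical": round(zv, 2), "z_horizontal": round(zh, 2)}

if __name__ == "__main__":
    # A weekday-normal domestic value seen at a weekend instant: both checks fire.
    print(crossed_detection("dom-1", 33, 8, 4.0))
```

The same 4.0 kW that is normal on a weekday morning is flagged by both checks on a weekend morning, which is the "WHEN" dependence the slides stress.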

A Network Intrusion Detection System (NIDS) identifies attacks by monitoring the traffic over a network.

[Figure: lab network with subnets 10.10.0.0/16, 10.20.0.0/16, 10.30.0.0/16 and 10.40.0.0/16, PLC and RTU hosts, and a network sniffer on each segment]

16-Sep-2015, WP7 General Meeting, Rome

Indicators of compromise (IoC)

Some examples:

• Modbus provides (not commonly used) diagnostic functions that are able to reset a device registry.
  IoC: monitor the presence of function code 08 to check for the presence of an attacker trying to change a device's behaviour.
• GOOSE has sequential values for the field StNum.
  IoC: monitor non-sequential values for the StNum field, which might indicate the presence of a spoofing attack.
• DNP3 provides the DFC flag that, if set to 1, indicates a device is busy, hence the master will not communicate with it.
  IoC: monitor a high frequency of DFC=1, which might indicate the presence of a DoS attack.
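The three indicators above as detection logic run over a constructed sample of decoded Modbus, GOOSE and DNP3 records; this is an added example, not the PREEMPTIVE tool, and the record field names, the 10 s window and the count threshold are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of decoded ICS traffic (not a real capture); each record
# is the kind of summary a protocol dissector would hand to a NIDS rule.
RECORDS = [
    {"ts": 0.0, "proto": "modbus", "src": "hmi-1", "fc": 3},     # read registers
    {"ts": 1.0, "proto": "modbus", "src": "hmi-1", "fc": 8},     # diagnostics
    {"ts": 2.0, "proto": "goose", "src": "ied-1", "stnum": 41},
    {"ts": 2.1, "proto": "goose", "src": "ied-1", "stnum": 41},  # retransmission
    {"ts": 2.5, "proto": "goose", "src": "ied-1", "stnum": 42},  # state change
    {"ts": 2.6, "proto": "goose", "src": "ied-1", "stnum": 7},   # out of sequence
    {"ts": 3.0, "proto": "dnp3", "src": "rtu-2", "dfc": 1},
    {"ts": 4.0, "proto": "dnp3", "src": "rtu-2", "dfc": 1},
    {"ts": 5.0, "proto": "dnp3", "src": "rtu-2", "dfc": 0},
    {"ts": 6.0, "proto": "dnp3", "src": "rtu-2", "dfc": 1},
    {"ts": 7.0, "proto": "dnp3", "src": "rtu-2", "dfc": 1},
    {"ts": 30.0, "proto": "dnp3", "src": "rtu-2", "dfc": 1},     # outside window
]

def modbus_diag_alerts(records):
    """Modbus: report every use of diagnostic function code 08."""
    return [(r["ts"], r["src"]) for r in records
            if r["proto"] == "modbus" and r["fc"] == 8]

def goose_stnum_alerts(records):
    """GOOSE: per publisher, stNum may repeat (retransmission) or step by
    exactly one (new state); any other jump is reported as a possible spoof.
    Counter wrap-around is ignored in this example."""
    last, alerts = {}, []
    for r in (x for x in records if x["proto"] == "goose"):
        prev = last.get(r["src"])
        if prev is not None and r["stnum"] not in (prev, prev + 1):
            alerts.append((r["ts"], r["src"], prev, r["stnum"]))
        last[r["src"]] = r["stnum"]
    return alerts

def dnp3_dfc_alerts(records, window=10.0, limit=3):
    """DNP3: report an outstation asserting DFC=1 more than `limit` times
    within a sliding `window` of seconds (possible DoS on the outstation)."""
    recent, alerts = defaultdict(deque), []
    for r in (x for x in records if x["proto"] == "dnp3" and x["dfc"] == 1):
        q = recent[r["src"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:      # drop timestamps older than the window
            q.popleft()
        if len(q) > limit:
            alerts.append((r["ts"], r["src"], len(q)))
    return alerts

def run_all(records):
    return {"modbus_fc08": modbus_diag_alerts(records),
            "goose_stnum": goose_stnum_alerts(records),
            "dnp3_dfc": dnp3_dfc_alerts(records)}
```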

Project outcome

• Detection and prediction tool based on a dual approach: low-level direct detection and process misbehaviour detection.
• Correlation of events/alarms coming from network, host and process detection tools to detect and prevent cyber attacks.
• Laboratory real/virtual environment based on electricity.
• Availability of real SCADA data on an operational plant.
• Knowledge of the operational process.

PREEMPTIVE software prototype

Thank you for your attention!

Ignasi Cairó
Principal Investigator (IREC)
