Saturday, September 19, 2015

Low cost SCADA Assessment: First internal approach

Best things in life are for free. That's what they say and sometimes I agree.
I read a post from EduHacker about Google Fusion Tables and its network graph functionality, so I decided to give it a try.
I always try to quickly draw the traffic matrix of the network we are assessing, since the bandwidth between eyes and brain is the biggest you can get, and frankly most of the time I need it.

As ICS engineers we always use passive methods to assess a network, mirroring its traffic on a switch port. (By the way, this is a risky business, since you have to be completely sure the switch is not going to restart when you configure the mirror port.)
Once you have your mirror port you can plug in your laptop and begin gathering IP traffic. It is amazing what you can get in a few minutes.

I took a ten-minute pcap file from one of our last OASyS SCADA assessments and followed the instructions from the post I read.
First of all you have to convert your pcap file to comma separated values (CSV) to import it into a Google Fusion Table.
To do this I wrote a quick and dirty csh script (I know, but I am a classic, sir):

#!/bin/csh -f
###########################################################
#
# (c) 2015 - Kaostopper
#
# pcap_to_csv.csh: Quick and dirty way of getting a CSV file
#                  from a pcap file
#
# Enrique Martin Garcia
#
###########################################################

if ( $#argv != 1 ) then
  echo "Usage: $0 pcap_file"
  exit 1
endif

set fichero_pcap = "$1"
set TSHARK = /usr/local/bin/tshark

# CSV header. The last column is Wireshark's Protocol column (DNP 3.0,
# IEC 60870-5-104, DNS, ...), not the numeric IP protocol number.
echo "src_ip,src_port,dst_ip,dst_port,ip_proto"

# One pass for TCP and one for UDP. A packet of the other transport (or
# without ports at all, e.g. ICMP) leaves empty fields (",,"), so grep drops
# it. -n disables name resolution, so the assessment laptop sends no DNS
# queries of its own; sort -u leaves one line per unique tuple.
$TSHARK -n -r "$fichero_pcap" -T fields -E separator=, -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e _ws.col.Protocol | grep -v ",," | sort -u
$TSHARK -n -r "$fichero_pcap" -T fields -E separator=, -e ip.src -e udp.srcport -e ip.dst -e udp.dstport -e _ws.col.Protocol | grep -v ",," | sort -u

exit 0

You can use any other way to convert your pcap files, and you can choose any other fields, of course.
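As another way to do the conversion, here is an added example (not the script above and not part of the original post) in plain Python with no tshark dependency: it parses a classic libpcap file directly and emits the same CSV layout. It assumes Ethernet link type and IPv4 without VLAN tags, and since it does no dissection it labels the last column with the transport (TCP/UDP) instead of Wireshark's application protocol name. The capture it builds for itself is constructed sample data, not an assessment pcap.

```python
import csv
import io
import struct

PROTO_NAMES = {6: "TCP", 17: "UDP"}


def pcap_to_tuples(data):
    """Parse a classic pcap (not pcapng) of Ethernet frames and return the sorted set of
    (src_ip, src_port, dst_ip, dst_port, transport) tuples, like the csh script output."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng and nanosecond pcaps not handled)")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    tuples = set()
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Non-IPv4 frames (ARP, 802.1Q-tagged, IPv6) carry no ip.src: skip them
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        l4 = frame[14 + ihl:]
        # ICMP and other port-less protocols are dropped, as grep -v ",," did
        if proto not in PROTO_NAMES or len(l4) < 4:
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        sport, dport = struct.unpack("!HH", l4[:4])
        tuples.add((src, sport, dst, dport, PROTO_NAMES[proto]))
    return sorted(tuples)


def tuples_to_csv(tuples):
    """Same header as the csh script; the last column here is the transport,
    not Wireshark's dissected protocol name."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["src_ip", "src_port", "dst_ip", "dst_port", "ip_proto"])
    writer.writerows(tuples)
    return buf.getvalue()


# --- constructed sample capture (not a real assessment pcap) -------------------

def ipv4_frame(src, dst, proto, sport, dport):
    """Minimal Ethernet/IPv4/TCP-or-UDP frame; checksums are left at zero because
    the parser above never verifies them."""
    eth = b"\x00" * 12 + b"\x08\x00"
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return eth + ip + l4


def build_pcap(frames):
    """Little-endian pcap v2.4, LINKTYPE_ETHERNET, one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1442000000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    ipv4_frame("10.1.1.20", "10.1.1.10", 6, 51000, 20000),   # workstation -> DNP3 server
    ipv4_frame("10.1.1.20", "10.1.1.10", 6, 51000, 20000),   # duplicate, collapsed by the set
    ipv4_frame("10.1.1.20", "8.8.8.8", 17, 53123, 53),       # the kind of flow the post found
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,               # ARP request, no IP layer
])

if __name__ == "__main__":
    print(tuples_to_csv(pcap_to_tuples(SAMPLE_PCAP)), end="")
```

Run it as-is to see the CSV for the constructed capture, or replace SAMPLE_PCAP with `open("capture.pcap", "rb").read()`; files saved by Wireshark as pcapng must first be converted with `editcap -F pcap`.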
Be careful after uploading your CSV file to a Fusion Table: you have to change the type of the src_ip and dst_ip columns to Text, since the type guessed on import is not the right one for IP addresses.
To do so, click on the column header to access the change option:


Set the type to Text on both columns (src_ip and dst_ip).


With those two changes done, you can create your network graph:



As you can see, it was easy to detect a big misconfiguration in the Operation Workstation, which was trying to connect to the Google DNS servers (8.8.8.8 and 8.8.4.4). This came from a temporary relocation of the station due to civil works in the control room, but ...

You can play a lot with the other types of graph, but this one is very easy to get and you don't need any other tool.

Beware of the data you upload and do like me: I changed everything in the CSV file except the public Google addresses and the SCADA system name.

No more excuses not to keep a very simple but useful network diagram of your SCADA network up to date.

Saturday, September 12, 2015

Cyber physical attacks to critical infrastructure (Part I: Critical Infrastructure Systems domain)

Is it just another marketing trick from the ICS cyber security sector, or something to take care of?

Since the Aurora experiment of 2007, a cyber attack on a power generator staged to demonstrate that physical damage could be produced on assets remotely, this type of attack has materialized twice (as far as we know).

The first cyber-physical attack in history that was detected, documented and widely known among industrial cyber security professionals was STUXNET (2010). It marked the beginning of this discipline and of most critical infrastructure standards, as it demonstrated the enormous destructive power of malware aimed at destroying the uranium enrichment centrifuges that Iran would use in its production of nuclear weapons.

The second cyber attack with physical consequences occurred recently (end of 2014) in a German steel plant: after gaining access to the control network from the business network, the attackers prevented a graceful shutdown of a blast furnace, although its details and effects have not been studied in the same depth as in the case of STUXNET.

In 2015 the interest in attacks that alter the physical behaviour of the environment has increased, through experiments carried out on cars, medical instruments and numerous automation devices connected to the Internet.

At the last Black Hat USA 2015 and DEF CON 23 there were very interesting presentations on these cyber-physical attacks from Marina Krotofil and Jason Larsen, describing many of them.


This post and the next ones study the highest-impact (and therefore riskiest) attacks on cyber-physical systems in critical infrastructure control networks, and propose protection through changes in organizational structures and procedures and through new intrusion detection technologies based on behavioural analysis of control protocols and correlation of operational events.


Critical sector and critical infrastructure


To put into context the domain to protect from such attacks, we describe what is considered critical infrastructure in Europe and in Spain.
In January 2009 Council Directive 2008/114/EC of the European Union came into effect, establishing the need to identify Europe's critical infrastructures in order to design strategies to protect them.
The Directive requires the identification of infrastructures in the energy and transport sectors, leaving open the possibility for member states to identify additional critical sectors.

In December 2014 the European Union Agency for Network and Information Security (ENISA) published a guide for the identification of critical assets.
This guide showed the critical sectors already identified by the member countries of the Union, as can be seen in the following table:





Spain has identified twelve critical sectors:
  • Energy (With three subsectors: Electricity, Oil and Gas)
  • Nuclear
  • Economics (Finance and Tax Administration)
  • Water
  • Transportation (With three subsectors: air, sea and land)
  • Food
  • Information Technologies and Communications
  • Chemical
  • Health
  • Space
  • Public administration
  • Research

In each of these sectors a set of Critical Operators (OC) has been appointed or will be appointed in the near future: the owners or operators of infrastructures that provide essential services and whose attack could harm broad sectors of the population. This set of infrastructures shapes the domain we want to protect, and they share a number of common technical characteristics.

Technical characteristics. 


Many infrastructures classified as critical have a hybrid architecture, with classical information technology networks (IT network) and industrial control networks (OT network) managing the elements that interact with the physical environment (cyber-physical systems). A basic scheme of this type of infrastructure could be the following:
  
Cyber-physical systems control a particular process and are managed by networked systems; they operate according to the following basic scheme:


The sensors measure the process values at fixed intervals and send them to the control units, which decide which orders to send to the actuators so that the process stays within the values for which it was designed and behaves according to the original design.

Today all this control traffic has been migrating to TCP/IP networks and conventional operating systems, which has created attack surfaces that did not exist before.

The key characteristics of OT networks can be summarized as follows:
  • Fewer devices and services than IT networks.
  • They should never be directly connected to the Internet.
  • They execute repetitive operations between their nodes and systems.
  • They are very sensitive to delays or communication problems.


But these networks also have strong weaknesses:
  • They use insecure or unauthenticated protocols.
  • They are often not segmented, logically or physically.
  • Third-party software cannot be installed on some systems.
  • Certain systems cannot be patched or updated.

These features and constraints make the protection of such critical networks very special and, as discussed below, require specific strategies and technologies for this type of environment.

In the next post we will dive into that.



Friday, September 11, 2015

Cyber physical attacks to critical infrastructure (Part II: Attack and defense)


Although the number and nature of cyber attacks on control systems that could have effects on the physical environment is very broad, we will only consider those that have been studied by the various stakeholders of industrial cyber security.

In particular, recent studies define the following categories depending on the purpose of the cyber-physical attack:
  • Damage to equipment 
  • Damage to Production 
  • Deterioration of compliance
Let’s see each of them in detail:


Damage to equipment


Such cyber attacks are intended to produce permanent failures and breakdowns of the industrial equipment that interacts with the physical environment. In particular, attacks on the following elements have been studied:

  • Pipes and pipelines: Opening and closing valves quickly, and sometimes in a coordinated way, can cause a physical phenomenon called "water hammer": a pressure surge inside the pipe that can exceed its structural strength, causing breakage and the subsequent discharge of the transported fluid (liquid or gas).
  • Tanks: Tanks are often designed to withstand very high internal pressures, but collapse under very low internal pressure (vacuum). Sudden changes in the temperature inside a tank can lead to abrupt changes in internal pressure that could eventually collapse it.
  • Generators: As demonstrated in the Aurora experiment, opening and closing the breakers of a generator connected to an electrical substation out of phase produces mechanical stresses that end up physically breaking it.
  • Motors: In its last phase, the Stuxnet cyber attack accelerated the motors of the uranium centrifuges for long periods of time, causing material fatigue and subsequent failure.
  • Chemical reactors: The most common chemical reactions typically occur at high temperatures, so a change in the reaction control conditions may be associated with a significant increase in temperature, causing thermal damage to the reactor structure up to its total destruction.


It is also possible to combine two or more of these attacks, so that, for instance, a power loss coincides with the loss of control of some element or with its entry into an unstable operating condition.
Although we have been considering these as attacks, there are historical examples of great industrial accidents caused by abnormal functioning of control systems.
The following sections will show how these detection technologies can also help detect operational failures that could lead to serious industrial accidents.

Damage to Production


The purpose of this type of cyber attack on the process is to alter the financial results of the organization that operates it. Among them, the following have been studied:

  • Decrease in the amount of final product: By changing certain process control variables at specific points, the amount of product obtained can be altered. A clear example of this was built on the production of vinyl acetate monomer [7] and presented at Black Hat in Las Vegas in August 2015.
  • Decrease in product purity: If the alterations made to the process control variables change the purity of the final product, a significant devaluation of the product can be produced. A concrete example is paracetamol, whose purity can change its price by several orders of magnitude.
  • Increase in operating and maintenance costs: Cyber attacks can intentionally raise process alarms to force the recalibration of field elements as often as the attackers want, thereby increasing the costs of the targeted organization. Moreover, repeating the attacks on the process with different values is one of the most common ways of hiding them, because the suspicions of the organization then move towards the maintenance teams.

Deterioration of compliance


The legal and regulatory frameworks that organizations must comply with impose certain commitments whose breach can carry very significant penalties. Among this kind of commitment we can find the following:
  • Safety regulations: Altering a safety parameter of the industrial plant may entail a violation of safety rules, which in turn is liable to a major fine upon inspection.
  • Impact on the environment: Discharges into rivers, or the production of waste with values of certain compounds above the permissible threshold, are punished with significant financial penalties.
  • Contractual breaches: Altering the purity or quantity of the product can leave certain contract clauses unmet, preventing the agreed billing and causing significant economic losses to the organization.
All these cyber attacks studied in the past year have a number of common characteristics:

  • Semantic attacks: They require deep knowledge of the environment, the process and the variables to be altered in order to produce the desired effects.
  • Targeted at the control network: They use "legitimate" users and systems, unauthenticated control protocols and "valid" commands, and are executed with appropriate permissions.
  • Conducted by multidisciplinary teams: Composed of an IT team (network and systems), an OT team (SCADA) and process engineers (of the attacked sector).

Given the nature of cyber-physical and process attacks, and the technical characteristics of control networks described above, critical infrastructure protection presents a number of problems that can only be addressed with the solutions described in the next section.

It might seem that this type of attack is too complicated or exceptional to take into account in our risk analysis, but do not forget that:

  1. They are targeted attacks intended to cause physical damage, and could be executed or sponsored by state organizations.
  2. They have already materialized and were not mere theoretical laboratory studies.
  3. In both cases the cyber attack had a source external to the attacked facilities, even where isolation from the Internet is assumed. (The average number of external connections found in control network assessments is 11.)
  4. The success of these attacks could endanger human lives.
  5. Law 8/2011 on Critical Infrastructure Protection (PIC) explicitly mentions the need to consider very high impact events, such as these attacks, in the risk assessment of this type of infrastructure.

Another common line of thinking when leaving these cyber-physical attacks out of the risk analysis is to consider them covered by safety plans. As shown in the Mogford report after the Texas City refinery accident, there was a lack of preventive maintenance on safety-critical systems. So once again, we cannot rely on initial conditions to establish the actual security state of an infrastructure; we need to assess it on a periodic basis.


Critical Infrastructure Protection


Cyber security is founded on three pillars: people, procedures and technologies. In this case it cannot be otherwise, so the following sections formulate a series of recommendations to protect such infrastructure from the cyber-physical attacks seen before.

People


As we saw earlier in this note, such cyber attacks can only materialize through the joint action of experts in different fields (IT technology, OT technology and the industrial process to attack). Critical infrastructures need multidisciplinary teams in their cyber security organizations, working in a coordinated way, in order to protect them.
This is one of the most common problems encountered in implementing the CIP law, because of the inertia in many organizations where the worlds of control and security have always been in different functional areas, with different managers and budgets.
Awareness of the infrastructure operator's senior management is required to make the critical changes needed in the functional organization, ensuring a single multidisciplinary team responsible for this cyber security.

Procedures


It is a priority to change the procurement procedures of critical infrastructure operators, requiring the inclusion of cyber security requirements in automation and control solutions, just as there are safety requirements for plants. Deploying controls and countermeasures in control networks without this approach at design time will be much more difficult and expensive.
Given the semantic nature of these attacks, risk analysis must be expanded to contemplate attacks on processes. As seen above, this is only possible with the participation of process control engineers in this activity, where cyber security and safety converge (Hazard / Risk Analysis).

Technologies


For everything mentioned above, the security measures to be taken in such environments must take into account the importance of availability in control networks. Any measure to be implemented should be as safe as possible in terms of its impact on the process to protect. According to ICS-CERT (the Industrial Control Systems CERT of the US Department of Homeland Security), the impact of the various protection technologies to consider when deploying in such networks is as follows:


  
As can be seen, intrusion detection systems are the technology with the least impact on industrial control networks.


Within this technology, and considering the significant limitations on installing third-party software on control systems (SCADA servers, engineering workstations and operator positions or HMIs), NIDS technology (Network Intrusion Detection System) is indicated, since neither modifying the existing network architecture nor reconfiguring any of the systems will be necessary.

Thursday, September 10, 2015

Cyber physical attacks to critical infrastructure (Part III: Detection technologies)


Network intrusion detection System (NIDS)


According to the taxonomy of intrusion detection systems defined by Debar et al., the most suitable system is shown in the following figure:




The detection method should not be based on signatures, since signatures must be updated frequently and offer no protection against 0-day vulnerabilities; this makes behaviour-based detection the most appropriate choice.
Behaviour detection should be passive, to be as non-intrusive as possible in the network and not interfere with the commands and actions exchanged over it.
Given the importance that state transitions have in the control of industrial processes, the NIDS should consider this paradigm, and finally it should monitor continuously, since these networks operate on a 24x7x365 basis.

Regarding the detection technology for behavioural anomalies, there are several alternatives: inspection of message headers, inspection of message payload, or a combination of both. In this note we will use the last option, as it is the only one capable of detecting this type of semantic attack, and it is the one used by the deep protocol behaviour inspection technology we propose for network intrusion detection in critical infrastructure.

 

NIDS based on deep protocol behavior inspection


Once the detection technology is selected, we will explain how to implement it in such environments. Since its operation is based on detecting events that differ from normal behaviour (anomalies), we must first build the pattern of normal behaviour (behavioural blueprint).

The construction of this pattern can be performed in a specification-based manner (entering the topological and operational information of the network) or unattended, using learning-based technology. The first option is rarely useful, as the knowledge organizations have of the low-level implementation details of their control networks in many cases dates back to the FAT (Factory Acceptance Test) or the SAT (Site Acceptance Test), so it is usually very old, outdated information, not maintained systematically through change management procedures in line with best practices.

If the unattended construction method (learning) is selected, we must remember that it is very important that this normal behaviour pattern is built in an environment as similar as possible to the production environment in which the detection of anomalous behaviour will be performed.

The scheme of operation of this type of intrusion detection sensors is as follows:


Although learning is automatic, it must always be adjusted by control engineers who are familiar with the process, to eliminate any undesired operation generated by unscheduled interventions once verified by the control personnel. Additionally, during the detection phase it should be possible to include such events in the behaviour pattern (blueprint) to avoid unwanted alerts (false positives).

The behavioural blueprint obtained after the learning and customization phases includes the following elements:

Control Network Communication profile

At this point the NIDS knows every possible tuple in the control network (traffic matrix):


Src IP, Src Port -> Dest IP, Dest Port



From this moment on, we can be alerted by:

  • New devices on the network
  • Devices trying to connect to our network that are not in our model
  • Devices sending information out of our network to devices outside the model
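As an added example (not from this post or from any product mentioned here), the following Python builds the communication profile from a learning-phase CSV in the layout of the pcap_to_csv script from the "Low cost SCADA assessment" post above, and then classifies observed flows against it into the three alert classes just listed, plus the public-address case that post found (the workstation talking to Google DNS). Source ports are ignored because they are ephemeral; the addresses, ports and protocol names are constructed sample data.

```python
import csv
import io
import ipaddress

# Constructed learning-phase traffic matrix in the pcap_to_csv layout (not real data).
LEARNING_CSV = """src_ip,src_port,dst_ip,dst_port,ip_proto
10.1.1.20,51000,10.1.1.10,20000,DNP 3.0
10.1.1.20,51001,10.1.1.10,20000,DNP 3.0
10.1.1.30,40021,10.1.1.10,2404,IEC 60870-5-104
10.1.1.10,41000,10.1.2.5,102,S7COMM
"""

# Constructed detection-phase flows: one in-model, one to a public DNS server,
# one from an unknown device, one new tuple between known devices.
DETECTION_CSV = """src_ip,src_port,dst_ip,dst_port,ip_proto
10.1.1.20,51002,10.1.1.10,20000,DNP 3.0
10.1.1.20,60000,8.8.8.8,53,DNS
192.168.7.7,3333,10.1.1.10,20000,DNP 3.0
10.1.1.30,40022,10.1.1.10,20000,DNP 3.0
"""


def learn_blueprint(csv_text):
    """Learning phase: each (src, dst, dst_port, protocol) tuple becomes an allowed
    communication and each address on either side becomes a known device."""
    allowed, devices = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        allowed.add((row["src_ip"], row["dst_ip"], int(row["dst_port"]), row["ip_proto"]))
        devices.update((row["src_ip"], row["dst_ip"]))
    return {"allowed": allowed, "devices": devices}


def check_flow(blueprint, src, dst, dport, proto):
    """Detection phase for one flow: None if it is in the model, else an alert string."""
    if (src, dst, dport, proto) in blueprint["allowed"]:
        return None
    devices = blueprint["devices"]
    if src in devices and dst not in devices:
        # Information leaving the model; a globally routable address is the worst case
        kind = "public address" if ipaddress.ip_address(dst).is_global else "address outside the model"
        return f"{src} sending to {kind} {dst}:{dport}/{proto}"
    if src not in devices and dst in devices:
        return f"unknown device {src} connecting to {dst}:{dport}/{proto}"
    if src not in devices and dst not in devices:
        return f"new devices {src} -> {dst} never seen in the model"
    return f"new tuple between known devices {src} -> {dst}:{dport}/{proto}"


def detect(blueprint, csv_text):
    """Run check_flow over every row of an observed-traffic CSV; returns the alerts."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        alert = check_flow(blueprint, row["src_ip"], row["dst_ip"],
                           int(row["dst_port"]), row["ip_proto"])
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in detect(learn_blueprint(LEARNING_CSV), DETECTION_CSV):
        print("ALERT:", line)
```

The blueprint here is just two sets; a real sensor would also keep the learned tuples per direction and let the control engineers whitelist the verified unscheduled interventions mentioned above instead of re-learning.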

Protocols, messages and values matrix

In order to detect advanced operational issues or attacks on processes we need deep protocol behaviour inspection (DPBI) technology, since with it we will know:

  • The control protocols operating in the network
  • The messages used within each protocol
  • The distribution of values within each message field of the actual control protocols on the network

All this information must be organized in a logical manner to obtain the pattern of behaviour against which all messages obtained from the network are subsequently compared. The DPBI NIDS is responsible for generating this model during the learning phase using its behaviour modelling technology.

From this point we can start the detection phase and be alerted of any communication that diverges from the newly built behavioural blueprint.

Operational Correlation


Despite the power of DPBI detection technology in control environments, we also need to be able to generate alerts for cyber attacks on the physical process that consist of operations within the behaviour pattern, executed from control network stations that are also in the pattern.

A clear example of this would be an Aurora-type attack run from a SCADA server, transmitting out-of-phase opening and closing orders to a remote terminal unit (RTU) in a substation using the IEC 104 protocol.
To detect this cyber attack we should be able to store all IEC 104 open and close commands aimed at the RTUs found in the control network, and compute the time difference with respect to the immediately preceding command sent to the same RTU.
To do this, the DPBI network intrusion detector must also be able to provide the functionality described above (operational correlation).

In the case of the DPBI NIDS solution for SCADA, SCAB (Security Awareness Control Box for SCADA), this correlation is implemented by deploying additional logic (a script) that performs the correlation.

An example of a function from such a script is the following:

-- Callback invoked by the sensor when new data is seen on a connection
-- (conn, data and is_upstream are supplied by the SCAB runtime, as is find_flow).
-- It refreshes the per-flow record with byte and packet counters in both
-- directions; later correlation logic works on those records.
function new_connection_data(conn, data, is_upstream)
    local record = find_flow(conn)          -- nil when the flow is not tracked
    if record ~= nil then
        record.up_bytes = conn:upstream_num_bytes()
        record.down_bytes = conn:downstream_num_bytes()
        record.up_pkts = conn:upstream_num_pkts()
        record.down_pkts = conn:downstream_num_pkts()
        record.payload_up_bytes = conn:upstream_num_payload_bytes()
        record.payload_down_bytes = conn:downstream_num_payload_bytes()
    end
end
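As an added example of the operational correlation described above (this is not SCAB's script, of which only the fragment above is shown), here is Python that applies the Aurora rule over already decoded IEC 104 single commands: it keeps the last command per breaker and alerts when a state reversal arrives faster than a minimum interval, or when too many reversals accumulate in a short window. The events are constructed and assumed to be delivered decoded by the DPBI sensor; the thresholds are assumptions to be tuned per substation, and the IP addresses and information object addresses are invented.

```python
from collections import defaultdict, deque

# Constructed decoded IEC 60870-5-104 single commands (C_SC_NA_1), as a sensor
# would hand them to a correlation script: (time_s, scada_src, rtu_ip, ioa, state).
# ioa = information object address of the breaker; state 1 = close, 0 = open.
EVENTS = [
    (0.0,   "10.1.1.30", "10.1.5.1", 1001, 0),   # operator opens breaker 1001
    (95.0,  "10.1.1.30", "10.1.5.1", 1001, 1),   # recloses it 95 s later: normal operation
    (300.0, "10.1.1.30", "10.1.5.1", 1001, 0),
    (300.4, "10.1.1.30", "10.1.5.1", 1001, 1),   # reclose 400 ms later: out-of-phase risk
    (300.9, "10.1.1.30", "10.1.5.1", 1001, 0),
    (301.3, "10.1.1.30", "10.1.5.1", 1001, 1),
]


class BreakerCorrelator:
    """Operational correlation for open/close commands, keyed by (RTU, IOA)."""

    def __init__(self, min_interval=2.0, window=10.0, max_toggles=3):
        self.min_interval = min_interval   # assumed: fastest legitimate reversal, seconds
        self.window = window               # assumed: sliding window for counting reversals
        self.max_toggles = max_toggles     # assumed: reversals per window that are suspicious
        self.last = {}                     # (rtu, ioa) -> (time, state) of last command
        self.history = defaultdict(deque)  # (rtu, ioa) -> times of state changes in window

    def feed(self, t, src, rtu, ioa, state):
        """Process one command in arrival order; returns the alerts it triggers."""
        key = (rtu, ioa)
        prev = self.last.get(key)
        self.last[key] = (t, state)
        if prev is None or prev[1] == state:
            return []                      # first command, or a repeat of the same state
        delta = t - prev[0]
        hist = self.history[key]
        hist.append(t)
        while hist and t - hist[0] > self.window:
            hist.popleft()
        alerts = []
        if delta < self.min_interval:
            alerts.append(f"{src} reversed breaker {ioa} at {rtu} {delta:.1f}s after previous command")
        if len(hist) >= self.max_toggles:
            alerts.append(f"{len(hist)} state changes of breaker {ioa} at {rtu} within {self.window:.0f}s")
        return alerts


def correlate(events, **thresholds):
    """Replay a list of decoded commands through the correlator."""
    correlator = BreakerCorrelator(**thresholds)
    alerts = []
    for event in events:
        alerts.extend(correlator.feed(*event))
    return alerts


if __name__ == "__main__":
    for line in correlate(EVENTS):
        print("ALERT:", line)
```

Because the rule only looks at commands that are individually valid, every alert it raises would be invisible to the blueprint comparison; that is exactly the gap operational correlation is meant to close.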

Future trends: S-IDS


The combination of detection technology based on control protocol behavioural anomalies with operational correlation allows us to detect cyber-physical attacks on critical infrastructure processes, yet the implementation of the operational and temporal correlations is still somewhat handcrafted.

To solve this problem, new detection technologies that include this information in the behavioural pattern automatically are being researched.
One of these technologies is called Sequence-aware Intrusion Detection System (S-IDS), and it raises a number of novel approaches in generating a behaviour pattern, such as controlling the order in which messages are sent and received between the servers and the control elements, the time between state transitions and message sending, and the standard deviation of that time.

The block architecture of a system of this type would be:


In the learning phase, information from the model input sources (control network protocol messages, log file entries and process command values) would be collected and fed to the sequencer, which maintains the timing trace, before passing to the process model generator.

As in the case of the DPBI-based NIDS, once the learning phase is finished the system would enter detection mode. First experimental results for the water sector SCADA have been achieved, and work is in progress to decrease the false positive rate (FPR) and reduce noise in the detection phase.
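To make the S-IDS idea concrete, here is an added example (not the research prototype referred to above) of a minimal sequence-aware model in Python: from a learning trace it records which message type may follow which on a channel, together with the mean and standard deviation of the time between them; in detection it alerts on transitions never seen and on timings outside mean +/- k standard deviations. The traces use IEC 104 ASDU type names but are constructed; k and the floor on the standard deviation are assumptions.

```python
import math
from collections import defaultdict

# Constructed learning trace of one server -> RTU channel: (time_s, ASDU type).
# Normal cycle: general interrogation, measured values, single points, every 5 s.
LEARN_TRACE = [
    (0.0, "C_IC_NA_1"), (0.2, "M_ME_NC_1"), (0.3, "M_SP_NA_1"),
    (5.0, "C_IC_NA_1"), (5.2, "M_ME_NC_1"), (5.3, "M_SP_NA_1"),
    (10.0, "C_IC_NA_1"), (10.3, "M_ME_NC_1"), (10.4, "M_SP_NA_1"),
    (15.0, "C_IC_NA_1"), (15.2, "M_ME_NC_1"), (15.3, "M_SP_NA_1"),
]

# Constructed detection trace: a single command (C_SC_NA_1) never seen in learning,
# then a reply that arrives 2.5 s after the interrogation instead of ~0.2 s.
DETECT_TRACE = [
    (0.0, "C_IC_NA_1"), (0.2, "M_ME_NC_1"), (0.3, "M_SP_NA_1"), (0.4, "C_SC_NA_1"),
    (5.0, "C_IC_NA_1"), (7.5, "M_ME_NC_1"), (7.6, "M_SP_NA_1"),
]


class SequenceModel:
    def __init__(self, k=3.0, min_std=0.05):
        self.k = k                         # assumed tolerance, in standard deviations
        self.min_std = min_std             # assumed floor so constant timings tolerate jitter
        self.samples = defaultdict(list)   # (prev_type, next_type) -> inter-message times
        self.stats = {}                    # (prev_type, next_type) -> (mean, std)

    def learn(self, trace):
        """Learning phase: allowed transitions and their timing statistics."""
        for (t0, a), (t1, b) in zip(trace, trace[1:]):
            self.samples[(a, b)].append(t1 - t0)
        for key, xs in self.samples.items():
            mean = sum(xs) / len(xs)
            std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
            self.stats[key] = (mean, max(std, self.min_std))
        return self

    def detect(self, trace):
        """Detection phase: unknown transitions, or known ones with abnormal timing."""
        alerts = []
        for (t0, a), (t1, b) in zip(trace, trace[1:]):
            if (a, b) not in self.stats:
                alerts.append(f"unknown transition {a} -> {b} at t={t1}")
                continue
            mean, std = self.stats[(a, b)]
            dt = t1 - t0
            if abs(dt - mean) > self.k * std:
                alerts.append(f"{a} -> {b} after {dt:.2f}s (expected {mean:.2f} +/- {self.k * std:.2f})")
        return alerts


def run_sids(learn_trace=LEARN_TRACE, detect_trace=DETECT_TRACE):
    """Learn on one trace, detect on another; returns the alert strings."""
    return SequenceModel().learn(learn_trace).detect(detect_trace)


if __name__ == "__main__":
    for line in run_sids():
        print("ALERT:", line)
```

A real S-IDS would key the model per channel and per process state rather than per message pair, and would use the log entries and command values the block architecture above feeds into the sequencer; the point here is only that order and timing become part of the learned pattern instead of a hand-written rule.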

This is just one of today's research paths on intrusion detection for industrial control systems, and it is still under development and validation.