
05.11.2016


Detection of Man-in-the-Middle Attacks on Industrial Control Systems

Oliver Eigner, Philipp Kreimel, Paul Tavolato

Industrial Control Systems

Security Issues of Industrial Control Systems

Behavioral Monitoring of Industrial Control Systems

Experimental Setting

Normal System Behavior

Man-in-the-Middle Attacks

Results

Further Work


Industrial Control System


Situation so far: Control System and Administration System, strictly separated!


Situation now:

Threats

Opening a system makes it vulnerable

After having gained access, an intruder may cause harm.

S/he may

o steal data

o modify data

o inject false data

o modify the process

o damage the plant


Why Do Conventional IT Security Measures Not Work with ICS?

o Update risks

o Security updates available?

o Long operating times lead to outdated systems

o Proprietary protocols

o Special system needs

Project Idea: Behavioral Analysis

For this talk:

Use a simple testing system

Restrict to Man-in-the-Middle attacks

Observe the behavior of the "clean" ICS

Define patterns of such normal behavior

Do this by using machine learning algorithms

Execute attacks against the ICS and compare behavior


Test Setup: Conveyor Belt


Scenario


Data Acquisition


Near-real-time data from the PLC should be logged.

A Modbus TCP server was implemented on the PLC.

All sensor and actuator data was logged.

For one process life cycle (approx. 2' 20'') 2800 log entries were collected.


Feature Extraction


To reduce the dimensionality a set of 32 features was extracted, such as minimum values, maximum values, arithmetic means, and standard deviations of the data.

temp_min   temp_max   temp_stdev   temp_avg
20         60         12.8763119   53.3042922
20         60         13.0828626   53.1369836
20         60         12.6685830   53.6036321
20         60         12.6121858   53.6320333
20         60         12.7710237   53.5021791
20         60         13.2449995   53.0458893

Thresholds of Valid Behavior


Using RapidMiner, experiments with various algorithms were conducted.

Bregman divergence with k=3 showed the best results.

Outlier Statistics

            Euclidean Distance        Kernel Euclidean Distance   Bregman Divergences
k           3       5       7         3       5       7           3       5       7
Example1    0.1555  0.1956  0.2493    0.0535  0.0829  0.1374      0.0273  0.0426  0.0725
Example2    0.1501  0.1991  0.2623    0.0487  0.0865  0.1555      0.0248  0.0446  0.0834
Example3    0.1645  0.2469  0.3479    0.0644  0.1413  0.2740      0.0331  0.0748  0.1566
Example4    0.2074  0.2955  0.2649    0.1024  0.1952  0.3420      0.0535  0.1053  0.2004
Example5    0.1599  0.1883  0.3811    0.0530  0.0733  0.1601      0.0269  0.0375  0.0865
Example6    0.1814  0.2923  0.2321    0.0721  0.1950  0.3140      0.0369  0.1063  0.1809
Example7    0.1193  0.1870  0.2417    0.0283  0.0812  0.1222      0.0143  0.0420  0.0641
Example8    0.1563  0.1903  0.2374    0.0528  0.0769  0.1295      0.0269  0.0394  0.0684
Example9    0.1430  0.1859  0.3160    0.0447  0.0757  0.1258      0.0227  0.0389  0.0661
Example10   0.1386  0.2349  0.4001    0.0400  0.1312  0.2294      0.0202  0.0697  0.1278
Minimum     0.1193  0.1859  0.2321    0.0283  0.0733  0.1222      0.0143  0.0375  0.0641
Maximum     0.2074  0.2955  0.4001    0.1024  0.1952  0.3420      0.0535  0.1063  0.2004
Average     0.1576  0.2216  0.2933    0.0560  0.1139  0.1990      0.0287  0.0601  0.1107
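The feature extraction and the distance-based outlier scoring of the two preceding slides, as an added Python example that is not the authors' code and does not use RapidMiner. It assumes that a cycle's outlier score is the mean distance to its k nearest clean cycles (k = 3), that the threshold of valid behavior is the largest score seen on clean cycles, and that the Bregman divergence is the one generated by F(x) = ||x||^2 (the slide does not name the generator); the six clean feature rows are the ones shown on the Feature Extraction slide.

```python
# Added example, not code from the authors or from RapidMiner.
# Assumptions: k-NN outlier score = mean distance to the k nearest clean cycles;
# valid threshold = largest leave-one-out score among the clean cycles;
# Bregman generator F(x) = ||x||^2, i.e. the squared Euclidean distance.
from statistics import mean, pstdev

def extract_features(temps):
    """Per-cycle summary features, as in temp_min/temp_max/temp_stdev/temp_avg."""
    return [min(temps), max(temps), pstdev(temps), mean(temps)]

def bregman(p, q, F, grad_F):
    """General Bregman divergence D_F(p, q) = F(p) - F(q) - <grad F(q), p - q>."""
    return F(p) - F(q) - sum(g * (x - y) for g, x, y in zip(grad_F(q), p, q))

def sq_euclid(p, q):
    """Bregman divergence generated by F(x) = ||x||^2 (squared Euclidean)."""
    return bregman(p, q, lambda v: sum(x * x for x in v), lambda v: [2 * x for x in v])

def knn_score(vec, reference, k=3, dist=sq_euclid):
    """Mean distance from vec to its k nearest vectors in reference."""
    return mean(sorted(dist(vec, r) for r in reference)[:k])

def train_thresholds(clean, k=3, dist=sq_euclid):
    """Leave-one-out scores of the clean cycles give min/max/average, as in the table."""
    scores = [knn_score(v, clean[:i] + clean[i + 1:], k, dist) for i, v in enumerate(clean)]
    return {"min": min(scores), "max": max(scores), "avg": mean(scores)}

def classify(vec, clean, thresholds, k=3, dist=sq_euclid):
    """Score a new cycle against the clean cycles and compare with the threshold."""
    score = knn_score(vec, clean, k, dist)
    return score, ("valid" if score <= thresholds["max"] else "anomalous")

# The six clean feature rows shown on the Feature Extraction slide.
CLEAN = [[20, 60, 12.8763119, 53.3042922], [20, 60, 13.0828626, 53.1369836],
         [20, 60, 12.6685830, 53.6036321], [20, 60, 12.6121858, 53.6320333],
         [20, 60, 12.7710237, 53.5021791], [20, 60, 13.2449995, 53.0458893]]
THRESHOLDS = train_thresholds(CLEAN)

if __name__ == "__main__":
    print("thresholds:", THRESHOLDS)
    # Constructed test cycles: one more clean run, and one whose temperature
    # readings were altered in transit (larger spread, lower mean).
    for vec in ([20, 60, 12.9, 53.4], [20, 60, 20.0, 45.0]):
        print(vec, "->", classify(vec, CLEAN, THRESHOLDS))
```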


Man-in-the-Middle Attack


A Man-in-the-Middle attack was executed against the PLC and the Modbus client.

The attack was executed using Ettercap and ARP poisoning.

[Figure: network diagram with Modbus Logger, Engineering Workstation, Attacker, PLC and HMI]

Results


The data captured during the attack was compared to the thresholds defined for normal behavior.

The outlier score deviated from the values of normal behavior to such a considerable extent that the detection of the attack was beyond doubt.

Type                       Label     Outlier   Prediction
Average valid behaviour    valid     0.028     valid
Man-in-the-Middle attack   unknown   1.231     anomalous


Other Attacks - Results


Type                            Label     Outlier   Prediction
Normal behavior                 valid     0.028     valid
Man-in-the-Middle Attack        unknown   1.231     anomalous
DoS Attack PLC                  unknown   314.727   anomalous
DoS Attack HMI                  unknown   0.142     valid
Replay Attack                   unknown   1.032     anomalous
Reprogram heat rate             unknown   0.191     anomalous
Reprogram maximum temperature   unknown   44.895    anomalous
Modbus read I/O values          unknown   0.019     valid
Modbus write coil               unknown   0.380     anomalous

Restrictions of the approach


The project was carried out in a lab environment.

The scenario was rather simple with a limited number of sensors and actuators.

However: we used up-to-date hardware and firmware, which is not the case in many real-life ICS.


Conclusion


Man-in-the-Middle attacks can be detected by looking for anomalies.

Patterns of the normal behavior of the ICS are necessary for this.

These patterns can be derived using machine learning.

Results are clear enough to make the process a candidate for use in real scenarios.

Further Work


Extend the project to other types of attacks, such as denial of service attacks, false data injections, replay attacks, and others

Try to use the machine learning on data from real ICS

Apply the procedure to real ICS


Oliver Eigner, Philipp Kreimel, Paul Tavolato