Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
Pete Maynard
@pgmaynard ORCID 0000-0002-6267-7530
2
Introduction
● Pete Maynard
● PhD Student
● CSIT, Queen's University Belfast, UK
● Industrial Control System Security
● Partnership with PRECYSE
3
What I do
● Attacks on SCADA protocols
– Replay, MITM, DoS
● Develop detection and prevention methods
● Anomaly detection via machine learning
4
PRECYSE
● European FP7 Project
● Prevention, protection and REaction to CYber attackS to critical infrastructurEs
● LINZ STROM GmbH (Electrical Distribution Operator)
5
Talk Overview
● What's SCADA used for
● SCADA threats
● Introduction to IEC 104
● Attacking IEC 104
6
What's SCADA Used for?
7
How is SCADA used
● MODBUS, DNP3, IEC104, 61850, Profibus … [1]
[1] S. Mohagheghi, J. Stoupis, and Z. Wang. Communication protocols and networks for power systems - current status and future trends. In Power Systems Conference and Exposition, 2009. PSCE '09. IEEE/PES, pages 1–9, March 2009.
8
What does it do?
● Telemetry control
● Change settings
● Read/write/delete files and directories
● Update firmware
9
SCADA Threats
10
Attack Levels
| Level | Attacker    | Example                              |
|-------|-------------|--------------------------------------|
| 1     | Accident    | Misconfiguration, firmware update    |
| 2     | Novice      | Script kiddie, port scanning         |
| 3     | Experienced | Replay attack, basic knowledge       |
| 4     | Advanced    | Stuxnet, ICS domain knowledge        |
11
Threats
● Havex malware
● Uses OPC to scan for SCADA devices
● Reports back to a command and control server
● Recently detected, July 2014
– European ICS
– Team active since 2011
● State sponsored?
12
Scanning for SCADA devices
● Readily available scanners
– SCADA StrangeLove [1]
● Simple Python script
● Returns device name, IP, software version
[1] https://github.com/atimorin/scada-tools
13
SCADA Fuzzers
● Protocol fuzzers
● Project Robus [1]
– DNP3
– Identified many vulnerabilities
● Fuzzing can kill
[1] http://www.automatak.com/robus/
14
Protocol Analysers
15
Introduction IEC 104
16
Introduction IEC 60870-5-104
● International Electrotechnical Commission (IEC)
● IEC 60870 developed periodically between the years 1988 and 2000
● 6 main parts and four companion sections
● Open standard
● 60870-5-104 defines transmission over TCP/IP
17
IEC 60870-5-104 Security Issues
● Ported from serial links to TCP/IP
● No authentication
● No encryption
● Uses an IP address white-list
– Defined on the slave
● TLS encryption recommended
– In practice not implemented
18
104 Payload
ASDU
19
Attacking IEC 104
20
Capturing Packets
● SPAN port
● DNS poisoning
● Content Addressable Memory (CAM) table overflow
● ARP spoofing
21
Replay Attack
● Novice-level attack
● Capture and replay packets
– Commands, readings, alerts...
● Replayed packets dropped by the kernel
● Tcpreplay alternatives can modify SEQ values
22
Man In the Middle Attack
● Intercept communications between two or more devices
● Modify and inject packets
● Many tools available
– ettercap
– cain and abel
– DSniff
23
104 MITM Lab Experiment
● Modify the Cause of Transmission (CoT) field
● Intercept and set an invalid CoT value
● Detection with SNORT
24
Cause of Transmission
● CoT values can use the following number ranges:
– 1-13 and 20-41
– 14-19 and 42-43 are reserved for future use
25
Before and After Capture
Before
After
26
SNORT Alert
Alert
[**] [1:6666617:1] 17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/09-14:06:10.462288 10.50.50.105:40734 -> 10.50.50.75:22
TCP TTL:64 TOS:0x0 ID:60033 IpLen:20 DgmLen:60 DF
******S* Seq: 0x9A0C38A1 Ack: 0x0 Win: 0x3908 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 1382076960 0 NOP WS: 7
Rule
alert tcp $104_CLIENT any -> $104_SERVER $104_PORTS (flow: established; content:"|68|"; offset:0; depth:1; pcre:"/[\S\s]{5}(\x2D|\x2E|\x2F|\x30|\x64|\x65)/iAR"; content:!"|06|"; offset: 8; depth: 1; msg:"17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field"; classtype:bad-unknown; sid:6666617; rev:1; priority:2;)
27
Earth Fault
● Real world situation where an earth fault in the physical electrical grid occurs
28
Linz Test-bed
29
Operator View
30
104 MITM Test-bed Environment
● Intercept the value, so operators are unable to view the fault
● Among 104's Information Objects, M_SP_TB_1 stores the ON/OFF value
● The first bit of the SIQ is the SPI field, which holds the ON/OFF value
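An added Python example, not the author's or the PRECYSE project's code, that decodes an IEC 104 I-format APDU and applies the two checks the deck relies on: the Snort rule's Cause of Transmission test on command ASDUs (together with the CoT ranges from the Cause of Transmission slide) and the M_SP_TB_1 SIQ/SPI bit read on this slide. It assumes the standard APCI + ASDU layout with one information object; all sample frames are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Type IDs the deck's Snort rule keys on (single/double/step/setpoint commands, interrogations)
COMMAND_TYPES = {45, 46, 47, 48, 100, 101}
M_SP_TB_1 = 30   # single-point information with CP56Time2a timestamp

@dataclass
class Asdu:
    type_id: int
    cot: int
    common_address: int
    ioa: int
    spi: Optional[int]   # ON/OFF bit for M_SP_TB_1, None for other types

def parse_apdu(raw: bytes) -> Asdu:
    """Decode one I-format APDU (APCI + ASDU carrying a single information object)."""
    if len(raw) < 15 or raw[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if raw[1] != len(raw) - 2:
        raise ValueError("APDU length field does not match frame size")
    if raw[2] & 0x01:
        raise ValueError("S/U-format frame carries no ASDU")
    asdu = raw[6:]
    type_id = asdu[0]
    cot = asdu[2] & 0x3F                     # low 6 bits; bit 6 = P/N, bit 7 = test
    ca = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    spi = (asdu[9] & 0x01) if type_id == M_SP_TB_1 else None   # SIQ bit 0 = SPI
    return Asdu(type_id, cot, ca, ioa, spi)

def inspect(raw: bytes) -> List[str]:
    """Return detection findings for one frame; an empty list means nothing suspicious."""
    a = parse_apdu(raw)
    findings = []
    if not (1 <= a.cot <= 13 or 20 <= a.cot <= 41):
        findings.append(f"COT {a.cot} outside the permitted 1-13/20-41 ranges")
    if a.type_id in COMMAND_TYPES and a.cot != 6:   # same test as the Snort rule: command without activation
        findings.append(f"command type {a.type_id} sent with COT {a.cot}, expected 6 (activation)")
    return findings

# Constructed sample frames (not captures from the deck). Spontaneous M_SP_TB_1, CA 1, IOA 1, SPI=ON:
SP_ON = bytes.fromhex("68 15 00 00 00 00" "1e 01 03 00 01 00" "01 00 00" "01" "00000000000000")
SP_OFF = SP_ON[:15] + b"\x00" + SP_ON[16:]        # same frame with the SPI bit cleared (the "after" case)
# C_SC_NA_1 (type 45) with COT 6, and the same command with its COT rewritten to 15 (reserved):
CMD_OK = bytes.fromhex("68 0e 00 00 00 00" "2d 01 06 00 01 00" "05 00 00" "01")
CMD_BAD = CMD_OK[:8] + b"\x0f" + CMD_OK[9:]

if __name__ == "__main__":
    print(parse_apdu(SP_ON).spi, parse_apdu(SP_OFF).spi, inspect(CMD_OK), inspect(CMD_BAD))
```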
31
ON/OFF Value Modification
Before
After
32
Conclusion
● Attackers with varying skill levels can compromise SCADA systems
– Man-in-the-middle attacks hiding an earth fault
● New implementations of ICS need to take precautions
● Monitor logs, network, everything
● Enable attack mitigations
33
Future Work
● Identify features of the IEC104 protocol for anomaly detection
● Propose to develop an anomaly detection module for the IEC104 protocol
– Detect similar network attacks
● Work on MITM attack for IEC 61850
34
Questions