Electronic Security Perimeter
Is this system air-gapped? No. But…
• it's fiber optic.
• we own the network.
• we own the wireless network.

Electronic Security Perimeter
Is this system air-gapped? No. What is this?
• Leased line from phone company?
• Does the utility sell BW to 3rd parties?

Common configuration
[Diagram: Control Room and Outstation connected through a DMZ to the Enterprise Network and the WWW.]
Can malware infect the control room or outstation? Yes.
What about serial? RS-232/485: Stuxnet.

Takeaways
• Industrial control system networks are not commonly air gapped, though the control system engineers may think they are.
• Industrial control systems can be infected by malware.
• Electronic security perimeter alone is insufficient. Need a defense in depth approach.

Network Intrusion Detection for Industrial Control Systems
Physical
• Wireless IDS
• Not much at this level
Data Link, Network, Transport
• Detect well known attacks
  ○ Tear drop, LAND, port scanning, Ping
• Common protocol rules
  ○ TCP, IP, UDP, ICMP
Application
• Detect protocol mutations
• Detect protocol specific DOS attacks
• Model based IDS to detect system level attacks
  ○ measurement injection
  ○ command injection
  ○ system state steering

[Diagram (MSU, Tommy Morris): transmission line network with a CT and a relay at each end, connected through a router; a short circuit on the line trips the relay.]

Causal Network Graphs for Intrusion Detection
• Map power system scenarios to a graph with nodes representing a set of time ordered measurable events
• Multiple existing sources of data
• Unique path through graph for each scenario
• Classify events real time

Causal Network Graphs for Intrusion Detection – Case Study
Power system events
• Over current fault – high current -> open breaker
• Remote trip – operator remotely opens breaker for maintenance
• Local trip at face plate – technician trips relay at the face plate
Cyber events - threats
• command injection attack to remotely trip the relay
• man-in-the-middle (MITM) attack on synchrophasor system (I=0)
• man-in-the-middle (MITM) attack on synchrophasor system (I>Itrip)
Measurable events
• Relay breaker status
• Energy Management System (EMS): command from EMS to remote trip
• Synchrophasor system measurements: current measurements (60 samples per second)
• Snort network signatures: detect network message to trip the relay

Bayesian Network Graph -> Causal Event Graph
[Diagram: nodes PMU@T1, Snort, EMS, Relay, PMU@T2. Paths are labelled by the PMU current at T1 (IH, IN, I0), the Snort alert (Sn), the EMS remote trip command (RT), the relay status (Breaker open / Breaker closed) and the PMU current at T2; the labelled outcomes are fault, command injection, remote trip and MITM (I0 and IPMU>ITrip).]

Causal Event Graph Signatures
Scenario                 | PMU@T1 | Snort, EMS | Relay          | PMU@T2
1) Fault                 | IH     | Sn, RT     | Breaker open   | I0
2) Command Injection     | IN     | Sn, RT     | Breaker open   | I0
3) Scheduled Trip        | IN     | Sn, RT     | Breaker open   | I0
4) MITM Attack I=0       | I0     | Sn, RT     | Breaker closed | I0
5) MITM Attack I>ITrip   | IH     | Sn, RT     | Breaker closed | IH
6) Local Trip            | IN     | Sn, RT     | Breaker open   | I0
(time runs left to right)
Hand mapped the signatures to a custom intrusion detection program.

Laboratory Validation – proof of concept
[Diagram: two-bus test circuit: generator G1 on bus B1, load L on bus B2, line L1 between them with breakers BR1 and BR2 controlled by relays R1 and R2.]
• RTDS Simulation
• Implemented each scenario
• Data loggers to capture measurements
• Offline intrusion detection program
• Successful classification of all scenarios
Data flow: Snort, relay logs, EMS logs and synchrophasor measurements -> attack detection program.

Future Work
Causal Event Graphs
• Scale to more realistic systems
  ○ Breaker and a half
  ○ Relay coordination
  ○ Expanded relaying scheme support
• Real time IDS
• Move from Boolean to probabilistic IDS
• Automate graph to IDS signatures
• Measure accuracy and computational cost

Synchrophasor System Equipment
[Diagram: PMUs on the transmission line network stream to PDCs, which feed the EMS, a Historian and Eng'g Analysis. Slide note: "PMU *not shown (the 3 circuits above are part of an" (truncated).]
Phasor Measurement Unit (PMU)
• Synchronized phasor measurements
• 1 µs synchronization, IEEE 1588, GPS
• 3-phase voltage phasors, current phasor
Phasor Data Concentrator (PDC)
• Concentrate PMU streams
• Detect missing data
• Interpolate for missing data
• IEEE C37.118 -> IEC 61850-90-5

Snort Rules for Synchrophasor Systems
• Synchrophasor systems being installed across the country by utilities with ARRA grants
• Improved electric grid visibility
  ○ Detect disturbances sooner
• Wide area protection
  ○ React to disturbances quickly to limit outage
• IEEE C37.118 - Synchrophasor Network Protocol
• Need to develop Snort rules to
  ○ Protect against IEEE C37.118 protocol mutation type attacks
  ○ Detect reconnaissance, DOS, command injection, and measurement injection attacks

Snort Rules for Synchrophasor Systems – Protocol Mutation
Rule 2: Frame Type Check (stand-alone)
  SYNC[0]{6:4} != (0, 1, 2, 3, 4)
  Simple check – is this a legal frame?
Rule 10: Polar Range (multipacket)
  ConfigFrame: (FORMAT[0]{1} == 0 && FORMAT[0]{0} == 1) && DataFrame: (PHASORS[0:1] (Polar angle) > 31,416) || (PHASORS[0:1] (Polar angle) < -31,416)
  Does the polar range in the data frame match the description in the configuration frame?
Rule 11: Data Frame size check (multipacket)
  EXPECTED FRAMESIZE != ACTUAL FRAMESIZE
  Does the frame size match the frame size calculated from examining the configuration frame?

Retrofit SNORT Intrusion Detection for Industrial Control Systems
[Diagram: gas pipeline test bed. The MTU runs the control logic (Set Point, System Mode, Control Scheme, Pump Override, Relief Override, PID Setpoint, PID Gain, PID Reset, PID Rate, PID DB, PID CT) and receives Output, Pump State, Relief State and Pressure from the RTU that drives the pipeline's pump and relief valve; a network tap between MTU and RTU feeds Snort.]
Snort
• Detect Attacks
• Command Injection
• Measurement Injection
• Reconnaissance
• Denial of Service

Snort Protocol Rules for MODBUS
• Reviewed specification and developed a fuzzing framework.
• Using fuzzing framework to guide rule development.
  ○ Rules for specific frame types
  ○ Function codes in frames define payload contents
  ○ Rules based upon relationships between frames: query and response must match
  ○ Response special cases – exception frames match defined exceptions to query function code and error types

Cybersecurity Testing and Risk Assessment for Industrial Control Systems
Denial of Service
• Known attacks
• High volume traffic
• Port scan
Device Security Assessment
• Security features
• Standards conformance
• Protocol mutation
Confidentiality, Integrity
• Password confidentiality
• Password storage
• Vulnerability scan
• Man-in-the-middle
• Many vulnerabilities identified and communicated to vendor and project partner.
• All addressed
  ○ Firmware fixes
  ○ New security features
  ○ System architecture changes

Critical Infrastructure Protection Center
• Identify vulnerabilities, implement attacks, investigate impact on physical systems.
• Develop security solutions: system protection, intrusion detection, attack resilience.
• Train engineers and scientists for control systems security careers.

Cyber Security Industrial Control Systems
• Tommy Morris, Asst. Prof., Director, CIPC: Industrial Control System Security
• Uttam Adhikari, PhD ECE: Power System Cybersecurity
• Quintin Grice, MS ECE: Relay Settings Automation
• Drew Richey, MS ECE: Ladder Logic to Snort Rules
• David Mudd, MS ECE: SCADA Virtual Test Bed
• Read Sprabery, BS CPE: Power System Cybersecurity
• Wei Gao, PhD ECE: SCADA Intrusion Detection
• Shengyi Pan, PhD ECE: Power System Cybersecurity
• Lalita Neti, MS ECE: Relay Settings Automation
• Joseph Johnson, BS EE: Control Systems
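The "Causal Event Graph Signatures" slides above describe each scenario as a unique path of time-ordered events from several sources (PMU current at T1 and T2, a Snort alert, an EMS remote trip command, relay breaker status). The following is an added example, not the presentation's own intrusion detection program: it merges constructed logs from those sources into one path and looks the path up in the signature table. The trip threshold, the half-second window, and which scenarios carry a Snort alert (Sn) or an EMS command (RT) are assumptions taken from the case-study descriptions, not from the slide's table.

```python
# Added example (not the presentation's own code): classify the six case-study
# scenarios as paths through the causal event graph, merging several sources of
# time-ordered measurable events. Snort/EMS presence per scenario is assumed.
I_TRIP = 1000.0   # constructed trip threshold in amps (assumption)
WINDOW = 0.5      # seconds looked back/forward around the anchoring event

def level(amps):
    """PMU current -> graph symbol: I0 (zero), IN (normal), IH (above trip)."""
    if amps <= 0.0:
        return "I0"
    return "IH" if amps > I_TRIP else "IN"

# path key: (PMU@T1, Snort alert seen, EMS remote trip, breaker open, PMU@T2)
SIGNATURES = {
    ("IH", False, False, True,  "I0"): "1) Fault",
    ("IN", True,  False, True,  "I0"): "2) Command Injection",
    ("IN", True,  True,  True,  "I0"): "3) Scheduled Trip",
    ("I0", False, False, False, "I0"): "4) MITM Attack I=0",
    ("IH", False, False, False, "IH"): "5) MITM Attack I>ITrip",
    ("IN", False, False, True,  "I0"): "6) Local Trip",
}

def event_path(pmu, snort_alerts, ems_cmds, relay_log):
    """Merge the sources into one time-ordered path and return its key.
    pmu: [(t, amps)] at 60 samples/s; snort_alerts, ems_cmds: [t];
    relay_log: [(t, "open"|"closed")] status changes, empty if none."""
    abnormal = [(t, a) for t, a in pmu if level(a) != "IN"]
    if relay_log:                   # anchor on the relay action
        t_ref, breaker_open = relay_log[0][0], relay_log[-1][1] == "open"
        prior = [a for t, a in abnormal if t <= t_ref]
        normal = [a for t, a in pmu if t < t_ref] or [pmu[0][1]]
        i_t1 = prior[0] if prior else normal[-1]
    elif abnormal:                  # breaker never moved (MITM cases)
        (t_ref, i_t1), breaker_open = abnormal[0], False
    else:
        return None                 # nothing measurable happened
    later = [a for t, a in pmu if t >= t_ref + WINDOW] or [pmu[-1][1]]
    snort = any(t_ref - WINDOW <= t <= t_ref for t in snort_alerts)
    ems = any(t_ref - WINDOW <= t <= t_ref for t in ems_cmds)
    return (level(i_t1), snort, ems, breaker_open, level(later[0]))

def classify(pmu, snort_alerts, ems_cmds, relay_log):
    """Name the scenario, or flag an unmatched path for analyst review."""
    key = event_path(pmu, snort_alerts, ems_cmds, relay_log)
    return SIGNATURES.get(key, "unclassified path: %r" % (key,))

def pmu_stream(amps_at, seconds=2.0):
    """Constructed 60 samples/s PMU current stream from amps_at(t)."""
    return [(n / 60.0, amps_at(n / 60.0)) for n in range(int(seconds * 60))]
```

A path that matches no signature is reported rather than silently dropped, which is where the probabilistic IDS named under Future Work would take over from the Boolean lookup.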
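The three protocol mutation rules from the "Snort Rules for Synchrophasor Systems – Protocol Mutation" slide (frame type check, polar angle range, expected vs. actual frame size) are shown below as an added frame inspector over constructed IEEE C37.118 frames; this is illustration code, not the project's Snort rules. It assumes the C37.118 header layout (SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC, then STAT and the phasors) and the FORMAT bit meanings as the editor knows them from the standard, handles a single PMU with integer phasors only, and does not verify the CHK checksum.

```python
# Added example (not the presentation's Snort rules): the three IEEE C37.118
# protocol mutation checks as a frame inspector over constructed frames.
import struct

FRAME_TYPES = {0: "data", 1: "header", 2: "cfg1", 3: "cfg2", 4: "command"}
ANGLE_LIMIT = 31416   # int16 polar angle in 1e-4 rad, i.e. +/- pi

class Mutation(Exception):
    pass

def frame_type(frame):
    """Rule 2: SYNC[0]{6:4} must be one of the five legal frame types."""
    if frame[0] != 0xAA:
        raise Mutation("SYNC byte is not 0xAA")
    code = (frame[1] >> 4) & 0x7
    if code not in FRAME_TYPES:
        raise Mutation("illegal frame type %d in SYNC" % code)
    return FRAME_TYPES[code]

def expected_data_size(fmt, phnmr, annmr, dgnmr):
    """Rule 11: single-PMU data frame size implied by the configuration frame
    (FORMAT bits 1/2/3 select float phasors/analogs/freq; bit 0 polar)."""
    ph, an, fq = (8 if fmt & 2 else 4), (4 if fmt & 4 else 2), (4 if fmt & 8 else 2)
    return 14 + 2 + ph * phnmr + 2 * fq + an * annmr + 2 * dgnmr + 2  # hdr..CHK

def check_data_frame(frame, fmt, phnmr, annmr=0, dgnmr=0):
    """Rules 2, 10 and 11 on one data frame; returns the decoded phasors."""
    if frame_type(frame) != "data":
        raise Mutation("expected a data frame")
    size = struct.unpack(">H", frame[2:4])[0]
    if size != len(frame) or size != expected_data_size(fmt, phnmr, annmr, dgnmr):
        raise Mutation("FRAMESIZE %d does not match config/actual" % size)
    if (fmt & 0b11) != 0b01:          # FORMAT{1} == 0 and FORMAT{0} == 1
        raise ValueError("example decodes integer polar phasors only")
    off, phasors = 16, []             # phasors follow the 14-byte header + STAT
    for _ in range(phnmr):            # Rule 10: polar angle range
        mag, ang = struct.unpack(">Hh", frame[off:off + 4])
        if not -ANGLE_LIMIT <= ang <= ANGLE_LIMIT:
            raise Mutation("polar angle %d outside +/-%d" % (ang, ANGLE_LIMIT))
        phasors.append((mag, ang))
        off += 4
    return phasors

def build_data_frame(polar_phasors, annmr=0, dgnmr=0, idcode=1):
    """Constructed single-PMU integer polar data frame; CHK left as zeros."""
    body = struct.pack(">H", 0)       # STAT
    body += b"".join(struct.pack(">Hh", m, a) for m, a in polar_phasors)
    body += struct.pack(">hh", 0, 0) + bytes(2 * annmr + 2 * dgnmr)  # FREQ..DIGITAL
    return struct.pack(">BBHHII", 0xAA, 0x01, 16 + len(body), idcode, 0, 0) + body + bytes(2)
```

Rules 10 and 11 are the multipacket ones on the slide: the checker needs the PHNMR, ANNMR, DGNMR and FORMAT values learned from an earlier configuration frame before it can judge a data frame.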