Method to Counter the Threat of Covert Channels in LONWorks-based Industrial Control Systems

Igor I. Bezukladnikov
Perm National Research Polytechnic University
Prof. Pozdeeva str. 7, Perm, Russian Federation, 614013
corrector@at.pstu.ru

Efim L. Kon
Perm National Research Polytechnic University
Prof. Pozdeeva str. 7, Perm, Russian Federation, 614013
kel-40@yandex.ru

ABSTRACT

The problem of countering one of the most dangerous unconventional information security threats to modern industrial control systems, covert channels, is considered. A universal method of countering this threat, based on a previously unknown formal condition for the existence of covert channels, is proposed. An illustration of the method applied to counter covert channels in a real industrial control system is given.

Keywords
Information security, Covert channels, ICS, LonWorks

1. INTRODUCTION

The rapid growth of information control systems (ICS) operating in different industries, and their increasing complexity, make the questions associated with their information security prominent. Among the least studied and at the same time most dangerous types of attacks on ICSs are attacks through covert channels (CC). The existing information security standards for such systems contain practically no specialized measures that directly counter covert channels, and the conventional general-purpose countermeasures offered by the standards have no effect on CC functioning. Studies of covert channels as a separate class of information security threats have only begun in recent years, and works on this subject are extremely few. The analytical review carried out by the authors disclosed the absence of a consistent, systematic approach to the problem of analyzing and countering covert channels. The known works are unsystematic descriptions of specific implementation variants of covert channels and of the specific countermeasures corresponding to them, without analysis of their domain of applicability and without attempts to formalize and generalize them.

This paper describes a universal method of countering covert channels based on the destruction of the conditions essential for their existence, according to the formal model of a covert channel suggested by the authors. The method is an integral part of the general method of building, analyzing and countering covert channels proposed by the authors, which includes a formal model of the covert channel, a classification of covert channels, methods of evaluating their danger and methods of countering the detected dangerous covert channels. More detailed information about these elements of the general method is given in earlier publications by the authors [2, 3, 1, 4, 5].

2. FORMAL MODEL OF COVERT CHANNEL

The first step towards a formal approach to analyzing and countering covert channels is to create a formal model describing the covert channel itself. Since communication systems in general, and LonWorks in particular, as used in industrial ICSs, can be described by the multilevel ISO OSI interaction model, the following assertions were taken as the starting point for developing such a model of a covert channel:

Assertion 1. Hidden transmission of information is possible at any level of a system described by the multilevel ISO OSI model whenever the communication channel resource is underexploited in the open exchange process (Fig. 1).

The potential presence of underexploited resources at every level of ISO OSI allows one to pass to the search for a general solution for building a covert channel that is invariant to the ISO OSI level. Further analysis is based on the following assertion:

Assertion 2.
The problem of building a covert channel at an arbitrary level of ISO OSI is equivalent to the problem of building an information transmission channel under the following basic conditions:

• Potentially any underexploited information resource of the corresponding level of the seven-level ISO OSI model of a general-purpose open network, or of the corresponding levels of the models of specialized-application networks, is an informative parameter of the covert channel.

• The main problem in building a covert channel is equivalent to the problem solved by the physical level of the channel (as applied to CCs, the problem of modulation and demodulation of the underexploited resource).

Figure 1: Speed (bps) versus time (sec). Legend: maximum achievable speed; speed in the legal (open) channel; resources occupied by the legal (open) channel; underexploited resources of the communication channel.

Studies carried out by the authors showed that, taking these conditions into account, it is admissible to use the models of the physical level of a communication channel to describe a covert channel operating at an arbitrary level of ISO OSI. There are quite a few models describing the functioning of the physical level of a communication channel. The selection of a communication channel model to describe a covert channel is based on the following assertions:

Assertion 3. Active countermeasures against a covert channel under the conditions of an effective information security policy (ISP) are a priori non-existent (by definition, a covert channel is one that does not contradict the effective information security policy).

Assertion 4. A covert channel functions under conditions of unintentional random noise, which can be represented in the form of white Gaussian noise (the proof is based on Assertion 3).

2.1 Covert Channel Existence Conditions

Taking the above assertions into account, we suggest using the discrete communication channel (DCC) model to describe the physical level of a covert channel. The proposed model made it possible to find previously unknown formal necessary conditions for the existence of a covert channel in terms of a DCC and its invariant variations:

Condition 1. The system should have an underexploited resource (UEr) satisfying the following requirements, which follow from the representation of a CC as a DCC:

UEr modulation requirement: the transmitter of covert channel information should be capable of forming at least two states of the underexploited resource, i.e. there should exist a transmitting alphabet

$$A = \{a_1, a_2, a_3, \ldots, a_n\} \quad (1)$$

where $a_i$ is a state of the resource formed by the transmitter, with $|A| \geq 2$.

UEr demodulation requirement: the receiver of hidden information should be capable of detecting and recognizing at least two states of the underexploited resource, i.e. there should exist a reception alphabet

$$B = \{b_1, b_2, b_3, \ldots, b_m\} \quad (2)$$

where $b_i$ are the detected states of the resource, with $|B| \geq 2$. In addition, there should exist a matrix of transitions between the states of the transmitter and the states of the receiver of information through the covert channel:

$$P(x|y) = \begin{pmatrix} P_{a_1 - b_1} & \cdots & P_{a_1 - b_k} \\ \vdots & \ddots & \vdots \\ P_{a_n - b_1} & \cdots & P_{a_n - b_k} \end{pmatrix} \quad (3)$$

where $P(x|y)$ is the probability of receiving symbol $b_y$ when symbol $a_x$ is transmitted between the participants of the hidden exchange of information, and $\sum_{j=1}^{k} P_{a_i - b_j} = 1$ for every $i = 1..n$.

Condition 2 (condition of consistency with the effective ISP): the hidden channel shall be consistent with the information security policy (ISP) effective within the system, or the time until it is compromised or destroyed should exceed the time necessary to carry out the required malicious actions according to the selected attack scenarios. Otherwise the reason for the existence of a covert channel is lost, because conducting an attack through such a channel is impossible on account of its discrediting or destruction.
For systems with limited resources, of which the lower levels of modern industrial ICSs are a particular case, it is expedient to introduce one more condition into the set of necessary ones: the condition of consistency with the existing restrictions on software and hardware resources. This condition can be formulated as follows:

Condition 3 (condition of satisfying resource restrictions): the creation and operation of a covert channel shall not take the system as a whole, or its specific components, beyond the software and hardware restrictions existing in the system.

2.2 A Method of Countering Covert Channels by Destruction of the Necessary Conditions of Existence

The necessary conditions for the existence of covert channels stated above make it possible to approach the problem of countermeasures against covert channels from a formal standpoint. This is possible because the failure of any of the above conditions automatically makes the covert channel unrealizable. Thus, on the basis of the analysis of the necessary conditions, the following countermeasures based on their failure can be isolated:

1. Failure of Condition 1 (existence of an underexploited resource with the required characteristics). This can be realized by introducing additional restrictions that deny the creation or selection of the required states of the underexploited resource; this results in the destruction of the covert channel exploiting the corresponding type of underexploitation. Note that the UEr modulation and demodulation requirements can also be violated by an alternative method, which we did not find in earlier known works. The method is based on creating a legal covert channel that uses for its operation the same underexploitation of the open resource.
The fact that information is transmitted by such a legal covert channel substantially decreases the underexploitation available to the creator of a malicious covert channel; this degrades the performance of such a channel or makes its implementation impossible. In addition, the use of the same underexploitation by the violator inevitably generates a conflict caused by the lack of coordination of access to the shared resource and, as a consequence, damages the information transmitted both by the violator's covert channel and by the legal covert channel. This fact can easily be traced and, accordingly, used to discredit the malicious covert channel.

2. Violation of one of the additional conditions (the condition of consistency with the effective information security policy, the condition of satisfying resource restrictions). This can be achieved by improving the respective ISP filters and, as a consequence, decreasing the time cost of discrediting the malicious covert channel, or by adding filters that analyze the parameters necessary to detect the covert channel. For systems with restricted resources it is also possible to counter the implementation of the covert channel by decreasing the software and hardware resources accessible to the violator. E.g. in the case of field-level devices (level TL1 of the multilevel distributed measurement control system (DMCS) considered in [2]), the considerable limitation of their hardware resources makes it possible to exclude, or substantially decrease the probability or essential characteristics of, a malicious covert channel by introducing an additional legal task that exploits, to the extent possible, all free resources.

Note that the proposed countermeasures can be used in any combination. Consider, as an example, such a combination countering covert channels in a real system.
2.3 Example of the Proposed Method Used in a Real Measurement Control System

The aircraft engine test automation system (TAS) shown in Fig. 2 is designed to measure, record and display the basic test parameters used to adjust, fine-tune and check the functional performance of various aggregates, and is a complex information and measurement system. In its operation the TAS handles numerous parameters to be measured, with a wide range of measured analog signals of considerable total intensity.

Figure 2: Model of LONWorks-based protected TAS. (Block diagram; elements: engineering terminal with antivirus software and personal firewall; log server; auxiliary peripherals; LAN; IDS; firewalls; Local Control Network (LCN), level TL2; TL1-TL2 gateway with access monitor (reference monitor); Modbus and LonWorks segments, level TL1; measurement sensors, level TL0.)

A preliminary analysis carried out by the CRAMM v5 methods shows that the main risks which can be realized by software-technical methods and cause the greatest damage are those connected with leakage (hereinafter attack scenario A1) and modification (scenario A2) of measurement data. Further analysis carried out by the general method [1] detected three covert channel types¹ classified according to [2]: those exploiting the underexploitation of the information structure resource (class A), of the time resource (class B) and of the ordering resource (class C). Some of the detected covert channels (see Table 1) are dangerous² for the respective attack scenarios, and they should be countered. In general, as noted above, according to the given approach it suffices to violate at least one of the necessary and sufficient conditions of existence of a covert channel in order to counter it.

Within the framework of countering the attack by modification of data (scenario A2) it is suggested to destroy the second necessary condition (consistency with the effective ISP) and narrow the vulnerability window to safe limits. We suggest performing such a narrowing by introducing integrity algorithms for the transmitted data.
In compliance with the existing algorithm, the software of the reference monitor existing in the TAS should be supplemented with an integrity analyzer. The principle of operation of such a protection system is shown in Fig. 3.

Figure 3: Model of LONWorks-based protected TAS. (Block diagram; elements: LONWorks node A and LONWorks node B, each running an applied task alongside malicious logic; access monitor containing the coder and the decoder of the integrity algorithm.)

It should be noted that the implementability in principle of such a protection scheme is determined by the fact that the application processor of the Neuron Chip performs the available applied tasks separately, and the malicious logic present at the same node has no possibility of substituting the input values of network variables received from directly connected sensors. Regretfully, it is impossible to transmit the additional information for integrity monitoring directly by the conventional method using the open channel (solid line in Fig. 2), because an additional network variable in the received traffic can be wrongly interpreted by the software performing the data collection function at the upper TAS level, and this software cannot be modified because of its proprietary nature. In this connection, on the basis of the proposed universal countermeasure method, it is suggested to solve these two problems simultaneously by organizing the transmission of the control information through a legal covert channel of class C (underexploitation of the ordering resource, see the classification in [2]).

¹ All detected covert channels use underexploitation of the Application Layer of the LonTalk protocol stack.
² Dangerous covert channels are those whose attack time is not more than the width of the vulnerability window, 1800 seconds. Such channels are highlighted in Table 1.
The use of the same underexploited resource by the legal channel and by a potential malicious covert channel (if the latter is present) violates the first necessary condition of existence, causing the failure of both organized covert channels and, as a consequence, damage to the transmitted control information, which can be detected by the reference monitor. The process of transmitting the control information has no effect on the measurement information transmitted by the open channel, so no modification of the software at the nodes of level TL2 is needed. Since the only covert channel dangerous with respect to attack scenario A1 (data leakage) is the covert channel of class C, the proposed protection at the same time solves the problem of countering this attack scenario, disrupting by its functioning the necessary conditions of existence of the illegal channel.

Table 1: Summarized results of the analysis of CC danger for attack scenarios A1 and A2 for Neuron Chip 3150-based TAS units. Cell values are the time required for a successful attack, in seconds; the first column is the information capacity of a CC alphabetic character, [log2(|A|)], in bit/symbol.

[log2(|A|)]   CC of A type (CC1)   CC of C type (CC2)   CC of B type (CC3)   CC of B type (CC4)

Scenario A1 (length of transmitted message: 32768 bytes)
1             28695.6              23244.4              12873.8              5977.1
2             17680.7              15573.7              19310.7              4736.7
3             13912.5
4             13982.1              38621.5              2988.5
6             128738.4             2313.1
9             1716.74

Scenario A2 (length of transmitted message: 4096 bytes)
1             3474.8               2905.5               1609.2               947.1
2             1985.1               1946.7               2413.8               792.1
3             1739.1
4             1747.7               4827.6               573.5
6             16092.3              489.1
9             414.5

As the algorithm for calculating the checksum we suggest using the well-known CRC16 algorithm, which is simple to implement even in systems with restricted resources. To simplify the data transmission algorithm through the legal covert channel and to exclude the shift operation, we suggest using 8 bits per one event of hidden transmission (manipulation of the order within a sequence of 6 network variables).
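As an added example (not code from the paper or from the TAS it describes), the following Python sketch models the legal class C channel and the reference-monitor integrity check described above, together with the conflict case of Section 2.2: one byte is carried as the order of the 6 network variables, the CRC16 of the measurement data is sent as two such orderings, and the monitor recomputes and compares it, so that a modified measurement (scenario A2) and a conflicting reordering of the same sequence by another party both surface as a mismatch. The network-variable names, the CRC polynomial (0x8005) and the sample readings are assumptions.

```python
from typing import List

# Assumed names for the six network variables (NVs) of one exchange sequence
# (illustration, not the paper's code). The open channel carries the same six
# NVs whatever their order, so TL2 software sees an unchanged data flow.
NV_SELECTORS = ("nv1", "nv2", "nv3", "nv4", "nv5", "nv6")
N = len(NV_SELECTORS)  # 6! = 720 orderings: 9 bits available, 8 bits used

def crc16(data: bytes, poly: int = 0x8005) -> int:
    """Bit-serial CRC16 (polynomial assumed; the paper only says CRC16)."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def encode_symbol(value: int) -> List[str]:
    """Map one 8-bit symbol to an NV ordering (factorial-base digits, no shifts)."""
    assert 0 <= value < 256, "one transmission event carries exactly 8 bits"
    pool, order = list(NV_SELECTORS), []
    for radix in range(N, 0, -1):
        value, idx = divmod(value, radix)
        order.append(pool.pop(idx))
    return order

def decode_symbol(order: List[str]) -> int:
    """Inverse of encode_symbol; rejects anything that is not a permutation."""
    if sorted(order) != sorted(NV_SELECTORS):
        raise ValueError("observed sequence is not an ordering of the 6 NVs")
    pool, digits = list(NV_SELECTORS), []
    for name in order:
        digits.append(pool.index(name))
        pool.remove(name)
    value = 0
    for i in range(N - 1, -1, -1):  # radices 1, 2, ..., 6 from the last digit
        value = value * (N - i) + digits[i]
    return value

def node_send(packages: bytes) -> List[List[str]]:
    """Node A: CRC16 over two 8-NV measurement packages, sent as two orderings."""
    crc = crc16(packages)
    return [encode_symbol(crc >> 8), encode_symbol(crc & 0xFF)]

def monitor_check(packages: bytes, observed: List[List[str]]) -> bool:
    """Reference monitor: checksum recovered from the NV order must match the data."""
    try:
        received = (decode_symbol(observed[0]) << 8) | decode_symbol(observed[1])
    except (ValueError, IndexError):
        return False  # damaged ordering: conflicting use of the same resource
    return received == crc16(packages)  # False: stop the experiment (ISP)

# Constructed sample: two packages of 8 one-byte NV readings each.
SAMPLE = bytes([120, 121, 119, 122, 250, 251, 249, 252, 30, 31, 29, 32, 7, 7, 8, 6])

def scenarios() -> dict:
    """Intact delivery, modified data (scenario A2), and a conflicting reorder."""
    frames = node_send(SAMPLE)
    tampered = bytes([SAMPLE[0] ^ 0x01]) + SAMPLE[1:]
    conflicted = [frames[0][1:] + frames[0][:1], frames[1]]  # rotated by other logic
    return {"intact": monitor_check(SAMPLE, frames),
            "modified": monitor_check(tampered, frames),
            "conflict": monitor_check(SAMPLE, conflicted)}
```

Because encoding is a bijection between the 256 symbol values and a subset of the 720 orderings, any competing reorder of the same sequence changes the decoded checksum and is caught by the same comparison as a data modification.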
The checksums are to be calculated at the rate of one checksum per 2 measurement packages (8 network variables each) of transmitted information. An earlier analysis of the resource costs of performing the data transmission algorithm through a covert channel of class C yields the following results for the chosen sequence length N = 6:

• The time to perform the algorithm of the legal CC is $T_{alg} = 4.7$ ms. This value is one order of magnitude lower than the average time to perform the applied tasks in a TAS LONWorks node (50 ms) and can be considered unnoticeable against their background.

• The memory requirements of the legal CC are $M_{RAM} = 146$ bytes of RAM and $M_{ROM} = 1792$ bytes of read-only memory. Both values do not exceed the threshold of 10% of the available resources of the node (2048 and 18432 bytes, respectively) and can also be considered unnoticeable within the framework of the chosen hardware basis.

Guided by the presented initial data (length of the sequence of exchanges N = 6, the respective information capacity of an alphabetic character $I_{symb} = \lfloor \log_2(6!) \rfloor = 9$ bit/symb, the used information capacity of the symbol 8 bit/symb, and the length of the transmitted information sequence $L_{CRC16} = 16$ bit), it is possible to evaluate the time required to successfully transmit one CRC16 checksum through the legal covert channel³:

$$T_{CRC} = \sum_{i=1}^{2} \left( T_{coding}(x_i) + T_{decoding}(x_i) + T_{CEWT}(x_i) \right) \quad (4)$$

$$T_{CRC} = 2 \cdot (0.0032 + 0.0047 + 0.091) = 0.19\ \mathrm{s}$$

where $T_{coding}(x_i)$ is the encoding algorithm delay for symbol $x_i$, $T_{decoding}(x_i)$ is the decoding algorithm delay for symbol $x_i$, and $T_{CEWT}(x_i)$ is the covert channel availability delay⁴ for symbol $x_i$.

The evaluation shows that transmitting one checksum through the presented implementation of the legal covert channel takes only 0.19 seconds. Since, in compliance with the effective ISP, upon detecting an inconsistency between the transmitted checksum and the measurement data the TAS reference monitor generates a signal to stop the experiment, this makes it possible to narrow the vulnerability window of the system, for an attack according to scenario A2 (modification of the transmitted measurement information), down to the time necessary to transmit this checksum.

To prove the efficiency of the proposed countermeasures, the danger of the detected covert channels was reanalyzed for the TAS under consideration, taking the changes made into account. From Table 2 it is apparent that the implementation of covert channels of type C became impossible because of the absence of the respective underexploited resource (the ordering resource is used to realize the legal covert channel transmitting CRC16). The decrease of the width of the vulnerability window for attack scenario A2 from $W_{A1} = 1800$ s to $W'_{A1} = 0.19$ s made it possible to transfer the covert channel of class C into the category of non-dangerous.

Table 2: Evaluation of CC danger with account of countermeasures

Covert channel type                   Attack time, s   Countermeasure                            Conclusion about danger
All CCs of C type                     see Table 1      Destruction of Condition 1                not dangerous
CC of B type, Isymb = 3 bit/symb      1739.1           Narrowing window from 1800 s to 0.19 s    not dangerous
CC of B type, Isymb = 4 bit/symb      1747.7           Same as above                             not dangerous

3. CONCLUSIONS

The analysis performed allows us to conclude that the proposed protection solution is efficient and has the following advantages:

1. The proposed protection solution makes it possible to exclude the necessity of modernizing the TL2 level, because from the standpoint of the TL2 software the proposed solution does not make any changes in the flow of data transmitted through the open channel.

2. The proposed solution provides an efficient countermeasure against all kinds of covert channels detected by the analysis that present a danger to the system, by the method of violating the necessary and sufficient conditions: for the covert channel of class C, for all attack scenarios, by complete destruction of the covert channel of class C; for the covert channels of other classes, within the framework of scenario A2, by a radical decrease of the vulnerability window.

³ According to the method described in [4].
⁴ Delay caused by the necessity to wait for suitable conditions for the transmission of the selected symbol through the covert channel.

4. REFERENCES

[1] I. I. Bezukladnikov and E. L. Kon. Covert channels in industrial control systems. In Problems of Telecommunication Processes and Technology: Proceedings of the XI International Scientific and Technical Conference, pages 84–89, Kazan, KGTU, November 2011.
[2] I. I. Bezukladnikov and E. L. Kon. Problem of covert channels in industrial control and infocommunication networks. Industrial Automated Control Systems and Controllers, (7):61–64, 2011.
[3] I. I. Bezukladnikov and E. L. Kon. Covert channels in distributed information control systems. Vestnik KGTU im. A.N. Tupoleva, (3):124–131, 2012.
[4] I. I. Bezukladnikov and E. L. Kon. Threat risk assessment of covert channels in distributed industrial LonWorks-based networks. Neurocomputers: Development and Application, (11):53–58, 2013.
[5] National Institute of Standards and Technology. NIST SP 800-82, Guide to Industrial Control Systems Security. http://csrc.nist.gov/publications/nistpubs/80082/SP800-82-final.pdf/, 2011. [Online; accessed 08-May-2015].