On Intrusion Detection Systems utilising Stateful Packet Analysis Detection, Security Information and Event Management Systems and Honeypots for IEC 60870-5 SCADA Networks Daniel de Jager 909903994
TABLE OF CONTENTS

1. Introduction
2. SECTION 1: SCADA, IEC 60870-5-104 and Weaknesses
   2.1 Supervisory Control and Data Acquisition (SCADA) Systems
   2.2 SCADA IEC 60870-5 Protocol
   2.3 SCADA System Security Objectives
       2.3.1 Secure Time Provision
       2.3.2 Availability
       2.3.3 Integrity
       2.3.4 Confidentiality
       2.3.5 Common SCADA Technical Vulnerability Points
SECTION 2: Intrusion Detection Systems
   1. Background
   2. Finite State Machines
   3. Honeypots
   4. SCADA Security Information and Event Management Systems
      4.1 Attack Trees
Conclusions and Future Work
References

LIST OF TABLES
Table 1 IEC 60870-5 Protocol Stack
Table 2 Taxonomy of Attacks against SCADA Systems (Zhu, Joseph & Sastry, 2011)
Table 3 Attack Tree Summary Report, Source: Byres et al. (2004)
Page 2 of 19

LIST OF FIGURES
Figure 1 Generic SCADA IEC 60870-5 Architecture, Source: CSIT (2016)
Figure 2 Finite State Machine Diagram
Figure 3 Finite State Diagram of IEC 60870-5-104, Source: Yang et al. (2014)
Figure 4 Attack Tree Example for a Hypothetical System, Source: Ray, Poolsapassit (2005)
Figure 5 Attack Tree on Water Turbine, Source: Coppolino et al. (2012)
1. Introduction
Supervisory Control and Data Acquisition (SCADA) system security is a still-developing area of research within the Critical Information Infrastructure Protection domain. Circumvention of existing security controls and unauthorized use of Critical Information Infrastructure systems can endanger human life; it is therefore crucial to secure these systems.
This paper focuses on the use of intrusion detection mechanisms, with specific attention to three technologies and a methodology for each, since we argue that technology alone is not enough to detect intrusions. The paper is divided into two sections.
It must be noted that policy frameworks, which address standards and procedures, form an essential part of intrusion detection and incident handling and are extremely important, but they have been excluded from this paper.
Section 1 deals with SCADA in general, gives the reader an overview of the importance of protecting SCADA systems and of the IEC 60870-5-104 protocol that is commonly used in Europe, and highlights the security objectives and common weaknesses described in the literature.
Section 2 describes Intrusion Detection Systems (IDS), honeypots and Security Information and Event Management (SIEM) systems, with the focus on methodology: finite state machines in the context of IDS, honeypot approaches, and attack trees in the context of SIEM technology.
The paper concludes with an overview of the discussion points and areas for further research.
2. SECTION 1: SCADA, IEC 60870-5-104 and Weaknesses
2.1 Supervisory Control and Data Acquisition (SCADA) Systems
Automation of industrial control activities saves time and labour and is a requirement for complex industrial systems, which form an integral part of the Critical Information Infrastructure of industry and of a nation state. For this reason Supervisory Control and Data Acquisition (SCADA) systems have been developed to collect data about industrial process activities and to control those processes, physically or logically, over a communication infrastructure (Bipul, 2016).
Key vendors in the SCADA market include ABB, Emerson Electric, Schneider Electric and Siemens, along with a few other prominent companies such as Rockwell, with market revenue estimated to reach at least US $11.6 billion by 2020 (Markets and Markets, 2014).
Beyond the expected market revenue, cloud computing is today a reality of SCADA implementations and may give rise to the next generation of SCADA architectures. However, it also brings the full spectrum of cyber security concerns to SCADA deployments (Wood, 2015).
It is therefore necessary to monitor SCADA systems to ensure normal operation, including the integrity, availability and confidentiality of the information collected and of the control telemetry.
The next section presents an overview of the IEC 60870-5 protocol, which is used for SCADA communications mostly in Europe, after which intrusion detection is discussed in the context of IEC 60870-5.
2.2 SCADA IEC 60870-5 Protocol
Figure 1, as presented by CSIT (2016), shows a generic architecture of a SCADA implementation: a Control Center, manned by personnel who configure and monitor Stations, which in turn connect to Bays and the Physical Level using the IEC 60870-5 protocol, an open standard for telemetry transfer in SCADA systems. The "-5" (dash 5) designation indicates Part 5 of IEC 60870, which covers Transmission Protocols, Link Transmission Procedures, Structure of Application Data, Definitions of Application Information Elements and, lastly, Basic Application Functions (Clarke, Reynders, Wright, 2004).
Figure 1 Generic SCADA IEC 60870-5 Architecture, Source: CSIT (2016)
IEC 60870-5-104 is the companion standard that carries IEC 60870-5 telecontrol traffic over TCP/IP, as opposed to the serial communications of IEC 60870-5-101. Clarke et al. (2004) depict the protocol stack for IEC 60870-5-104 in Table 1.
The IEC 60870-5 protocol stack adds one layer above the Application layer of the Open Systems Interconnection (OSI) model, the User Process layer, which carries telecontrol operations such as station initialisation, clock synchronisation, event counts and file transfers. These operations are encapsulated in the Application layer in the form of an Application Service Data Unit (ASDU). The ASDU is important to note, since this understanding of the protocol stack is used to develop the finite state machines discussed in Section 2.
Layer                                Source
User Process                         Selection of IEC 60870-5-101 Application Functions
Application                          IEC 60870-5-101 ASDUs and Application Information Elements
Transport, Network, Link, Physical   TCP/IP Transport and Network Protocol Suite
Table 1 IEC 60870-5 Protocol Stack
Based on the format and information in the protocol stack, packet analysis can be performed to detect potential intrusions. Section 2 of this paper describes the results of experiments, using a whitelist method, performed by researchers at the Centre for Secure Information Technologies (CSIT).
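As an added example (not code from this paper or from CSIT), the following Python dissector walks the IEC 60870-5-104 framing described above: the APCI start octet and length octet, the four control octets that distinguish I-, S- and U-format frames and carry the send and receive sequence numbers, and the ASDU header (type identification, variable structure qualifier, cause of transmission, common address, first information object address). It rejects a frame whose length octet does not match the bytes actually received, which is the first whitelist check a protocol-aware IDS applies before looking at content. The standard -104 parameter sizes are assumed (2-octet cause of transmission with originator address, 2-octet common address, 3-octet information object address), and the sample frames are constructed here rather than captured.

```python
"""IEC 60870-5-104 APDU dissector (APCI + ASDU header).

Added example for this paper, not code from the paper or from CSIT. Assumes
the standard -104 parameter sizes: 2-octet cause of transmission (with
originator address), 2-octet common address, 3-octet information object
address. Sample frames below are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Optional

START = 0x68

# U-format control functions, keyed by the first control octet.
U_FUNCTIONS = {
    0x07: "STARTDT_ACT", 0x0B: "STARTDT_CON",
    0x13: "STOPDT_ACT", 0x23: "STOPDT_CON",
    0x43: "TESTFR_ACT", 0x83: "TESTFR_CON",
}

# Small subset of ASDU type identifications (full table in IEC 60870-5-101).
TYPE_IDS = {1: "M_SP_NA_1", 13: "M_ME_NC_1", 45: "C_SC_NA_1",
            100: "C_IC_NA_1", 103: "C_CS_NA_1"}


class MalformedApdu(ValueError):
    """Raised for frames that violate the APCI framing rules."""


@dataclass
class Apdu:
    fmt: str                          # "I", "S" or "U"
    send_seq: Optional[int] = None    # N(S), I-format only
    recv_seq: Optional[int] = None    # N(R), I- and S-format
    u_func: Optional[str] = None      # U-format only
    type_id: Optional[int] = None     # ASDU header fields, I-format only
    num_objects: Optional[int] = None
    cot: Optional[int] = None
    originator: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None         # first information object address
    payload: bytes = b""              # information elements after the IOA


def parse_apdu(data: bytes) -> Apdu:
    """Decode one APDU; raise MalformedApdu instead of trusting bad framing."""
    if len(data) < 6 or data[0] != START:
        raise MalformedApdu("missing start octet or frame shorter than APCI")
    length = data[1]
    # The length octet counts every byte after itself; -104 permits 4..253.
    if not 4 <= length <= 253 or len(data) != 2 + length:
        raise MalformedApdu(
            f"length octet {length} does not match {len(data) - 2} received bytes")
    c1, c2, c3, c4 = data[2:6]
    if c1 & 0x01 == 0:                                   # I-format
        apdu = Apdu("I", send_seq=(c1 >> 1) | (c2 << 7),
                    recv_seq=(c3 >> 1) | (c4 << 7))
        asdu = data[6:]
        if len(asdu) < 6:
            raise MalformedApdu("I-format frame without a complete ASDU header")
        apdu.type_id = asdu[0]
        apdu.num_objects = asdu[1] & 0x7F                # bit 7 is SQ
        apdu.cot = asdu[2] & 0x3F                        # bits 6/7 are P/N and T
        apdu.originator = asdu[3]
        apdu.common_addr = struct.unpack_from("<H", asdu, 4)[0]
        if len(asdu) >= 9:
            apdu.ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
            apdu.payload = asdu[9:]
        return apdu
    if c1 & 0x03 == 0x01:                                # S-format
        if length != 4 or c1 != 0x01 or c2 != 0:
            raise MalformedApdu("S-format frame with unexpected control bits")
        return Apdu("S", recv_seq=(c3 >> 1) | (c4 << 7))
    # U-format: one known function code, all other control octets zero.
    if length != 4 or (c2, c3, c4) != (0, 0, 0) or c1 not in U_FUNCTIONS:
        raise MalformedApdu(f"invalid U-format control octet {c1:#04x}")
    return Apdu("U", u_func=U_FUNCTIONS[c1])


def describe(data: bytes) -> str:
    """One-line rendering, as an IDS log entry might show it."""
    a = parse_apdu(data)
    if a.fmt == "U":
        return f"U {a.u_func}"
    if a.fmt == "S":
        return f"S N(R)={a.recv_seq}"
    return (f"I N(S)={a.send_seq} N(R)={a.recv_seq} "
            f"{TYPE_IDS.get(a.type_id, a.type_id)} cot={a.cot} "
            f"ca={a.common_addr} ioa={a.ioa} data={a.payload.hex()}")


# Constructed samples: STARTDT activation; a single command C_SC_NA_1
# (type 45) with COT 6 (activation), common address 1, IOA 1, SCO "on";
# and the same command with a length octet that overstates the payload.
SAMPLE_STARTDT_ACT = bytes.fromhex("68 04 07 00 00 00")
SAMPLE_SINGLE_CMD = bytes.fromhex("68 0E 00 00 00 00 2D 01 06 00 01 00 01 00 00 01")
SAMPLE_BAD_LENGTH = bytes.fromhex("68 20 00 00 00 00 2D 01 06 00 01 00 01 00 00 01")

if __name__ == "__main__":
    for frame in (SAMPLE_STARTDT_ACT, SAMPLE_SINGLE_CMD, SAMPLE_BAD_LENGTH):
        try:
            print(describe(frame))
        except MalformedApdu as exc:
            print("malformed:", exc)
```

The length check matters in practice: an implementation that trusts the length octet and reads that many bytes from the socket will block or read into the next frame, which is exactly the kind of implementation weakness listed under Table 2; a sensor should log and drop such frames rather than try to interpret them.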
2.3 SCADA System Security Objectives
SCADA security objectives are not unlike those of any other critical IT system. Zhu, Joseph & Sastry (2011) list the following security objectives:
- Secure Time Provision
- Availability
- Integrity
  o Field Device to Programmable Logic Controller (PLC) Message Authenticity
  o PLC to Human Machine Interface (HMI) Message Authenticity
- Confidentiality
2.3.1 Secure Time Provision
Real-time SCADA systems are required in complex and critical industrial processes because the information analysed from physical devices and other components is used as input for decision making, either by humans or by intelligent components within the SCADA system. Time can therefore be classified as an asset in a SCADA system and needs to be secured. Time can then be used as one of the variables analysed by an Intrusion Detection System, especially when transitions occur in a finite state machine model (for example, a confirmation that arrives outside the protocol's configured timeout), in order to establish whether a possible intrusion has occurred.
2.3.2 Availability
As with secure time provision, availability is a key security requirement. Field devices, Programmable Logic Controllers (PLC), Intelligent Electronic Devices (IED) and other components within a SCADA network may be stopped accidentally or intentionally. Intrusion Detection Systems must be able to determine whether either case is about to occur or has occurred. In this context, Security Information and Event Management (SIEM) technology can detect that such events have occurred, and IDS sensors can detect that a Denial of Service is underway.
2.3.3 Integrity
Illegal instructions sent to PLCs and field devices must not be allowed, since they threaten the system's capability to function correctly and might lead to physical damage and life-threatening situations. IDS technology can whitelist protocol content (link-layer frames on serial IEC 60870-5-101 links, ASDUs on IEC 60870-5-104 over TCP) to detect or prevent illegal content from being transmitted.
2.3.4 Confidentiality
Confidentiality is normally enforced through encryption, a very effective control. However, IEC 60870-5-104 transmits data in clear text (unless the optional TLS profile of IEC 62351-3 is deployed). Zhu et al. (2011) describe side channel attacks as a risk factor for SCADA systems: an adversary observes system behaviour such as power consumption, algorithm usage and timing values in the system.
Side channel attacks are normally classified as active or passive. Active attacks change the system so that it behaves outside its normal behaviour. Intrusion detection in conjunction with SIEM can provide insight into normal and abnormal system behaviour.
Zhu et al. (2011) further describe a taxonomy of common security weaknesses or vulnerability points in SCADA systems, summarised in Table 2 below.
2.3.5 Common SCADA Technical Vulnerability Points
Common Weaknesses
  Doorknob Rattling
  Default Configurations
  Cinderella Attacks
  Denial of Service
  Log Cleaning
Implementation Weaknesses
  Unauthorised Remote Memory Dump
  Unauthorised Remote Memory Patching
  Unauthorised Remote Function Calls
  Unauthorised Remote Calls
  Buffer Overflows
  SQL Injection
  Input Validation Flaws
  Output Validation Flaws
Network Weaknesses
  Zombie Scans
  Smurfing
  ARP Spoofing
  Chain Attacks
Transport Layer Weaknesses
  SYN Flood Attacks
Protocol Layer Weaknesses
  Unauthorised Reads and Writes
  Information Gathering
  Communication Event Counter Clearing
  Listen Only Mode Attacks
  Unauthorised Remote Sensor Resetting and Reconfiguration
Design Weaknesses
  Monolithic Kernels without Privilege Segregation
Table 2 Taxonomy of Attacks against SCADA Systems (Zhu, Joseph & Sastry, 2011)
It must be noted that, in order to have an effective intrusion detection capability, the above common weaknesses must be monitored on a 24 by 7 basis. Section 2 discusses the concepts of intrusion detection.
SECTION 2: Intrusion Detection Systems
1. Background
Intrusion Detection (ID), Intrusion Detection Systems (IDS) and ID techniques and practices are closely related to Digital Forensics and Incident Response. IDS services can be classified as proactive or reactive. They normally include a collection of technologies deployed at strategic points of an Information Technology network.
These technologies include Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS), which can be host-based or network-based depending on the use cases or abuse cases identified; honeypots, which detect intrusions and collect proactive intelligence in the form of Indicators of Compromise (IOC) used to harden perimeter and host defences; and network taps or log management systems, which collect vast amounts of system log data that is later mined with analytical algorithms to detect potential anomalies.
Lastly, intrusion detection also includes techniques and practices such as statistical and behavioural analysis used in conjunction with asset models to add out-of-the-norm detection capabilities (Wang, Kissel, 2015).
2. Finite State Machines
Finite State Machines (FSMs) are used to model specific system behaviour and are found in digital circuit designs, software systems and network devices. FSMs consist of states and transitions: a state receives an input, which results in a transition to a new state (Bustamente, 2004).
Figure 2 below shows a conceptual FSM where S represents the different states and T the transitions between states.
Figure 2 Finite State Machine Diagram (states S1, S2, S3 ... Sn, connected by transitions T1 to T4)
Yang, McLaughlin, Sezer, Yuan and Huang (2014) developed a prototype IDS based on the behaviour of the IEC 60870-5-104 protocol. This achieves two things: firstly, normal protocol behaviour is identified, and as a result, secondly, misbehaviour can be identified and raised as configured alarms.
This is known as a whitelist approach to detection: known good system behaviour is configured up front, which leads to fewer false positives. The finite state diagram of Yang et al. (2014) for IEC 60870-5-104 is shown in Figure 3.
Experiments with known malicious traffic capture (pcap) files as well as legitimate traffic captures produced a 100% detection rate with no false positives. The same logic can therefore be applied to both host-based and network-based intrusion detection systems. Note that this result is relative to the attacks in the test corpus: an attack that stays within legal protocol behaviour, such as a valid command issued from a compromised but legitimate master station, is not a protocol-state violation and will not be caught by this mechanism alone.
This means that the network-, transport- and protocol-related attacks in Table 2 (Section 2.3.5) that manifest as illegal protocol state or content can be effectively detected with a whitelist approach implemented as a finite state machine. The remaining weaknesses, such as default configurations, must be driven out by Information Security Policy and secure configuration. The downside of the finite state machine is that it must be changed whenever significant changes are made to the IEC 60870-5-104 protocol, which is costly.
Figure 3 Finite State Diagram of IEC 60870-5-104 Source: Yang et al. (2014)
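As an added example serving this section and the timing point of Section 2.3.1 (it is not the Yang et al. code; the state set, the whitelist and the event stream are assumptions made here), the following Python class applies a stateful whitelist to one IEC 60870-5-104 connection. It consumes already-decoded APDUs (a dissector is assumed upstream), enforces the STARTDT/STOPDT state before any I-frame is accepted, checks each ASDU against a (direction, type identification, cause of transmission) whitelist, tracks the send sequence number per direction so that an injected or replayed frame is noticed, and raises an alarm when a confirmation does not arrive within the t1 timeout.

```python
"""Stateful whitelist monitor for one IEC 60870-5-104 connection.
Added example in the spirit of the Yang et al. (2014) prototype, not their
code: the state set, the whitelist and the sample stream are assumptions.
Events are already-decoded APDUs (a dissector is assumed upstream), each with
a timestamp so that timer violations are checked alongside state violations.
"""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Event:
    t: float                        # seconds since the TCP connection opened
    src: str                        # "master" (controlling) or "outstation"
    fmt: str                        # "I", "S" or "U"
    u_func: Optional[str] = None    # U-format function name
    type_id: Optional[int] = None   # ASDU type identification (I-format)
    cot: Optional[int] = None       # cause of transmission (I-format)
    send_seq: Optional[int] = None  # N(S) (I-format)

# (source, type ID, cause of transmission) tuples that are known good.
# Illustrative entries; a real list comes from the site's engineering data.
ALLOWED_ASDU = {
    ("master", 100, 6),       # C_IC_NA_1 interrogation, activation
    ("master", 45, 6),        # C_SC_NA_1 single command, activation
    ("outstation", 100, 7),   # interrogation, activation confirmation
    ("outstation", 100, 10),  # interrogation, activation termination
    ("outstation", 45, 7),    # single command, activation confirmation
    ("outstation", 1, 20),    # M_SP_NA_1 single point, interrogated
    ("outstation", 13, 3),    # M_ME_NC_1 float measurement, spontaneous
}
T1_SECONDS = 15.0  # -104 default t1: a confirmation is expected within t1
# Activation U-frames: permitted sender, expected confirmation, required state.
U_ACTIVATIONS = {
    "STARTDT_ACT": ("master", "STARTDT_CON", "STOPPED"),
    "STOPDT_ACT": ("master", "STOPDT_CON", "STARTED"),
    "TESTFR_ACT": (None, "TESTFR_CON", None),
}

class ConnectionMonitor:
    """Tracks protocol state for one connection and records violations."""
    def __init__(self):
        self.state = "STOPPED"            # data transfer not yet started
        self.pending = None               # (expected confirmation, deadline)
        self.next_send = {"master": 0, "outstation": 0}
        self.alarms: List[str] = []

    def _alarm(self, t, msg):
        self.alarms.append(f"t={t:.1f} {msg}")

    def feed(self, ev: Event):
        # An outstanding confirmation past its deadline is a violation
        # regardless of what the current event is (Section 2.3.1).
        if self.pending and ev.t > self.pending[1]:
            self._alarm(ev.t, f"{self.pending[0]} not received within t1")
            self.pending = None
        if ev.fmt == "U":
            self._u_frame(ev)
        elif ev.fmt == "I":
            self._i_frame(ev)
        elif self.state != "STARTED":     # S-frame outside data transfer
            self._alarm(ev.t, f"{ev.src} sent S-frame before STARTDT")

    def _u_frame(self, ev: Event):
        if ev.u_func in U_ACTIVATIONS:
            who, confirm, required = U_ACTIVATIONS[ev.u_func]
            if who and ev.src != who:
                self._alarm(ev.t, f"{ev.src} sent {ev.u_func} (wrong direction)")
            if required and self.state != required:
                self._alarm(ev.t, f"{ev.src} sent {ev.u_func} in state {self.state}")
            self.pending = (confirm, ev.t + T1_SECONDS)
            return
        if not self.pending or ev.u_func != self.pending[0]:
            self._alarm(ev.t, f"{ev.src} sent unsolicited {ev.u_func}")
            return
        self.pending = None
        if ev.u_func == "STARTDT_CON":
            self.state = "STARTED"
        elif ev.u_func == "STOPDT_CON":
            self.state = "STOPPED"

    def _i_frame(self, ev: Event):
        if self.state != "STARTED":
            self._alarm(ev.t, f"{ev.src} sent I-frame before STARTDT")
        if (ev.src, ev.type_id, ev.cot) not in ALLOWED_ASDU:
            self._alarm(ev.t, f"{ev.src} ASDU type {ev.type_id} cot {ev.cot} not whitelisted")
        expected = self.next_send[ev.src]
        if ev.send_seq != expected:
            self._alarm(ev.t, f"{ev.src} N(S)={ev.send_seq}, expected {expected}")
        self.next_send[ev.src] = (ev.send_seq + 1) % 32768

def run_sample() -> List[str]:
    """Constructed stream (not a capture): start-up, general interrogation,
    then three anomalies."""
    stream = [
        Event(0.0, "master", "U", u_func="STARTDT_ACT"),
        Event(0.1, "outstation", "U", u_func="STARTDT_CON"),
        Event(1.0, "master", "I", type_id=100, cot=6, send_seq=0),
        Event(1.2, "outstation", "I", type_id=100, cot=7, send_seq=0),
        Event(1.3, "outstation", "I", type_id=1, cot=20, send_seq=1),
        Event(1.4, "outstation", "I", type_id=100, cot=10, send_seq=2),
        Event(2.0, "outstation", "I", type_id=45, cot=6, send_seq=3),  # command from wrong side
        Event(2.5, "master", "I", type_id=45, cot=6, send_seq=0),      # injected, stale N(S)
        Event(3.0, "master", "U", u_func="STARTDT_ACT"),               # STARTDT while started
        Event(30.0, "outstation", "I", type_id=13, cot=3, send_seq=4),
    ]
    monitor = ConnectionMonitor()
    for ev in stream:
        monitor.feed(ev)
    return monitor.alarms
```

Running run_sample() yields four alarms: the control command from the outstation, the stale sequence number, the STARTDT activation in the wrong state, and the missing STARTDT confirmation once t1 has elapsed. The first six events produce none, which is the whitelist property the Yang et al. results rely on: legitimate traffic never leaves the modelled states.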
3. Honeypots
Honeypots emulate the network layer and application layer of the OSI model. They have different interaction levels, from low to high, depending on the use case. The information gained from honeypot analysis becomes a valuable source of intelligence for improving an organisation's defensive capability.
Ramachandruni and Poornachandran (2015) mention some key benefits of honeypots in SCADA networks. They argue that there is a lack of research on IDS and firewalling for SCADA, and that honeypots are unique in the way intelligence can be derived from them to improve firewalling and IDS for SCADA.
However, some results from experimentation with low-interaction honeypots are disappointing. Serbanescu, Obermeier and Yu (2015) received only Shodan scans and research-based connections from other peers to their cloud-based honeynet. No adversarial connections were established on the exposed IEC 60870-5-104 and other SCADA-specific protocol ports.
The issue with standard honeypots is that adversaries are able to detect them and are unlikely to disclose valuable zero-day patterns to them. In light of this, Redwood, Lawrence and Burmester (2015) developed a symbolic honeynet framework that is not easily fingerprintable.
Their experiment provided useful events for analysis, attack introspection from the application layer down to the physical layer of the SCADA system, and forensic replays. The forensic replays collected during the experiment could be fed into an IDS to determine whether its finite state model is functioning correctly. No results were provided for such integration of forensic replays, which is one critique of the experiment.
4. SCADA Security Information and Event Management Systems
Security Information and Event Management (SIEM) systems receive log information from data sources and aggregate events to provide an overview of the events that have occurred on a network. They can be used to monitor security as well as non-security events in the context of a Security Operations Centre (SOC) or as part of a Computer Security Incident Response Team (CSIRT) service.
However, effective utilisation of SIEM technology is a key factor in successful monitoring, since merely collecting information about system events is useless unless those events are analysed. If used in conjunction with analysis methodologies such as attack trees, greater benefit can be obtained. The following section explains the concept and uses of attack trees.
4.1 Attack Trees
Attack trees are an intuitive way to model threats, for conceptual and predictive purposes.
Figure 4 Attack Tree Example for a Hypothetical System Source: (Ray, Poolsapassit, 2005)
Ray and Poolsapassit (2005) provide an example of an attack tree above in Figure 4.
The root node is the objective of the attack, and the nodes below it represent the means of achieving that objective. A SIEM system must be configured to identify the corresponding attack patterns, and attack trees enable this process. The same methodology can be applied to SCADA systems: Coppolino, D'Antonio, Formicola and Romano (2012) applied it to an enhanced SIEM system based on an attack on a turbine system. Figure 5 shows the attack tree used.
Figure 5 Attack Tree on Water Turbine Source: Coppolino et al. (2012)
The results of the experiments are not included in their paper; however, the model they present clearly shows that an enhanced SIEM system is capable of detecting attack patterns when attack trees are used to model the threats. It is then up to the SIEM administrator to configure alarms, through correlation rules, for each attack tree developed per abuse case.
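As an added example (a hypothetical tree and hypothetical events, not those of Ray and Poolsapassit, Coppolino et al. or Byres et al.), the following Python code shows one way to turn an attack tree into SIEM correlation logic: each leaf is bound to a predicate over normalised SIEM events, an AND node reports how far along that path the attacker has progressed, an OR node takes the most advanced alternative, and the correlation rule alerts both when the root goal is reached and when a path is partially complete, which is the point at which an operator can still intervene. The event field names (source, kind, host) are assumptions about the SIEM's normalised schema.

```python
"""Attack tree evaluated against normalised SIEM events.
Added example for this paper; the tree, the event schema (source, kind, host)
and the sample events are hypothetical and are not taken from Ray and
Poolsapassit (2005), Coppolino et al. (2012) or Byres et al. (2004).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

@dataclass
class Node:
    name: str
    op: str = "LEAF"                                  # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    detect: Optional[Callable[[Event], bool]] = None  # LEAF only

def leaf(name: str, **match) -> Node:
    """Leaf that fires when some event carries all the given field values."""
    return Node(name, detect=lambda e: all(e.get(k) == v for k, v in match.items()))

def evaluate(node: Node, events: List[Event]) -> Dict[str, float]:
    """Bottom-up completion score in [0, 1] for every node in the subtree.
    LEAF: 1 if any event matches. AND: mean of the children, i.e. progress
    along that path. OR: the most advanced alternative."""
    scores: Dict[str, float] = {}
    if node.op == "LEAF":
        scores[node.name] = 1.0 if any(node.detect(e) for e in events) else 0.0
        return scores
    for child in node.children:
        scores.update(evaluate(child, events))
    child_scores = [scores[c.name] for c in node.children]
    scores[node.name] = (sum(child_scores) / len(child_scores) if node.op == "AND"
                         else max(child_scores))
    return scores

# Hypothetical tree: the attacker's goal is to write an unsafe setpoint to a
# PLC, either through a compromised HMI or by acting as a rogue master.
UNSAFE_SETPOINT = leaf("Setpoint command outside engineering limits",
                       source="ids", kind="asdu_out_of_range")
TREE = Node("Unsafe setpoint written to PLC", "OR", [
    Node("Via compromised HMI", "AND", [
        leaf("Brute-force login attempts on HMI", source="hmi", kind="auth_failure_burst"),
        leaf("HMI login from a new host", source="hmi", kind="login_new_host"),
        UNSAFE_SETPOINT,
    ]),
    Node("Via rogue master on control network", "AND", [
        leaf("ARP spoofing of master address", source="ids", kind="arp_spoof"),
        leaf("STARTDT from unknown source IP", source="ids", kind="startdt_unknown_src"),
        UNSAFE_SETPOINT,
    ]),
])

def correlate(events: List[Event], threshold: float = 0.5):
    """SIEM correlation rule: (goal reached, paths partially complete, scores).
    A partially complete path is worth an early alert before the final step."""
    scores = evaluate(TREE, events)
    partial = [p.name for p in TREE.children if threshold <= scores[p.name] < 1.0]
    return scores[TREE.name] >= 1.0, partial, scores

# Constructed SIEM events (not real logs): a rogue-master path in progress.
SAMPLE_EVENTS: List[Event] = [
    {"t": "10:01:02", "source": "ids", "kind": "arp_spoof", "host": "10.0.5.77"},
    {"t": "10:01:09", "source": "ids", "kind": "startdt_unknown_src", "host": "10.0.5.77"},
    {"t": "10:01:30", "source": "hmi", "kind": "login_ok", "user": "operator1"},
]

if __name__ == "__main__":
    goal, partial, scores = correlate(SAMPLE_EVENTS)
    print("goal reached:", goal, "| partial paths:", partial)
    for name, score in scores.items():
        print(f"  {score:.2f}  {name}")
```

With the three sample events the rogue-master path scores two thirds and is reported as partially complete while the goal is not yet reached; adding an out-of-range setpoint event completes that path and the root. In a production SIEM the leaf predicates would be the correlation rules and the AND/OR structure the rule chaining, which is what the attack tree contributes beyond a flat list of signatures.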
Byres, Franz and Miller (2004) also used an attack tree method to validate SCADA system vulnerabilities; however, one critique of their methodology is that there is no mention of red team/blue team exercises to measure the effectiveness of the team and systems responsible for intrusion detection. Normally a Computer Security Incident Response Team (CSIRT) is responsible for the reactive service elements of intrusion detection. Table 3 below is the output of their attack tree method. It is apparent that weak access control was the key factor undermining protection in their analysis.
Table 3 Attack Tree Summary Report Source: Byres et al. (2004)
Conclusions and Future Work
In this paper we explored finite state machines, attack trees and honeypot intelligence and linked them to technology enablers and common vulnerability points in support of the security objectives of SCADA systems.
Intrusion detection, from a technology standpoint, should take a holistic approach, in traditional IT environments as well as in SCADA. Since intrusions can occur at different levels of the IEC 60870-5-104 protocol stack, from the Internet, and through attacks on humans, there is little value in deploying detection technologies without supporting them with solid methodologies or processes. Effective detection capability is therefore a framework issue.
Attack trees present a formal method to identify attack goals and streamline detection mechanisms, possibly even as red and blue team exercises, which can be performed before production systems become operational or even during product development.
Finite state machines are effective detection mechanisms. The critique of finite state machines is that every SCADA implementation is different, and with the vast number of vendors providing technologies, a finite state machine will not be able to cater for every misbehaviour of a system, especially where proprietary standards are implemented. To overcome this issue, a move to open standards development is recommended. Future research in this area could include adaptive finite state generators that adapt as new vendor products or protocol standards are introduced to the market.
Finally, honeypots can be excellent enablers for strengthening defensive capabilities. However, this area requires more research, especially on the automation and integration of honeypots with other detection mechanisms.
References

Bipul, R. 2016. An Introduction to SCADA for Electrical Engineers – Beginners. Electrical Engineering Portal. Available online: http://electrical-engineering-portal.com/an-introduction-to-scada-for-electrical-engineers-beginners. Accessed: 7 September 2016.

Bustamente, M. 2004. Finite State Machines, Wizards and the Web. MSDN Online. Available online: https://msdn.microsoft.com/en-us/library/aa478972.aspx. Accessed: 8 September 2016.

Byres, E.J., Franz, M. and Miller, D. 2004. The use of attack trees in assessing vulnerabilities in SCADA systems. In: Proceedings of the International Infrastructure Survivability Workshop, December 2004.

Clarke, G.R., Reynders, D. and Wright, E. 2004. Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems. Newnes.

Coppolino, L., D'Antonio, S., Formicola, V. and Romano, L. 2012. Enhancing SIEM technology to protect critical infrastructures. In: International Workshop on Critical Information Infrastructures Security, September 2012, pp. 10-21. Springer Berlin Heidelberg.

CSIT. 2016. Centre for Secure Information Technologies. Available online: http://www.csit.qub.ac.uk/. Accessed: 7 September 2016.

Markets and Markets. 2014. SCADA Market. Available online: http://www.marketsandmarkets.com/Market-Reports/scada-market-19487518.html. Accessed: 7 September 2016.

Ramachandruni, R.S. and Poornachandran, P. 2015. Detecting the network attack vectors on SCADA systems. In: 2015 International Conference on Advances in Computing, Communications and Informatics (ICACCI), August 2015, pp. 707-712. IEEE.

Redwood, O., Lawrence, J. and Burmester, M. 2015. A Symbolic Honeynet Framework for SCADA System Threat Intelligence. In: International Conference on Critical Infrastructure Protection, March 2015, pp. 103-118. Springer International Publishing.

Serbanescu, A.V., Obermeier, S. and Yu, D.Y. 2015. A Scalable Honeynet Architecture for Industrial Control Systems. In: International Conference on E-Business and Telecommunications, July 2015, pp. 179-200. Springer International Publishing.

Wang, J. and Kissel, Z. 2015. Introduction to Network Security: Theory and Practice. Hoboken, NJ: Wiley. eBook Collection (EBSCOhost). Viewed 5 September 2016.

Wood, L. 2015. Research and Markets: Global SCADA Market in Power Industry 2015-2019. Business Wire. Available online: http://www.businesswire.com/news/home/20151106005374/en/Research-MarketsGlobal-SCADA-Market-Power-Industry. Accessed: 7 September 2016.

Yang, Y., McLaughlin, K., Sezer, S., Yuan, Y. and Huang, W. 2014. Stateful Intrusion Detection for IEC 60870-5-104 SCADA Security. DOI: 10.1109/PESGM.2014, pp. 1-5. IEEE.

Zhu, B., Joseph, A. and Sastry, S. 2011. A taxonomy of cyber attacks on SCADA systems. In: 2011 International Conference on Internet of Things (iThings/CPSCom) and 4th International Conference on Cyber, Physical and Social Computing, pp. 380-388. IEEE.