Critical infrastructure Protection and Cyber Attack Modeling
0 likes561 views
The document discusses cyber attacks on critical infrastructure and industrial control systems. It describes common attack types like response injection, command injection, and denial of service attacks. Specific vulnerabilities of communication protocols and lack of authentication are discussed. The document also examines the Stuxnet attack scenario and how it compromised Iranian uranium enrichment facilities by targeting programmable logic controllers. Recommendations are made to improve cyber defense of critical infrastructure.
Critical infrastructure Protection and Cyber Attack Modeling
- 1. Blaž Ivanc blaz.ivanc@determinanta.si Guest Lecture at the Defense Studies InformationTechnology and National Security 17 January 2017
- 2. A critical infrastructure contains information systems as well as industrial control systems (ICS).The latter include: Supervisory control and data acquisition systems (SCADA): The systems are referred to as the central nervous system of a wide-area control network. Distributed control systems: they are part of system control on one integral location. Programmable logic controllers (PLC): they are used in the control of specific applications, most frequently in machine control in the production process. Control elements are a key part of one or several control sub-systems: Remote Terminal Unit (RTU), Master Terminal Unit, Human-Machine Interface, Intelligent Electronic Device, control servers and other control information infrastructure are also classified in this group.
- 3. Understanding the system prior to the attack enables the attackers to implement more complex attack. After the attacker has broken into the critical infrastructure network, the following threats are common: response injection, command injection, and denial of service. The known weakness of communication protocols in ICS is the absence of the appropriate authentication, which enables false data injection and false response packets. The absence of verifying the integrity of measurement data in sensors enables response injection and consequently inappropriate responses in relation to the actual situation.
- 4. Deception attacks ▪ The attacks with the goal of deception can be found in the industrial control systems as a change in the parameter values and can, as a result, impact on the behaviour of components, e.g. switches, controllers, and actuators. ▪ Deception attacks vs. replay attacks False data injection attack ▪ Attacker can inject random or target false data. ▪ Stealth attack. ▪ Identifying the network models can enable the attacker to implement simple attacks that are yet hard to detect. Network traversal attack ▪ Attack penetrates the network layers and enables the attacker the path to the key elements of industrial control systems by exploiting the trust relationship among the network hosts.
- 6. Node Description G-0 Cyber-attacks in critical infrastructure G-1 Reconnaissance and attack development G-2 The attack on industrial control systems G-3 Getting acquainted with the field data G-4 Development of offensive computer-network operation in the mirrored environment. G-5 Direct compromising of the industrial control systems G-6 Attack on the system integrator level G-7 Acquiring documentation and program files G-8 Computer network analyses G-9 Attacks on a field level G-10 Exploiting the weakness of routine procedures G-11 Embedding backdoor in IT systems G-12 Data manipulation G-13 Capturing data flow traffic G-14 Data flow emission G-15 Traffic processing G-16 Program change in programmable logic controller G-17 Manipulation on sensor level G-18 Compromising communication paths G-19 Remote manipulation through additional users G-20 Local manipulation of the process database G-21 Adding communication paths G-22 Embedding of the MitM attack mechanism
- 7. The target can often be the system integrator of the industrial control system in the critical infrastructure.This raises the following questions: Can the operator of the critical infrastructure prevent concrete information attacks that exploit the system integrator as an entry point? Can the operator of the critical infrastructure prevent a security incident resulting from compromising technology on the level of the manufacturer? Has the operator of the critical infrastructure considered information attacks originating from compromising higher structures (systems integrator, technology producer) while performing risk assessment and was the operator able to provide concrete security countermeasures? System supply chain is the appropriate point for compromising, especially in terms of structures that can represent more demanding attack techniques or merely exploit its situation in the required access to the application with simple offensive methods.
- 8. Key features of novel cyber-attacks The attacks are focused on compromising data integrity with the aim of causing consequences in the physical space The attacks reveal new offensive information techniques The malicious code dropper can exploit at least one of the unknown software vulnerabilities with the purpose of expanding or raising the privileges Autonomous generating of the system specific payload
- 9. Attack scenario - Stuxnet Attack scenario includes the spreading of malicious code and compromising of programmable logic controllers. ▪ Stuxnet was discovered in June 2010.The targets of the attack were the facilities for enrichment of uranium in Iran. The malicious code Stuxnet has spread inside the target in several ways. ▪ Malicious code dropper exploited also the unknown vulnerabilities. Purpose of the attack was to reprogram the industrial control systems by changing the PLC code. ▪ The final system targets of the attack were control system, engineering system and the selected programmable logic controllers. Changes in the operation of programmable logic controllers (PLC) are achieved by replacing the DLL file. ▪ The key for the target payload was in PLC rootkit.
- 10. Characteristics of the Enhanced Structural Model: segmental distribution of the model structure ▪ S-1 (Dropper), S-2 (Payload), S-3 (Structure of malicious code spreading) demonstration of countermeasures ▪ C-1 (Network-isolated systems), C-2 (Control over the events in computer resources), C-3 (Network system for intrusion detection), C-4 (Authentication security mechanisms) use of labels for exploiting vulnerability use of labels for attack vectors ▪ v1 (Weak Authetication), v2 (DLL Hijacking), v3 (MitM) use of additional nodes ▪ Conditional subordination node G-2 = P-1 OR (G-5 AND G-6) ▪ Housing node
- 11. Critical infrastructure operators are advised to establish cyber defense departments which will review security issues in terms of threat agents. Sophisticated critical infrastructure attack analyses show that attacks executing a discrete covert channel are a relatively evenly distributed combination of a physical and a cyber attack supported by extensive intelligence efforts. According to the findings more security measures should be introduced in Slovenia immediately: Mandatory introduction and monitoring of the implementation of security standards for industrial control systems. It is necessary to determine the level of independence of the critical infrastructure operator in terms of physical process management through industrial-control systems. It would be wise to establish a small, highly competent organization for cyber security and CIP. In Slovenia, this would ensure a secure supply of individual system components, assessment of adequate security mechanisms, forcing the local know-how to pursue constant development and monitor the progress of technology related areas.