"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control Systems
4 likes1,396 views
The document discusses the anatomy of data integrity attacks in industrial control systems. It begins by introducing the authors and their backgrounds in process control and security. It then discusses challenges in understanding industrial control system protocols and data. The document uses examples from power systems and distributed control systems to illustrate how process data is collected, scaled, and transmitted at different levels. It emphasizes that point configurations and data scaling are customized for each unique system. The goal is to help security researchers better understand operational technology in order to identify vulnerabilities and challenges from an attacker's perspective.
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control Systems
- 1. Anatomy of Data Integrity Attacks in Industrial Control Systems Marina Krotofil & Chris Sistrunk “MAN-IN-THE-SCADA”:
- 2. About us Mostly on offence side 7 years in process control security research On and Off 13 years in security Mostly on defense >10 years experience in power engineering 8 years in security Specialization: Process Control MK CS Specialization: Power Sector
- 3. Setting Context Industrial Control Systems and Cyber- Physical Hacking
- 4. Industrial Control Systems Information Technology (IT) Operational Technology (OT) boss boss Know how to run Win95 Always blamed Helpless desk Physical application
- 7. Most frequently assumed scenario CONTROL SYSTEM OPERATOR CONSOLE PROCESSOPERATOR
- 8. Why? Insecurity by design of majority of industrial protocols Mechanics of MITM attack is well understood and tons of tools are readily available (almost Plug&Play) We simply DON’T KNOW BETTER (yet)
- 9. Let’s look into the packet (2) Ugh :-( I need protocol parsers. I knew it! ???
- 10. Let’s look into the packet (3)
- 11. Let’s look into the packet (4) Relative humidity Temperature (F) ???
- 12. Let’s look into the packet (5) https://ask.wireshark.org/questions/59670/extract-particular-register-from-series-of-modbus-packets
- 13. Let’s look into the packet (6)
- 14. Let’s look into the packet (7)
- 15. Let’s look into the packet (8)
- 16. Who can guess it best? o Donuts? (Ok, it was a joke) o Can be − Direct measurement − Result of computation o Bit counts/%/EU o Celsius/Fahrenheit o Centimeters/meters/miles/light years o Pa/kPa/mPa/Psia/Psig/Atm/Bar o Kgh/m3h/nm3h/scmh/kscmh o Keep guessing…. EU -> Engineering Units PV PV aux calc
- 17. New Information to Build New Assumptions Configuration of a Single point
- 18. Operates on raw data Operates on information Purdue reference architecture http://krakenautomation.com/images/KrakenPyramid.jpg
- 19. Raw sensory data rarely can be used directly. The electrical output of a sensing element is usually small in value and has non-idealities such as offset, sensitivity errors, nonlinearities, noise, etc. Raw transducer output is subjected to signal conditioning such as amplification, filtering, range matching, etc. Raw measurement
- 20. Point configuration 40-100 psi 0-8000 kg/h Sensor calibration: e.g. measuring from 0 to 32 m3/h Low and High limits: LO 10 m3/h HI 25 m3/h +/-10 V dc 0-10 V dc 0-5 V dc 4-20 mA 12 bit ADC resolution (defines the quality of data translation) Everything what can be measured or set is called POINT 0-70 m3/h 0-32 m3/h I/O card with ADC I/O card with ADC I/O card with ADC I/O card with ADC 1 0 1 0 1 1 1 0 1 0 0 1 1 0 1 0 1 1 1 0 1 0 0 1 1 0 1 0 1 1 1 0 1 0 0 1 1 0 1 0 1 1 1 0 1 0 0 1 4-20 mA,0-4095
- 21. Point configuration 55 psi 7000 kg/h Sensor calibration: e.g. measuring from 0 to 30 m3/h Low and High limits: LO 10 m3/h HI 25 m3/h +/-10 V dc 0-10 V dc 0-5 V dc 4-20 mA 12 bit ADC resolution (defines the quality of data translation) Everything what can be measured or set is called POINT 35 m3/h 20 m3/h I/O card with ADC I/O card with ADC I/O card with ADC I/O card with ADC 1 1 0 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 0 0 1 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 14 mA,3017 18 mA 12 mA2048 3583 8 mA1024
- 22. Scaling of data into useful units Raw counts are scaled into useful units, which could be different to different data users Raw data Engineering Units 3017 2048 1024 3583 7000 20 3,79 35scaling Psi->barm3/h m3/h kg/h
- 23. Conversion of raw data into EU 0mA 21mA 20mA4mA 4095 counts 100% in engineering units 0% in engineering units 4095 counts Offset Over range 1 2 Data scaling is case-specific Current EU values 3 mA -6,25% 4mA 0% 12mA 50% 20mA 100% 21mA 106,25% 20mA4mA
- 24. Learning More from Use Cases Use Case1: Power Substation
- 25. Measuring power line Chris Sistrunk at Power Substation
- 26. 115kV Bus 34.5kV Bus Power Transformer Breaker A Line 200 Feeder 11 Feeder 12 3-Element Transducer 3Ø, Wye + DC - 90 MW 114 kV 468 Amps to Relays, Panel Meter, & SCADA RTU, HMI CT PT Measuring power line 1200:5 Current Transformer 1000:1 Potential Transformer Properly select PT and CT ratio to allow some % of overload on the circuit, so the measurements will not top out at 100% when the actual values are higher.
- 27. Level 5 – Enterprise Network Level 4 – IT Apps, Outage Mgmt, Billing DMZ – Mirror Historian, Applications Level 3 – EMS, Historian Level 2 – Front End, SCADA Master Level 1 – Transducer, Meter, RTU Level 0 – CT, PT XDUCER RTU FEP SCADA HIS HIS OMS D a t a F l o w EMS Measuring power line SCADA Wide Area Network
- 28. Power substation equipment Typically multivendor Non-homogeneous configuration requirements Decentralized configuration Requires careful integration Often (still) old equipment and networks with limited resources and bandwidth
- 29. Level 0 MW Engineering Limit = (PT ratio) * (CT ratio) * (Transducer Multiplier) * (Line Connection Type) = (1200/5)(1000)(1500)(1)/1000000 = 300MW Transducer Output Range = 0 to +/-1mA 0 – +/-300MW/mA scale If transducer output = 0.25mA, then 0.25*300 = 90 MW xLINE – initial (measured) value m, b – scaling factor and offset for each time the data moves from one device to another Transducers may be: 0 – 1mA or 4 – 20mA (which require an offset b) PT CT ySCADA = m*xLINE + b
- 30. Level 1 RTU Analog input card (16-bit Analog to Digital Converter) 15 bits plus +/- sign bit -32768 to +32767 counts = -1mA to 1mA = 300MW/mA +90 MW = .25*32767 = +8192 counts RTU Database = same size 90MW is stored as +8192 bits (+25% of db) SCADA Protocol has 12-bit bipolar analogs (-2048 to 2047 counts) SCADA protocol value MW = .25*2047 = 512 counts RTU SCADA protocol RTU DB
- 31. Level 2 +512 bipolar counts from RTU to Front End Processor on a 12-bit protocol (0 – 4095) 1 count = 300MW/2047 = 0.073242 MW per count unipolar (remember MW is a bipolar value) The FEP has to shift the bipolar value to a unipolar value to store it in the database! FEP database value = 512 incoming counts + offset of 2048 = 2560 counts FEP database = 16 bits = 0 – 32767 counts 2560 counts / 65535 counts = 0.039063 = 3.906309% SCADA database = 32 bits = 0 – 4294967295 counts 3.906309% * 4294967295 = 167774307 counts FEP SCADA DB AND SO ON….
- 32. Level 5 – Enterprise Network Level 4 – IT Apps, Outage Mgmt, Billing DMZ – Mirror Historian, Applications Level 3 – EMS, Historian Level 2 – Front End, SCADA Master Level 1 – Transducer, Meter, RTU Level 0 – CT, PT XDUCER RTU FEP SCADA HIS HIS OMS D a t a F l o w EMS Interpreting power data 512 counts 2560 counts 167774307 counts
- 33. Reverse engineering process data Post-Exploitation: engineering attack tools Exploitation: traditional IT hacking tools
- 34. Obtaining point configuration From the individual devices (e.g. RTU, FEP, DB, etc.) − May or may not be easy/rational thing to do From servers From individual config files on workstations http://data.proidea.org.pl/confidence/ 9edycja/materialy/prezentacje/FX.pdf
- 37. Excel sheets of helpful engineers
- 38. Learning More from Use Cases Use Case2: Distributed Control System (DCS)
- 39. Typical architecture o Single vendor o Homogeneous configuration requirements o Centralized configuration from the DCS server Regulatory control Supervisory control
- 40. Typical data scaling Sensors IO card with ADC Controller 4-20 mA X bits -> 0-100% 4-20 mA –> X bits 0-100% -> EU Floating point Protocol Level 0 Level 1 Level 2 http://steve.hollasch.net/cgindex/coding/ieeefloat.html IEEEStandard754 FloatingPointNumbers Floating point
- 41. Point configuration Point configuration is loaded into controller and stored on a DCS server
- 42. Point configuration Point configuration is loaded into controller and stored on a DCS server
- 43. Point configuration Point configuration is loaded into controller and stored on a DCS server
- 44. Point configuration Point configuration is loaded into controller and stored on a DCS server
- 45. Retrieving point configuration Directly from the controller − DCS controllers are not easily obtainable to the attacker for analysis Get access to engineering station and grab the project folder of interest − Manual search, inconvenient Query config from DCS Config DB − Hundreds and hundreds of tables − Some DB entries may not have descriptions -> need to find the “manual” P.S. Honeywell’s manual on controller parameters is 2478 pages long. Happy reading!
- 50. Learning More from Use Cases Miscellaneous : What’s Different Plant by Plant
- 51. Diversity of architectures Plant is rarely operated with a help of a single DCS − Different plant units are operated by different DCSs, often of different vendors − Some units are operated by the PLC-based architectures − Old/legacy pieces of equipment Smaller plants or utilities are operated by non-homogeneous- vendor equipment configured by multiple integrators Specialized equipment or applications
- 52. Diversity of data scaling & formatting Data scaling and formatting depends on multiple factors − Experience years of the control engineer − Equipment/application/protocol constraints − Requirements to data quality − Data normalization − Best practices (sometimes country/continent-dependent) − Customer preferences We interviewed more than 10 control engineers from multiple industries of different work experience globally
- 53. Configurations can be customized tailored to meet the scaling needs of a tremendous range of equipment and applications Data loggers
- 54. Anatomy of the Cyber-Physical Attack From Script-Kiddie to Competent Attacker
- 55. Source:simentari.com How to make this place going up in smoke?
- 56. Cyber-physical attack Manipulate the process Prevent response Direct Indirect 1 2 Operators Control system (including safety) Blind Mislead Modify operational/safety limits Cyber-Physical attack Capture process feedback Set point change; manipulation of actuators Deceiving controller/ operator about process state Direct Estimated or Derived Direct observation of process values From existing measurements or calculations Most critical to success & hardest to achieve 1.1 1.2 Not easy as well
- 58. State estimation in power sector https://credc.mste.illinois.edu/applet/pg P.S. Hire Ruben Santamarta to hack the SE http://shinnai.altervista.org/papers_videos/STATG.pdf -666 MW State Estimator (SE) Kirchoff’s Current Law – Current flowing into a substation, group of substations, or a grid must equal current flowing out
- 59. State estimation in power sector State Estimator (SE) Kirchoff’s Current Law – Current flowing into a substation, group of substations, or a grid must equal current flowing out P.S. Hire Ruben Santamarta to hack the SE http://shinnai.altervista.org/papers_videos/STATG.pdf Substation 2 -1034 MW +1000 MW -266 MW +300 MW 0 MW https://credc.mste.illinois.edu/applet/pg
- 60. Losing visibility into data The attacker pushes the process outside of normal operational envelope − She may lose visibility into process measurement Sensor calibration; signal clamping; truncation Data scaling − E.g. during process probing the attacker will make small changes to the process which may get “lost in translation” http://www.indiana.edu/~emusic/361/images/digitalaudio-clipping.png 5000089 -> scaled into 0-4095 5000089 -> floating point 5*106
- 61. Losing visibility into data The attacker pushes the process outside of normal operational envelope − She may lose visibility into process measurement Sensor calibration; signal clamping; truncation Data scaling − E.g. during process probing the attacker will make small changes to the process which may get “lost in translation” http://www.indiana.edu/~emusic/361/images/digitalaudio-clipping.png 5000089 -> scaled into 0-4095 5000089 -> floating point 5*106
- 62. Where to monitor From the attacker standpoint single monitoring point is preferable By all means, the most hacker-friendly way to monitor process data in (RT)DB or Historian http://blog.dataparcsolutions.com/process-data-compression-why-its-a-bad-idea Historians typically rely on data compression for storage space optimization − “Unimportant” data is removed
- 63. Raw data vs. processed/translated data http://www.the-amateur-photographer.com/raw-vs-jpeg/ http://photographersconnection.com/should-you-photograph-in-raw-or-jpeg-lets-settle-this/ IT DEPENDS Raw vs JPEG
- 64. Where to monitor The problem with data compression is that data LOST FOREVER − Missing data is interpolated Historical data might not be appropriate for a feedback loop, especially for high precision attack − Because of lost data fidelity http://blog.dataparcsolutions.com/process-data-compression-why-its-a-bad-idea
- 65. − Query controllers for config data − R/W configurable parameters − Query process data; monitor alarms − Issue control commands (if configured) − In short, OPC allows achieving almighty privileges with minimal hacking efforts OLE for Process Control (OPC) HAVEX: Using OPC, the malware component gathers any details about OPC server and connected field devices and sends them back to the C&C. https://ics-cert.us-cert.gov/alerts/ICS- ALERT-14-176-02A
- 66. Key Takeaways Turning this audience into ICS Superheros
- 67. Study the application under protection Once the access is gained to ICS infrastructure, the attack still needs to be performed − We need to do more applied research on understanding what the attacker needs to do and why IT security (cyber-security -> taking over the infrastructure) ICS/SCADA security OT security (causing impact on the operations -> process and equipment) Man-in-the-Middle Man-in-the-SCADA
- 68. Everything what is marked as must be protected more conservatively than the prisoners in high-security correctional facilities − Lock away config files, monitor access − Harden DCS/SCADA servers − Upgrade OPC to OPC UA (please) There are PERCEIVED and REAL threats in ICS world. We need to challenge the assumptions about perceived threats Key Take Aways Successful MITM attack requires a great deal of knowledge about data point configuration − It involves extensive reconnaissance and specialized knowledge
- 69. Goal: New line of thinking Understanding point configuration fundamentals reveals an additional attack surface Instead of modifying data directly Never Trust Your Inputs: Causing ‘Catastrophic Physical Consequences’ from the Sensor (or how to fool ADC) A. Bolshev & M. Krotofil. Black Hat Asia 2016 Analog control loop Control PLC Actuator Safety PLC/ Logger/DAQ 0V (actuator is OFF) 1.5V (actuator is ON)Analog control loop HMI− Change sensor calibration or its range. Good for alarm suppression and blinding operators & controllers Taking advantage of point config 1 2 Modify the configuration of the data point Take advantage of it