SlideShare ist ein Scribd-Unternehmen logo
1 von 70
Downloaden Sie, um offline zu lesen
Anatomy of Data Integrity
Attacks in Industrial Control
Systems
Marina Krotofil & Chris Sistrunk
“MAN-IN-THE-SCADA”:
About us
 Mostly on offence side
 7 years in process control
security research
 On and Off 13 years in security
 Mostly on defense
 >10 years experience in
power engineering
 8 years in security
Specialization:
Process Control
MK CS
Specialization:
Power Sector
Setting Context
Industrial Control Systems and Cyber-
Physical Hacking
Industrial Control Systems
Information
Technology (IT)
Operational
Technology (OT)
boss
boss
Know how to
run Win95
Always blamed
Helpless desk
Physical
application
Cyber-Physical Hacking
Physical
application
Challenging assumptions
Man-in-the-SCADA
Most frequently assumed scenario
CONTROL
SYSTEM
OPERATOR
CONSOLE
PROCESSOPERATOR
Why?
 Insecurity by design of majority of industrial protocols
 Mechanics of MITM attack is well understood and tons of
tools are readily available (almost Plug&Play)
 We simply DON’T KNOW BETTER (yet)
Let’s look into the packet (2)
Ugh :-(
I need protocol
parsers. I knew it!
???
Let’s look into the packet (3)
Let’s look into the packet (4)
Relative humidity
Temperature (F)
???
Let’s look into the packet (5)
https://ask.wireshark.org/questions/59670/extract-particular-register-from-series-of-modbus-packets
Let’s look into the packet (6)
Let’s look into the packet (7)
Let’s look into the packet (8)
Who can guess it best?
o Donuts? (Ok, it was a joke)
o Can be
− Direct measurement
− Result of computation
o Bit counts/%/EU
o Celsius/Fahrenheit
o Centimeters/meters/miles/light years
o Pa/kPa/mPa/Psia/Psig/Atm/Bar
o Kgh/m3h/nm3h/scmh/kscmh
o Keep guessing….
EU -> Engineering Units
PV PV aux calc
New Information to Build New
Assumptions
Configuration of a Single point
Operates on
raw data
Operates on
information
Purdue reference architecture
http://krakenautomation.com/images/KrakenPyramid.jpg
 Raw sensory data rarely can be used directly. The electrical output of a
sensing element is usually small in value and has non-idealities such as
offset, sensitivity errors, nonlinearities, noise, etc.
 Raw transducer output is subjected to signal conditioning such as
amplification, filtering, range matching, etc.
Raw measurement
Point configuration
40-100
psi
0-8000
kg/h
Sensor calibration:
e.g. measuring
from 0 to 32 m3/h
Low and High
limits:
LO 10 m3/h
HI 25 m3/h
+/-10 V dc
0-10 V dc
0-5 V dc
4-20 mA
12 bit ADC resolution
(defines the quality of data translation)
Everything what can be
measured or set is called POINT
0-70
m3/h
0-32
m3/h
I/O card
with ADC
I/O card
with ADC
I/O card
with ADC
I/O card
with ADC
1 0 1 0 1 1 1 0 1 0 0 1
1 0 1 0 1 1 1 0 1 0 0 1
1 0 1 0 1 1 1 0 1 0 0 1
1 0 1 0 1 1 1 0 1 0 0 1
4-20 mA,0-4095
Point configuration
55
psi
7000
kg/h
Sensor calibration:
e.g. measuring
from 0 to 30 m3/h
Low and High
limits:
LO 10 m3/h
HI 25 m3/h
+/-10 V dc
0-10 V dc
0-5 V dc
4-20 mA
12 bit ADC resolution
(defines the quality of data translation)
Everything what can be
measured or set is called POINT
35
m3/h
20
m3/h
I/O card
with ADC
I/O card
with ADC
I/O card
with ADC
I/O card
with ADC
1 1 0 1 1 1 1 1 1 1 1 1
0 1 1 1 1 1 1 1 1 1 1 1
1 0 1 1 1 1 0 0 1 0 0 1
1 0 0 0 0 0 0 0 0 0 0 0
14 mA,3017
18 mA
12 mA2048
3583
8 mA1024
Scaling of data into useful units
Raw counts are
scaled into useful
units, which could
be different to
different data users
Raw data Engineering Units
3017
2048
1024
3583 7000
20
3,79
35scaling
Psi->barm3/h m3/h kg/h
Conversion of raw data into EU
0mA 21mA
20mA4mA
4095 counts
100% in engineering
units
0% in engineering
units
4095 counts
Offset Over range
1
2
Data scaling is case-specific
Current EU values
3 mA -6,25%
4mA 0%
12mA 50%
20mA 100%
21mA 106,25%
20mA4mA
Learning More from Use Cases
Use Case1: Power Substation
Measuring power line
Chris Sistrunk at
Power Substation
115kV Bus
34.5kV Bus
Power
Transformer
Breaker A
Line 200
Feeder 11 Feeder 12
3-Element
Transducer
3Ø, Wye
+ DC -
90 MW
114 kV
468 Amps
to Relays, Panel Meter,
& SCADA RTU, HMI
CT
PT
Measuring power line
1200:5
Current
Transformer
1000:1
Potential
Transformer
Properly select PT and CT ratio to allow some % of overload on the circuit, so
the measurements will not top out at 100% when the actual values are higher.
Level 5 – Enterprise Network
Level 4 – IT Apps, Outage Mgmt, Billing
DMZ – Mirror Historian, Applications
Level 3 – EMS, Historian
Level 2 – Front End, SCADA Master
Level 1 – Transducer, Meter, RTU
Level 0 – CT, PT
XDUCER RTU
FEP SCADA
HIS
HIS
OMS
D
a
t
a
F
l
o
w
EMS
Measuring power line
SCADA
Wide Area
Network
Power substation equipment
 Typically multivendor
 Non-homogeneous configuration requirements
 Decentralized configuration
 Requires careful integration
 Often (still) old equipment and networks with limited
resources and bandwidth
Level 0
 MW Engineering Limit = (PT ratio) * (CT ratio) * (Transducer Multiplier) *
(Line Connection Type) = (1200/5)(1000)(1500)(1)/1000000 = 300MW
 Transducer Output Range = 0 to +/-1mA  0 – +/-300MW/mA scale
If transducer output = 0.25mA, then 0.25*300 = 90 MW
xLINE – initial (measured) value
m, b – scaling factor and offset
for each time the data moves
from one device to another
Transducers may be:
0 – 1mA
or
4 – 20mA
(which require an offset b)
PT CT
ySCADA = m*xLINE + b
Level 1
 RTU Analog input card (16-bit Analog to Digital Converter) 15 bits plus +/- sign bit
-32768 to +32767 counts = -1mA to 1mA = 300MW/mA
+90 MW = .25*32767 = +8192 counts
 RTU Database = same size  90MW is stored as +8192 bits (+25% of db)
 SCADA Protocol has 12-bit bipolar analogs (-2048 to 2047 counts)
SCADA protocol value MW = .25*2047 = 512 counts
RTU
SCADA protocol
RTU DB
Level 2
 +512 bipolar counts from RTU to Front End Processor on a 12-bit protocol (0 – 4095)
1 count = 300MW/2047 = 0.073242 MW per count unipolar
(remember MW is a bipolar value)
The FEP has to shift the bipolar value to a unipolar value to store it in the database!
 FEP database value = 512 incoming counts + offset of 2048 = 2560 counts
FEP database = 16 bits = 0 – 32767 counts
2560 counts / 65535 counts = 0.039063 = 3.906309%
 SCADA database = 32 bits = 0 – 4294967295 counts
3.906309% * 4294967295 = 167774307 counts
FEP SCADA DB
AND SO ON….
Level 5 – Enterprise Network
Level 4 – IT Apps, Outage Mgmt, Billing
DMZ – Mirror Historian, Applications
Level 3 – EMS, Historian
Level 2 – Front End, SCADA Master
Level 1 – Transducer, Meter, RTU
Level 0 – CT, PT
XDUCER RTU
FEP SCADA
HIS
HIS
OMS
D
a
t
a
F
l
o
w
EMS
Interpreting power data
512 counts
2560 counts
167774307 counts
Reverse engineering process data
Post-Exploitation:
engineering attack
tools
Exploitation:
traditional IT
hacking tools
Obtaining point configuration
 From the individual devices (e.g. RTU, FEP, DB, etc.)
− May or may not be easy/rational thing to do
 From servers
 From individual config files on workstations
http://data.proidea.org.pl/confidence/
9edycja/materialy/prezentacje/FX.pdf
With engineering applications
With engineering applications
Excel sheets of helpful engineers
Learning More from Use Cases
Use Case2: Distributed Control System (DCS)
Typical architecture o Single vendor
o Homogeneous
configuration
requirements
o Centralized configuration
from the DCS server
Regulatory
control
Supervisory
control
Typical data scaling
Sensors
IO card
with ADC
Controller
4-20 mA
X bits -> 0-100%
4-20 mA –> X bits
0-100% -> EU
Floating point Protocol
Level 0
Level 1
Level 2
http://steve.hollasch.net/cgindex/coding/ieeefloat.html
IEEEStandard754
FloatingPointNumbers
Floating point
Point configuration
Point configuration is loaded into controller and
stored on a DCS server
Point configuration
Point configuration is loaded into controller and
stored on a DCS server
Point configuration
Point configuration is loaded into controller and
stored on a DCS server
Point configuration
Point configuration is loaded into controller and
stored on a DCS server
Retrieving point configuration
 Directly from the controller
− DCS controllers are not easily obtainable to the
attacker for analysis
 Get access to engineering station and grab the
project folder of interest
− Manual search, inconvenient
 Query config from DCS Config DB
− Hundreds and hundreds of tables
− Some DB entries may not have descriptions -> need
to find the “manual”
P.S. Honeywell’s manual on controller parameters
is 2478 pages long. Happy reading!
Retrieving point configuration
Retrieving point configuration
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control Systems
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control Systems
Learning More from Use Cases
Miscellaneous : What’s Different Plant by Plant
Diversity of architectures
 Plant is rarely operated with a help of a single DCS
− Different plant units are operated by different DCSs, often of
different vendors
− Some units are operated by the PLC-based architectures
− Old/legacy pieces of equipment
 Smaller plants or utilities are operated by non-homogeneous-
vendor equipment configured by multiple integrators
 Specialized equipment or applications
Diversity of data scaling & formatting
 Data scaling and formatting depends on multiple factors
− Experience years of the control engineer
− Equipment/application/protocol constraints
− Requirements to data quality
− Data normalization
− Best practices (sometimes country/continent-dependent)
− Customer preferences
We interviewed more than 10 control engineers from multiple
industries of different work experience globally
Configurations can be customized tailored
to meet the scaling needs of a tremendous
range of equipment and applications
Data loggers
Anatomy of the Cyber-Physical
Attack
From Script-Kiddie to Competent Attacker
Source:simentari.com
How to make this place going up in smoke?
Cyber-physical attack
Manipulate the
process
Prevent
response
Direct Indirect
1 2
Operators Control system
(including safety)
Blind Mislead
Modify
operational/safety
limits
Cyber-Physical
attack
Capture process
feedback
Set point
change;
manipulation
of actuators
Deceiving
controller/
operator about
process state
Direct Estimated
or Derived
Direct
observation
of process
values
From existing
measurements
or calculations
Most critical
to success &
hardest to
achieve
1.1 1.2 Not easy as
well
Alarm propagation
Safety
shutdown
Alarm
Alarm
State estimation in power sector
https://credc.mste.illinois.edu/applet/pg
P.S. Hire Ruben Santamarta to hack the SE
http://shinnai.altervista.org/papers_videos/STATG.pdf
-666 MW
 State Estimator (SE)
 Kirchoff’s Current Law
– Current flowing into a substation,
group of substations, or a grid
must equal current flowing out
State estimation in power sector
 State Estimator (SE)
 Kirchoff’s Current Law
– Current flowing into a substation,
group of substations, or a grid
must equal current flowing out
P.S. Hire Ruben Santamarta to hack the SE
http://shinnai.altervista.org/papers_videos/STATG.pdf
Substation 2
-1034 MW
+1000 MW
-266 MW
+300 MW
0 MW
https://credc.mste.illinois.edu/applet/pg
Losing visibility into data
 The attacker pushes the process outside of normal
operational envelope
− She may lose visibility into process measurement
 Sensor calibration; signal clamping; truncation
 Data scaling
− E.g. during process probing the attacker
will make small changes to the process
which may get “lost in translation”
http://www.indiana.edu/~emusic/361/images/digitalaudio-clipping.png
5000089 -> scaled into 0-4095
5000089 -> floating point 5*106
Losing visibility into data
 The attacker pushes the process outside of normal
operational envelope
− She may lose visibility into process measurement
 Sensor calibration; signal clamping; truncation
 Data scaling
− E.g. during process probing the attacker
will make small changes to the process
which may get “lost in translation”
http://www.indiana.edu/~emusic/361/images/digitalaudio-clipping.png
5000089 -> scaled into 0-4095
5000089 -> floating point 5*106
Where to monitor
 From the attacker standpoint single monitoring point is preferable
 By all means, the most hacker-friendly way to monitor process data
in (RT)DB or Historian
http://blog.dataparcsolutions.com/process-data-compression-why-its-a-bad-idea
 Historians typically rely on data compression
for storage space optimization
− “Unimportant” data is removed
Raw data vs. processed/translated data
http://www.the-amateur-photographer.com/raw-vs-jpeg/
http://photographersconnection.com/should-you-photograph-in-raw-or-jpeg-lets-settle-this/
IT DEPENDS
Raw vs JPEG
Where to monitor
 The problem with data compression is that
data LOST FOREVER
− Missing data is interpolated
 Historical data might not be appropriate for a
feedback loop, especially for high precision
attack
− Because of lost data fidelity
http://blog.dataparcsolutions.com/process-data-compression-why-its-a-bad-idea
− Query controllers for config data
− R/W configurable parameters
− Query process data; monitor alarms
− Issue control commands (if configured)
− In short, OPC allows achieving almighty
privileges with minimal hacking efforts
OLE for Process Control (OPC)
HAVEX: Using OPC, the malware
component gathers any details about
OPC server and connected field devices
and sends them back to the C&C.
https://ics-cert.us-cert.gov/alerts/ICS-
ALERT-14-176-02A
Key Takeaways
Turning this audience into ICS Superheros
Study the application under protection
 Once the access is gained to ICS infrastructure, the attack still needs to
be performed
− We need to do more applied research on understanding what the attacker
needs to do and why
IT security
(cyber-security ->
taking over the
infrastructure)
ICS/SCADA security
OT security
(causing impact on the
operations -> process
and equipment)
Man-in-the-Middle Man-in-the-SCADA
 Everything what is marked as must be protected more
conservatively than the prisoners in high-security correctional facilities
− Lock away config files, monitor access
− Harden DCS/SCADA servers
− Upgrade OPC to OPC UA (please)
 There are PERCEIVED and REAL threats in ICS world. We
need to challenge the assumptions about perceived threats
Key Take Aways
 Successful MITM attack requires a great deal of knowledge
about data point configuration
− It involves extensive reconnaissance and specialized knowledge
Goal: New line of thinking
 Understanding point configuration fundamentals
reveals an additional attack surface
 Instead of modifying data directly Never Trust Your Inputs: Causing ‘Catastrophic
Physical Consequences’ from the Sensor (or
how to fool ADC)
A. Bolshev & M. Krotofil. Black Hat Asia 2016
Analog
control
loop
Control PLC
Actuator
Safety PLC/
Logger/DAQ
0V (actuator is OFF)
1.5V (actuator is ON)Analog
control
loop
HMI− Change sensor calibration or its
range. Good for alarm suppression
and blinding operators & controllers
Taking advantage of point config
1
2
Modify the configuration of
the data point
Take advantage of it
Marina Krotofil
marina.krotofil@honeywell.com
@marmusha
Chris Sistrunk
chris.sistrunk@mandiant.com
@chrissistrunk

Weitere ähnliche Inhalte

Was ist angesagt?

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration TestingAhmed Sherif
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Positive Hack Days
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
Never Trust Your Inputs or how to fool an ADC
Never Trust Your Inputs or how to fool an ADCNever Trust Your Inputs or how to fool an ADC
Never Trust Your Inputs or how to fool an ADCAlexander Bolshev
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...Marina Krotofil
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureqqlan
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2qqlan
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheetqqlan
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systemsPeter Wood
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Manuel Santander
 

Was ist angesagt? (20)

Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration Testing
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
 
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
Johannes Klick, Daniel Marzin. Find Them, Bind Them - Industrial Control Syst...
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Security
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
 
Never Trust Your Inputs or how to fool an ADC
Never Trust Your Inputs or how to fool an ADCNever Trust Your Inputs or how to fool an ADC
Never Trust Your Inputs or how to fool an ADC
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet v2
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA Security
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systems
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...
 

Ähnlich wie "Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control Systems

CHM_Technologies_PLC.ppt
CHM_Technologies_PLC.pptCHM_Technologies_PLC.ppt
CHM_Technologies_PLC.pptVinothInst
 
FE_Technologies_PLC.ppt
FE_Technologies_PLC.pptFE_Technologies_PLC.ppt
FE_Technologies_PLC.pptDilupa Herath
 
Ls catalog thiet bi tu dong master p 5000-e_dienhathe.vn
Ls catalog thiet bi tu dong master p 5000-e_dienhathe.vnLs catalog thiet bi tu dong master p 5000-e_dienhathe.vn
Ls catalog thiet bi tu dong master p 5000-e_dienhathe.vnDien Ha The
 
Ls catalog thiet bi tu dong master p 5000-e
Ls catalog thiet bi tu dong master p 5000-eLs catalog thiet bi tu dong master p 5000-e
Ls catalog thiet bi tu dong master p 5000-eDien Ha The
 
Wireless fuel level sensor using rfid
Wireless fuel level sensor using rfidWireless fuel level sensor using rfid
Wireless fuel level sensor using rfidSriteja Rst
 
A PROJECT ON scada.pptx
A PROJECT ON scada.pptxA PROJECT ON scada.pptx
A PROJECT ON scada.pptxAshhadRaza1
 
automation,vfd,plc,scada overview
automation,vfd,plc,scada overviewautomation,vfd,plc,scada overview
automation,vfd,plc,scada overviewPratik Gupta
 
automation,vfd,plc,scada overview
automation,vfd,plc,scada overviewautomation,vfd,plc,scada overview
automation,vfd,plc,scada overviewpratikguptateddy
 
Scada For G Mgt
Scada For G MgtScada For G Mgt
Scada For G MgtAnil Patil
 
CONCEPT OF SCADA System EMERSON EDUARDO RODRIGUES
CONCEPT OF SCADA System  EMERSON EDUARDO RODRIGUESCONCEPT OF SCADA System  EMERSON EDUARDO RODRIGUES
CONCEPT OF SCADA System EMERSON EDUARDO RODRIGUESEMERSON EDUARDO RODRIGUES
 
An Entire Concept of Embedded systems
An Entire Concept of Embedded systems An Entire Concept of Embedded systems
An Entire Concept of Embedded systems Prabhakar Captain
 
An entire concept of embedded systems entire ppt
An entire concept of embedded systems entire pptAn entire concept of embedded systems entire ppt
An entire concept of embedded systems entire pptPrabhakar Captain
 
RFID Based Toll Gate System
RFID Based Toll Gate SystemRFID Based Toll Gate System
RFID Based Toll Gate SystemAmeer Khan
 

Ähnlich wie "Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control Systems (20)

FE_Technologies_PLC.ppt
FE_Technologies_PLC.pptFE_Technologies_PLC.ppt
FE_Technologies_PLC.ppt
 
CHM_Technologies_PLC.ppt
CHM_Technologies_PLC.pptCHM_Technologies_PLC.ppt
CHM_Technologies_PLC.ppt
 
FE_Technologies_PLC.ppt
FE_Technologies_PLC.pptFE_Technologies_PLC.ppt
FE_Technologies_PLC.ppt
 
Ls catalog thiet bi tu dong master p 5000-e_dienhathe.vn
Ls catalog thiet bi tu dong master p 5000-e_dienhathe.vnLs catalog thiet bi tu dong master p 5000-e_dienhathe.vn
Ls catalog thiet bi tu dong master p 5000-e_dienhathe.vn
 
Ls catalog thiet bi tu dong master p 5000-e
Ls catalog thiet bi tu dong master p 5000-eLs catalog thiet bi tu dong master p 5000-e
Ls catalog thiet bi tu dong master p 5000-e
 
Wireless fuel level sensor using rfid
Wireless fuel level sensor using rfidWireless fuel level sensor using rfid
Wireless fuel level sensor using rfid
 
A PROJECT ON scada.pptx
A PROJECT ON scada.pptxA PROJECT ON scada.pptx
A PROJECT ON scada.pptx
 
Vfd
VfdVfd
Vfd
 
automation,vfd,plc,scada overview
automation,vfd,plc,scada overviewautomation,vfd,plc,scada overview
automation,vfd,plc,scada overview
 
automation,vfd,plc,scada overview
automation,vfd,plc,scada overviewautomation,vfd,plc,scada overview
automation,vfd,plc,scada overview
 
Scada For G Mgt
Scada For G MgtScada For G Mgt
Scada For G Mgt
 
Automation(plc&scada)
Automation(plc&scada)Automation(plc&scada)
Automation(plc&scada)
 
Catalogo_CoTrust mail.pdf
Catalogo_CoTrust mail.pdfCatalogo_CoTrust mail.pdf
Catalogo_CoTrust mail.pdf
 
An Overview of PLC
An Overview of PLCAn Overview of PLC
An Overview of PLC
 
SCADA PPT.pdf
SCADA PPT.pdfSCADA PPT.pdf
SCADA PPT.pdf
 
CONCEPT OF SCADA.pdf
CONCEPT OF SCADA.pdfCONCEPT OF SCADA.pdf
CONCEPT OF SCADA.pdf
 
CONCEPT OF SCADA System EMERSON EDUARDO RODRIGUES
CONCEPT OF SCADA System  EMERSON EDUARDO RODRIGUESCONCEPT OF SCADA System  EMERSON EDUARDO RODRIGUES
CONCEPT OF SCADA System EMERSON EDUARDO RODRIGUES
 
An Entire Concept of Embedded systems
An Entire Concept of Embedded systems An Entire Concept of Embedded systems
An Entire Concept of Embedded systems
 
An entire concept of embedded systems entire ppt
An entire concept of embedded systems entire pptAn entire concept of embedded systems entire ppt
An entire concept of embedded systems entire ppt
 
RFID Based Toll Gate System
RFID Based Toll Gate SystemRFID Based Toll Gate System
RFID Based Toll Gate System
 

Mehr von Marina Krotofil

CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevMarina Krotofil
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloadsfor ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloadsfor ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...Marina Krotofil
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesMarina Krotofil
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017Marina Krotofil
 
S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017Marina Krotofil
 
New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016Marina Krotofil
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMarina Krotofil
 

Mehr von Marina Krotofil (8)

Dhs icsjwg 2015_v3
Dhs icsjwg 2015_v3Dhs icsjwg 2015_v3
Dhs icsjwg 2015_v3
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsev
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloadsfor ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloadsfor ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
 
S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017S4 krotofil afternoon_sesh_2017
S4 krotofil afternoon_sesh_2017
 
S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017S4 krotofil morning_sesh_2017
S4 krotofil morning_sesh_2017
 
New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016New wave of attacks in Ukraine 2016
New wave of attacks in Ukraine 2016
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control Systems
 

"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control Systems

  • 1. Anatomy of Data Integrity Attacks in Industrial Control Systems Marina Krotofil & Chris Sistrunk “MAN-IN-THE-SCADA”:
  • 2. About us  Mostly on offence side  7 years in process control security research  On and Off 13 years in security  Mostly on defense  >10 years experience in power engineering  8 years in security Specialization: Process Control MK CS Specialization: Power Sector
  • 3. Setting Context Industrial Control Systems and Cyber- Physical Hacking
  • 4. Industrial Control Systems Information Technology (IT) Operational Technology (OT) boss boss Know how to run Win95 Always blamed Helpless desk Physical application
  • 7. Most frequently assumed scenario CONTROL SYSTEM OPERATOR CONSOLE PROCESSOPERATOR
  • 8. Why?  Insecurity by design of majority of industrial protocols  Mechanics of MITM attack is well understood and tons of tools are readily available (almost Plug&Play)  We simply DON’T KNOW BETTER (yet)
  • 9. Let’s look into the packet (2) Ugh :-( I need protocol parsers. I knew it! ???
  • 10. Let’s look into the packet (3)
  • 11. Let’s look into the packet (4) Relative humidity Temperature (F) ???
  • 12. Let’s look into the packet (5) https://ask.wireshark.org/questions/59670/extract-particular-register-from-series-of-modbus-packets
  • 13. Let’s look into the packet (6)
  • 14. Let’s look into the packet (7)
  • 15. Let’s look into the packet (8)
  • 16. Who can guess it best? o Donuts? (Ok, it was a joke) o Can be − Direct measurement − Result of computation o Bit counts/%/EU o Celsius/Fahrenheit o Centimeters/meters/miles/light years o Pa/kPa/mPa/Psia/Psig/Atm/Bar o Kgh/m3h/nm3h/scmh/kscmh o Keep guessing…. EU -> Engineering Units PV PV aux calc
  • 17. New Information to Build New Assumptions Configuration of a Single point
  • 18. Operates on raw data Operates on information Purdue reference architecture http://krakenautomation.com/images/KrakenPyramid.jpg
  • 19.  Raw sensory data rarely can be used directly. The electrical output of a sensing element is usually small in value and has non-idealities such as offset, sensitivity errors, nonlinearities, noise, etc.  Raw transducer output is subjected to signal conditioning such as amplification, filtering, range matching, etc. Raw measurement
  • 20. Point configuration 40-100 psi 0-8000 kg/h Sensor calibration: e.g. measuring from 0 to 32 m3/h Low and High limits: LO 10 m3/h HI 25 m3/h +/-10 V dc 0-10 V dc 0-5 V dc 4-20 mA 12 bit ADC resolution (defines the quality of data translation) Everything what can be measured or set is called POINT 0-70 m3/h 0-32 m3/h I/O card with ADC I/O card with ADC I/O card with ADC I/O card with ADC 1 0 1 0 1 1 1 0 1 0 0 1 1 0 1 0 1 1 1 0 1 0 0 1 1 0 1 0 1 1 1 0 1 0 0 1 1 0 1 0 1 1 1 0 1 0 0 1 4-20 mA,0-4095
  • 21. Point configuration 55 psi 7000 kg/h Sensor calibration: e.g. measuring from 0 to 30 m3/h Low and High limits: LO 10 m3/h HI 25 m3/h +/-10 V dc 0-10 V dc 0-5 V dc 4-20 mA 12 bit ADC resolution (defines the quality of data translation) Everything what can be measured or set is called POINT 35 m3/h 20 m3/h I/O card with ADC I/O card with ADC I/O card with ADC I/O card with ADC 1 1 0 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 0 0 1 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 14 mA,3017 18 mA 12 mA2048 3583 8 mA1024
  • 22. Scaling of data into useful units Raw counts are scaled into useful units, which could be different to different data users Raw data Engineering Units 3017 2048 1024 3583 7000 20 3,79 35scaling Psi->barm3/h m3/h kg/h
  • 23. Conversion of raw data into EU 0mA 21mA 20mA4mA 4095 counts 100% in engineering units 0% in engineering units 4095 counts Offset Over range 1 2 Data scaling is case-specific Current EU values 3 mA -6,25% 4mA 0% 12mA 50% 20mA 100% 21mA 106,25% 20mA4mA
  • 24. Learning More from Use Cases Use Case1: Power Substation
  • 25. Measuring power line Chris Sistrunk at Power Substation
  • 26. 115kV Bus 34.5kV Bus Power Transformer Breaker A Line 200 Feeder 11 Feeder 12 3-Element Transducer 3Ø, Wye + DC - 90 MW 114 kV 468 Amps to Relays, Panel Meter, & SCADA RTU, HMI CT PT Measuring power line 1200:5 Current Transformer 1000:1 Potential Transformer Properly select PT and CT ratio to allow some % of overload on the circuit, so the measurements will not top out at 100% when the actual values are higher.
  • 27. Level 5 – Enterprise Network Level 4 – IT Apps, Outage Mgmt, Billing DMZ – Mirror Historian, Applications Level 3 – EMS, Historian Level 2 – Front End, SCADA Master Level 1 – Transducer, Meter, RTU Level 0 – CT, PT XDUCER RTU FEP SCADA HIS HIS OMS D a t a F l o w EMS Measuring power line SCADA Wide Area Network
  • 28. Power substation equipment  Typically multivendor  Non-homogeneous configuration requirements  Decentralized configuration  Requires careful integration  Often (still) old equipment and networks with limited resources and bandwidth
  • 29. Level 0  MW Engineering Limit = (PT ratio) * (CT ratio) * (Transducer Multiplier) * (Line Connection Type) = (1200/5)(1000)(1500)(1)/1000000 = 300MW  Transducer Output Range = 0 to +/-1mA  0 – +/-300MW/mA scale If transducer output = 0.25mA, then 0.25*300 = 90 MW xLINE – initial (measured) value m, b – scaling factor and offset for each time the data moves from one device to another Transducers may be: 0 – 1mA or 4 – 20mA (which require an offset b) PT CT ySCADA = m*xLINE + b
  • 30. Level 1  RTU Analog input card (16-bit Analog to Digital Converter) 15 bits plus +/- sign bit -32768 to +32767 counts = -1mA to 1mA = 300MW/mA +90 MW = .25*32767 = +8192 counts  RTU Database = same size  90MW is stored as +8192 bits (+25% of db)  SCADA Protocol has 12-bit bipolar analogs (-2048 to 2047 counts) SCADA protocol value MW = .25*2047 = 512 counts RTU SCADA protocol RTU DB
  • 31. Level 2  +512 bipolar counts from RTU to Front End Processor on a 12-bit protocol (0 – 4095) 1 count = 300MW/2047 = 0.073242 MW per count unipolar (remember MW is a bipolar value) The FEP has to shift the bipolar value to a unipolar value to store it in the database!  FEP database value = 512 incoming counts + offset of 2048 = 2560 counts FEP database = 16 bits = 0 – 32767 counts 2560 counts / 65535 counts = 0.039063 = 3.906309%  SCADA database = 32 bits = 0 – 4294967295 counts 3.906309% * 4294967295 = 167774307 counts FEP SCADA DB AND SO ON….
  • 32. Level 5 – Enterprise Network Level 4 – IT Apps, Outage Mgmt, Billing DMZ – Mirror Historian, Applications Level 3 – EMS, Historian Level 2 – Front End, SCADA Master Level 1 – Transducer, Meter, RTU Level 0 – CT, PT XDUCER RTU FEP SCADA HIS HIS OMS D a t a F l o w EMS Interpreting power data 512 counts 2560 counts 167774307 counts
  • 33. Reverse engineering process data Post-Exploitation: engineering attack tools Exploitation: traditional IT hacking tools
  • 34. Obtaining point configuration  From the individual devices (e.g. RTU, FEP, DB, etc.) − May or may not be easy/rational thing to do  From servers  From individual config files on workstations http://data.proidea.org.pl/confidence/ 9edycja/materialy/prezentacje/FX.pdf
  • 37. Excel sheets of helpful engineers
  • 38. Learning More from Use Cases Use Case2: Distributed Control System (DCS)
  • 39. Typical architecture o Single vendor o Homogeneous configuration requirements o Centralized configuration from the DCS server Regulatory control Supervisory control
  • 40. Typical data scaling Sensors IO card with ADC Controller 4-20 mA X bits -> 0-100% 4-20 mA –> X bits 0-100% -> EU Floating point Protocol Level 0 Level 1 Level 2 http://steve.hollasch.net/cgindex/coding/ieeefloat.html IEEEStandard754 FloatingPointNumbers Floating point
  • 41. Point configuration Point configuration is loaded into controller and stored on a DCS server
  • 42. Point configuration Point configuration is loaded into controller and stored on a DCS server
  • 43. Point configuration Point configuration is loaded into controller and stored on a DCS server
  • 44. Point configuration Point configuration is loaded into controller and stored on a DCS server
  • 45. Retrieving point configuration  Directly from the controller − DCS controllers are not easily obtainable to the attacker for analysis  Get access to engineering station and grab the project folder of interest − Manual search, inconvenient  Query config from DCS Config DB − Hundreds and hundreds of tables − Some DB entries may not have descriptions -> need to find the “manual” P.S. Honeywell’s manual on controller parameters is 2478 pages long. Happy reading!
  • 50. Learning More from Use Cases Miscellaneous : What’s Different Plant by Plant
  • 51. Diversity of architectures  Plant is rarely operated with a help of a single DCS − Different plant units are operated by different DCSs, often of different vendors − Some units are operated by the PLC-based architectures − Old/legacy pieces of equipment  Smaller plants or utilities are operated by non-homogeneous- vendor equipment configured by multiple integrators  Specialized equipment or applications
  • 52. Diversity of data scaling & formatting  Data scaling and formatting depends on multiple factors − Experience years of the control engineer − Equipment/application/protocol constraints − Requirements to data quality − Data normalization − Best practices (sometimes country/continent-dependent) − Customer preferences We interviewed more than 10 control engineers from multiple industries of different work experience globally
  • 53. Configurations can be customized tailored to meet the scaling needs of a tremendous range of equipment and applications Data loggers
  • 54. Anatomy of the Cyber-Physical Attack From Script-Kiddie to Competent Attacker
  • 55. Source:simentari.com How to make this place going up in smoke?
  • 56. Cyber-physical attack Manipulate the process Prevent response Direct Indirect 1 2 Operators Control system (including safety) Blind Mislead Modify operational/safety limits Cyber-Physical attack Capture process feedback Set point change; manipulation of actuators Deceiving controller/ operator about process state Direct Estimated or Derived Direct observation of process values From existing measurements or calculations Most critical to success & hardest to achieve 1.1 1.2 Not easy as well
  • 58. State estimation in power sector https://credc.mste.illinois.edu/applet/pg P.S. Hire Ruben Santamarta to hack the SE http://shinnai.altervista.org/papers_videos/STATG.pdf -666 MW  State Estimator (SE)  Kirchoff’s Current Law – Current flowing into a substation, group of substations, or a grid must equal current flowing out
  • 59. State estimation in power sector  State Estimator (SE)  Kirchoff’s Current Law – Current flowing into a substation, group of substations, or a grid must equal current flowing out P.S. Hire Ruben Santamarta to hack the SE http://shinnai.altervista.org/papers_videos/STATG.pdf Substation 2 -1034 MW +1000 MW -266 MW +300 MW 0 MW https://credc.mste.illinois.edu/applet/pg
  • 60. Losing visibility into data  The attacker pushes the process outside of normal operational envelope − She may lose visibility into process measurement  Sensor calibration; signal clamping; truncation  Data scaling − E.g. during process probing the attacker will make small changes to the process which may get “lost in translation” http://www.indiana.edu/~emusic/361/images/digitalaudio-clipping.png 5000089 -> scaled into 0-4095 5000089 -> floating point 5*106
  • 61. Losing visibility into data  The attacker pushes the process outside of normal operational envelope − She may lose visibility into process measurement  Sensor calibration; signal clamping; truncation  Data scaling − E.g. during process probing the attacker will make small changes to the process which may get “lost in translation” http://www.indiana.edu/~emusic/361/images/digitalaudio-clipping.png 5000089 -> scaled into 0-4095 5000089 -> floating point 5*106
  • 62. Where to monitor  From the attacker standpoint single monitoring point is preferable  By all means, the most hacker-friendly way to monitor process data in (RT)DB or Historian http://blog.dataparcsolutions.com/process-data-compression-why-its-a-bad-idea  Historians typically rely on data compression for storage space optimization − “Unimportant” data is removed
  • 63. Raw data vs. processed/translated data http://www.the-amateur-photographer.com/raw-vs-jpeg/ http://photographersconnection.com/should-you-photograph-in-raw-or-jpeg-lets-settle-this/ IT DEPENDS Raw vs JPEG
  • 64. Where to monitor  The problem with data compression is that data LOST FOREVER − Missing data is interpolated  Historical data might not be appropriate for a feedback loop, especially for high precision attack − Because of lost data fidelity http://blog.dataparcsolutions.com/process-data-compression-why-its-a-bad-idea
  • 65. − Query controllers for config data − R/W configurable parameters − Query process data; monitor alarms − Issue control commands (if configured) − In short, OPC allows achieving almighty privileges with minimal hacking efforts OLE for Process Control (OPC) HAVEX: Using OPC, the malware component gathers any details about OPC server and connected field devices and sends them back to the C&C. https://ics-cert.us-cert.gov/alerts/ICS- ALERT-14-176-02A
  • 66. Key Takeaways Turning this audience into ICS Superheros
  • 67. Study the application under protection  Once the access is gained to ICS infrastructure, the attack still needs to be performed − We need to do more applied research on understanding what the attacker needs to do and why IT security (cyber-security -> taking over the infrastructure) ICS/SCADA security OT security (causing impact on the operations -> process and equipment) Man-in-the-Middle Man-in-the-SCADA
  • 68.  Everything what is marked as must be protected more conservatively than the prisoners in high-security correctional facilities − Lock away config files, monitor access − Harden DCS/SCADA servers − Upgrade OPC to OPC UA (please)  There are PERCEIVED and REAL threats in ICS world. We need to challenge the assumptions about perceived threats Key Take Aways  Successful MITM attack requires a great deal of knowledge about data point configuration − It involves extensive reconnaissance and specialized knowledge
  • 69. Goal: New line of thinking  Understanding point configuration fundamentals reveals an additional attack surface  Instead of modifying data directly Never Trust Your Inputs: Causing ‘Catastrophic Physical Consequences’ from the Sensor (or how to fool ADC) A. Bolshev & M. Krotofil. Black Hat Asia 2016 Analog control loop Control PLC Actuator Safety PLC/ Logger/DAQ 0V (actuator is OFF) 1.5V (actuator is ON)Analog control loop HMI− Change sensor calibration or its range. Good for alarm suppression and blinding operators & controllers Taking advantage of point config 1 2 Modify the configuration of the data point Take advantage of it