Attacker approach for attacking ICS
Posted on 19-Oct-2014
Attacker approach for attacking Industrial Control Systems
ICS from an attacker view
• Highly attractive – Large scale damage, affects daily life
• Systems are based on old technology – Information security is not built-in, security elements are not system specific
• System infrastructure is complex and includes proprietary protocols
• ICS serve dynamic processes and need frequent adjustments and maintenance
© 2008 PRE-VISION DATA SECURITY LTD. All rights reserved
Attack type categorization
• By intention
• By scenario
• By system level being affected
Intention
Unintentional – worms, viruses, control system failures or consequences caused by internal personnel or faulty mechanisms
Intentional – Deliberate/planned attack
Characteristics of an intentional targeted attack
• Requires detailed knowledge of the system and supporting infrastructure
• Directed to specific system elements and for a specific outcome
• Almost always requires the help of an insider
• Code will possess some control capabilities
Basic attack scenario
• Center to field
• Field to center
• Center to center
• Field to field
System level being affected
• Global communication path
• HMI servers/stations
• Connection to field elements
• PLC memory/PLC logic
• PLC protocols
• IED element signals
Motivation
• Terror
• Getting an advantage in a war situation
• Industrial espionage
Desired outcome
• Alter
• Disrupt
• Deceive
• Degrade
• Destroy
• Proof of concept (POC) – a stage in attack tool development
• Building a foundation for later use
Time line
• Immediate effect
• Short term effect
• Long term effect
• Creating and maintaining an attack base
Control
• Uncontrolled
• Unidirectional
• Bidirectional
Means
• DOS – applications, control elements, network elements, servers
• Physical damage
• Damage to data and/or information
• Building a foundation for later use
Scale of effect
• Localized
• Widespread
• Cross-infrastructures
Choosing targets
Control center
• HMI servers
• GWs, FEPs, MTUs
• Data base/Historian
Controller (logic/OS/Memory)
Network and communication elements
• Protocols
Field elements
• IEDs
• Field controllers
• FIU
Choosing access path
Direct – using local access to system elements (including use of carriers)
Indirect – remote access using network and communication lines
Combined – local and remote access
Flow chart
Targets
• Control center
• Network and communication
• Controller
• Field elements
Means
• DOS
• Damage to data and information
• Physical damage
Outcome
• Alter
• Disrupt
• Deceive
• Degrade
• Destroy
• POC
• Building foundation for later use
Scale
• Localized
• Widespread
• Cross-infrastructures
Time line
• Immediate
• Short term
• Long term
Control type
• Uncontrolled
• Unidirectional
• Bidirectional
Access path
• Direct – local
• Indirect – remote
• Combined
Topology based scenarios
• Software architecture
– Two tier architecture – HMI and communication server are installed on the same machine
– Three tier architecture – HMI clients, HMI server and/or communication server are installed on different machines
Basic ICS architecture
Topology based attack scenario
• Network architecture
– SCADA topology – PLCs are installed across a distributed, large scale, wide area network, where the PLC might operate using local logic commands.
– DCS topology – PLCs and industrial control elements are installed on a local area network, where most logic is installed in the DCS software and not on the PLC.
Attack vectors
• Protocol based attacks
• PLC logic based attacks
• SCADA/DCS software based attacks
Protocols + PLC – two tier based attacks
Software + PLC – two tier based attacks
Network two tier based attacks
Combined three tier based attacks
Attack considerations
• Physical, logical or both
• SCADA, DCS or mix
• Two tier or three tier
• Method – protocol or software
• Main targets
– HMI
– I/O server
– PLC
Attack scenarios
• Physical interrupt
• DCS
• Two tier
• Engineering workstation
• PLC logic change
Attack sequence
• DCS software – technician laptop
• Protocol based attack
• Installed on the DCS control room main switch
• Step one: proxy ARP manipulation – directing all traffic from the HMI and engineering workstation to the attacker laptop
• The attacker laptop will be used to intercept the "command and utility" password
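A defender-side check for the ARP step in this sequence, added here as an example and not part of the original deck: a passive monitor that learns the IP-to-MAC binding of the protected control-room hosts from ARP replies seen on a switch span port and alerts when a later reply claims a different MAC for one of them. The host inventory, addresses and the capture below are constructed for the demo.

```python
from dataclasses import dataclass

# Assumed inventory (constructed): hosts whose IP->MAC binding must not change.
PROTECTED = {
    "10.1.0.10": "hmi-server",
    "10.1.0.11": "eng-workstation",
    "10.1.0.20": "plc-turbine-1",
}

@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start
    ip: str     # sender protocol address
    mac: str    # sender hardware address

def detect_arp_rebinding(replies, protected=PROTECTED):
    """Return alerts as (ts, host, ip, old_mac, new_mac) tuples.

    The first binding seen for a protected address is trusted (the
    monitor is assumed to start in a known-good state). A later reply
    claiming a different MAC is reported once per change, so a poisoned
    segment shows up as one alert per flip rather than one per frame.
    """
    bindings = {}
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        if r.ip not in protected:
            continue
        known = bindings.setdefault(r.ip, r.mac)
        if r.mac != known:
            alerts.append((r.ts, protected[r.ip], r.ip, known, r.mac))
            bindings[r.ip] = r.mac
    return alerts

# Constructed capture: from t=5s a laptop (aa:..:99) answers for the HMI and
# engineering workstation addresses, the footprint of the ARP manipulation step.
SAMPLE = [
    ArpReply(0.0, "10.1.0.10", "00:11:22:33:44:10"),
    ArpReply(0.5, "10.1.0.11", "00:11:22:33:44:11"),
    ArpReply(1.0, "10.1.0.20", "00:11:22:33:44:20"),
    ArpReply(2.0, "10.1.0.50", "00:11:22:33:44:50"),  # unmanaged host, ignored
    ArpReply(5.0, "10.1.0.10", "aa:bb:cc:dd:ee:99"),  # HMI IP now answered by laptop
    ArpReply(5.1, "10.1.0.11", "aa:bb:cc:dd:ee:99"),  # EWS IP now answered by laptop
    ArpReply(6.0, "10.1.0.10", "aa:bb:cc:dd:ee:99"),  # repeat, not re-alerted
]

if __name__ == "__main__":
    for ts, host, ip, old, new in detect_arp_rebinding(SAMPLE):
        print(f"t={ts:4.1f}s ALERT {host} ({ip}) moved {old} -> {new}")
```

Feeding the monitor from a live span port (for example by parsing ARP frames from a capture tool) and alerting on any flip for the HMI, engineering workstation or PLC addresses gives an early signal of the redirection described above.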
Attack sequence
• With the utility and command password, the attacker will gain access to the PLC main management interface
• Current logic is downloaded
• New logic is uploaded
• The virtual PLC software on the laptop imitates the old logic operation, transmitting the old tags' data to the operators (business as usual from the operator's view)
Attack sequence
• New PLC logic architecture
– Long term effect
– Low signature
• Logic operation
• Steam turbine vibration parameters modification
• When the turbine starts to vibrate outside the normal rate, the PLC shall transmit normal operation readings (this can go on for years)
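A plausibility check against the "business as usual" readings the modified PLC keeps sending, added as an example and not from the original deck. It assumes a hypothetical independent vibration monitor with its own path to the historian, and flags a window where the PLC tag diverges from that sensor or has lost the scatter of a live measurement; thresholds and sample values are constructed.

```python
from statistics import mean, pstdev

# Thresholds are assumptions for the demo; a real plant sets them per asset.
TOLERANCE_MM_S = 0.5          # max PLC vs independent-sensor difference
MAX_DIVERGENT_FRACTION = 0.2  # fraction of samples allowed outside tolerance
MIN_SCATTER_MM_S = 0.01       # a live vibration tag scatters at least this much

def check_vibration_window(plc, independent):
    """Compare one window of PLC-reported readings with the independent
    sensor and return a list of finding strings (empty means plausible).

    Check 1: the two series must agree within TOLERANCE_MM_S for most samples.
    Check 2: the PLC series must keep the natural scatter of a measurement;
    a replayed 'normal' series is typically flat while the real one is not.
    """
    if not plc or len(plc) != len(independent):
        raise ValueError("series must be aligned and non-empty")
    findings = []
    divergent = sum(1 for p, i in zip(plc, independent)
                    if abs(p - i) > TOLERANCE_MM_S)
    if divergent / len(plc) > MAX_DIVERGENT_FRACTION:
        findings.append(
            f"divergence: {divergent}/{len(plc)} samples differ by more than "
            f"{TOLERANCE_MM_S} mm/s (PLC mean {mean(plc):.2f}, "
            f"independent mean {mean(independent):.2f})")
    if pstdev(plc) < MIN_SCATTER_MM_S <= pstdev(independent):
        findings.append(
            f"flat PLC series: stdev {pstdev(plc):.3f} mm/s while the "
            f"independent sensor shows {pstdev(independent):.3f} mm/s")
    return findings

# Constructed windows of RMS vibration in mm/s (eight samples each).
# Healthy: both sensors agree and both scatter.
HEALTHY_PLC = [2.10, 2.14, 2.08, 2.17, 2.11, 2.09, 2.15, 2.12]
HEALTHY_IND = [2.12, 2.13, 2.07, 2.19, 2.10, 2.11, 2.16, 2.13]
# Compromised: the turbine drifts to ~4 mm/s, the PLC keeps replaying 'normal'.
SPOOFED_PLC = [2.11, 2.11, 2.12, 2.11, 2.11, 2.12, 2.11, 2.11]
REAL_IND = [3.95, 4.02, 4.10, 4.08, 4.21, 4.18, 4.30, 4.27]

if __name__ == "__main__":
    for label, p, i in (("healthy", HEALTHY_PLC, HEALTHY_IND),
                        ("spoofed", SPOOFED_PLC, REAL_IND)):
        print(label, check_vibration_window(p, i) or ["ok"])
```

The same window check applied to a baseline hash of the running PLC logic, compared against the last engineering-approved program, closes the other gap in this sequence: the download/upload of new logic.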