Cyber Security Research on Industrial Control Systems
SM Yiu Department of Computer Science
The University of Hong Kong
Cyber-security for industry 4.0 conference 23 June, 2017
Will the following only be seen in movies?
Movies: Cyber Hacking (2015); Italian Job (2003)
IT IS REAL!
(Defcon Hacking conference 2014)
2016 (US): 295 reports of ICS attacks (20% )
- Mar: New York dam (control system accessed)
- April: German nuclear power plant (malware)
- Light-rail system, ….
The purpose of the talk is to raise the awareness of the community on the security
issues of ICS.
Key components of an ICS (Guide to Industrial Control System (ICS) Security, NIST, 2015)
Numerous attack points
SCADA – a typical ICS (Guide to Industrial Control System (ICS) Security, NIST, 2015)
PLC (programmable logic controller)
- A small digital computer used for automation of various electro-mechanical processes in industry.
- Specially designed to survive in harsh conditions
- Programs can be written in a computer and downloaded to PLC via a communication link (e.g. cable)
- “hard” real-time system: output produced in response to input conditions within limited time.
Are PLCs critical? In what systems are they used?
Yuen Long Sewage Treatment system
Ventilation Control and Monitoring System for Tunnel of subway/railway
(pictures from MTR report)
How easy is it to hack a PLC?
• PLCs are NOT secure:
A PLC has no proper protection built in: no authentication or encryption for the communication protocol.
PLCs can be discovered by packet sniffing.
Touch panel for floor selection
PLC to control the lift
A Touch panel to control the lift
Sensor to detect the current floor
Switch that connects the PLC and Touch Panel
The PLC that controls the Lift system
Attack on the Lift System
Hacker
Connect to the PLC and control the lift directly
NO authentication
Q: Some engineers feel that it is not easy to connect to it because it is a “closed” system. Do you agree?
Network capability
Five attacks (4 with demos)
1. DoS attack
– 100 MB/s is already enough to stop the PLC from receiving any valid commands
– No advanced hacking knowledge needed.
Packet generation program – free from Internet
2. Command injection attack
– We connect to the PLC directly and generate random commands to the PLC
– A little bit more knowledge needed: replay attack!
3. Control the lift
– Take control of the PLC; the attacker can order the lift to whatever level.
– Understand the commands from touch panel to PLC.
4. Manipulate the sensor values
– Actively modify the sensor values
– More knowledge about the sensor variables stored in PLC
5. Time bomb: hack the traffic lights
– Build a time bomb to turn both lights for cars and pedestrians green at the same time ONCE IN A WHILE.
Again, a real case in US (Dec 2015).
They examined the traffic light and performed forensic analysis on the PLC …........
Surprisingly…..
| Event/log | Date/time |
|---|---|
| Program last modified | Dec 08 2015 3:05pm |
| Program last compiled | Dec 08 2015 5:46pm |
| Program last uploaded (by engineer) | Dec 08 2015 5:46pm |
| Program last uploaded (by ????) | Dec 26 2015 4:18am |
| Accident | Dec 26 2015 pm |
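The anomaly in this timeline can be found mechanically. The following is an added example, not part of the original slides: it flags program uploads that come from an unlisted actor, fall outside a maintenance window, or have no compile event on the same day. The record layout, actor labels, allow-list and window hours are assumptions; the timestamps are the four timed entries from the slide.

```python
from datetime import datetime, time

# Constructed records mirroring the timeline on the slide; the tuple layout
# and the "engineer"/"unknown" actor labels are assumptions for this example.
EVENTS = [
    ("modified", "engineer", "Dec 08 2015 3:05pm"),
    ("compiled", "engineer", "Dec 08 2015 5:46pm"),
    ("uploaded", "engineer", "Dec 08 2015 5:46pm"),
    ("uploaded", "unknown",  "Dec 26 2015 4:18am"),
]

AUTHORIZED = {"engineer"}                 # assumed allow-list of actors
WORK_START, WORK_END = time(8), time(19)  # assumed maintenance window


def parse(ts):
    """Parse the slide's timestamp format, e.g. 'Dec 08 2015 3:05pm'."""
    return datetime.strptime(ts, "%b %d %Y %I:%M%p")


def suspicious_uploads(events):
    """Return (timestamp, reasons) for every upload that looks out of place."""
    compiles = [parse(ts) for kind, _, ts in events if kind == "compiled"]
    findings = []
    for kind, actor, ts in events:
        if kind != "uploaded":
            continue
        when, reasons = parse(ts), []
        if actor not in AUTHORIZED:
            reasons.append("uploader not on allow-list")
        if not (WORK_START <= when.time() <= WORK_END):
            reasons.append("outside maintenance window")
        # A routine upload follows a compile made earlier the same day.
        if not any(c.date() == when.date() and c <= when for c in compiles):
            reasons.append("no compile on the same day")
        if reasons:
            findings.append((ts, reasons))
    return findings


if __name__ == "__main__":
    for ts, reasons in suspicious_uploads(EVENTS):
        print(ts, "->", "; ".join(reasons))
```
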
What can we do (our research directions besides attack)?
- Build a protection layer
  * Difficulty: low processing power, limited memory/buffer of PLC.
- Add in a forensic module
  * For detection and investigation.
Building a protection layer
….......
E.g. firewall
(i)
(ii) Light-weight detection module inside the PLC.
Remark: We also have some interesting methods to do forensics (e.g. how to log the events with limited buffers/power)
Acknowledgements
<Thank you>
Dr. KP Chow, leader of our research group
Our talented research students/engineers
- Raymond Chan *
- Chun Fai Chan, Ken Yau
- Han Yu, Bo Zhang, Yuan Zhang
Our partner: Cisco
** We are more than willing to collaborate with industry for related R&D problems **
Alex Choy, PolyU