industrial control systems securityseido-lab.com/.../2016/...security-workshop-seido.pdf · ๏...

Ziad IsmailJean LeneutreAlia Fourati

December 11, 2015

Industrial Control Systems Security

Optimizing Security Policies

Workshop SEIDO - December 11, 2015 |

SMART GRID

2

POWER&SYSTEM&AUTOMATION!

DEMAND&RESPONSE!Real&'me!pricing!informa'on!to!consumers!to!manage!power!consump'on!ADVANCED&METERING!

Two&way!communica'on!between!the!customer!and!the!u'lity!company!

PLUG4IN&HUBRID!Enable!smart!charging!for!plug&in!electric!vehicles!

DISTRIBUTED&ENERGY&RESOURCES!Small!power!sources!that!can!be!aggregated!to!provide!power!necessary!to!meet!regular!demand!

STORAGE!Energy!generated!at!off&peak!'mes!is!stored!for!later!use!

Outage!isola'on!and!restora'on!


INDUSTRIAL CONTROL SYSTEMS

3

๏ A large scale management system to control equipment remotely and to process a very large number of measures in real time

๏ In general, it consists of:

- Field data interface devices (RTUs, PLCs) which interface to field sensing devices

- A central host computer server or servers

- A communication system to transfer data from field data interface devices to the central host computer

- A Human Machine Interface (HMI)

๏ Long life cycles

๏ Legacy serial protocols (DNP3, Modbus) were adapted to be used on IP-based ICS networks

IN A NUTSHELL


0%!

5%!

10%!

15%!

20%!

25%!

30%!

35%!

40%!

45%!

50%!

ICS-CERT Published

Vulnerabilities!

2009-2010 CSSP ICS Product Assessments!

2004-2008 CSSP ICS Product Assessments!

Improper Input Validation!

ICS Security Configuration and Maintenance!

Credentials Management!

Improper Authentication!

Permissions, Privileges, and Access Controls!

4

Comparison of ICS software security weaknesses*

*Source: Common Cybersecurity Vulnerabilities in Industrial Control Systems, DHS 2011.

0!

50!

100!

150!

200!

250!

2001! 2002! 2003! 2004! 2005! 2006! 2007! 2008! 2009! 2010! 2011!

ICS Specific Vulnerabilities in the Public 2001-2011

INDUSTRIAL CONTROL SYSTEMSDISCLOSED VULNERABILITIES


Hign!65%!

Medium!35%!

Energy!54%!

Critical Manufacturing!

16%!

Communications!5%!

Water!4%!

Transportation!5%!

Nuclear!3%!

Other!12%!

5

Cyber Incidents reported to ICS-CERT 2013 Common Vulnerability Scoring System (CVSS) Severity of ICS related vulnerabilities in 2013

INDUSTRIAL CONTROL SYSTEMSCYBER INCIDENTS


ICS SECURITY

6

๏ Use of off-the-shelf operating systems increases the attack surface

๏ Unsupported legacy software

๏ Number of equipment that can be accessed remotely has significantly increased

๏ Fixed maintenance schedules prevents quick preemptive actions to secure the system

๏ Sometimes, 99.999% or greater ICS uptime is required (<5min 35s per year for any reason)

๏ A quick response can be very challenging if it affects hundreds of sites at once

๏ We need to take into account the vulnerability footprint: deployment, exposure, impact, simplicity

INTRODUCTION


ICS SECURITY

7

IT patch management

Baseline Assess

ResolveMonitor

• Policy

• Asset Inventory

• Service Dependency

• Standards

• Vulnerability assessment

• Threat/Risk assessment

• Planning

• Prioritization

• Remediation

• Monitor

• Upgrade system


ICS SECURITY

8

Industrial patch management

Baseline Assess

ResolveMonitor

• Policy

• Asset Inventory

• Service Dependency

• Standards

• Vulnerability assessment

• Threat/Risk assessment

• Planning

• Prioritization

• Remediation

• Monitor

• Upgrade system

Exhaustive, cannot be done frequently

Which criteria?

Difficult, impractical

Takes a lot of time

Based on process, security, safety?

How?

Based on what?

Workshop SEIDO - December 11, 2015 | 9

๏ Propose a method and tools for defining defense strategies well-suited to the context of industrial control systems

- Taking into account time and topological constraints

- Limited defense budget

๏ It is important to consider the following dimensions:

- Relational: dependencies that exist between equipment and the services in the system to best predict the potential impact of cyber attacks

- Financial: the cost and the payoff of attacks and defense strategies

- Temporal: time needed to execute one or a sequence of attacks in order to reach a target in the system

ICS OPTIMAL SECURITY POLICYOBJECTIVE


ICS OPTIMAL SECURITY POLICY

10

OBJECTIVE๏ Types of impacts taken into account:

- Financial: economic consequence of compromising an equipment or a service

- Environmental: impact on the environment

- Human: impact of an attacker action on the physical security of personnel

๏ Deploy security countermeasures in order to:

- Minimize the impact of attacks

- Maximize the time needed for an attacker to compromise a critical equipment or service

- Minimize the probability that the attacker successfully compromise a critical equipment or service

- Ensure that financial, environmental, and human impacts remain within defined tolerated thresholds



11

EXAMPLE

WAN

Data Concentrator Unit

Smart Meters

Head-end System

SCADA Control Center Enterprise Network

SCADA Historian

Energy Management

System

Distribution Management

System

Outage Management

SystemControlServer

Engineering Workstation

SCADAHMI

Administrator Workstation

Meter Data Management

System

Work Management

System

Customer Analytics Server

Operations Analytics Server

Firmware Update Server

Geographical Information

SystemBilling

SystemCustomer

Information System

Load Forecasting

Application Server

Operator Workstation

ClientCommunication

Server Database

Firewall F3 Firewall F4

Firewall F2

Firewall F1

Customer Portal


ATTACK GRAPH GENERATION

12

EXAMPLE Cont.

While attacking the system, the attacker could face the following scenario



12

EXAMPLE Cont.

Node Aarrive (ta)

exploit vul. 1

exploit vul. 2

exploit vul. 2

exploit vul. 1

service s1 service s2

service s2 service s3

service s3

Node B

t2

t4

t3

t5

service s3service s1

service s5

While attacking the system, the attacker could face the following scenario



13

CHALLENGES

How to choose the optimal set of vulnerabilities that needs to be

patched?

Security objectives: availability and integrity of services

Take into account services dependencies

Evaluate the time needed to compromise an

equipment or a service

Impact of attacks depends on the profile of the

attacker

How to choose the optimal patching

schedules?How to assess the impact of an attack on the industrial

process?



14

APPROACH

1 2

Attack Graph Security Strategy

Generate a timed

probabilistic attack

graph. Three layers: network layer, service

layer and attack

execution layer

Generate the optimal patch strategy that best guarantees the

security objectives taking into account services dependencies



15

MODEL LAYERS

1 Service LayerRepresents dependencies between services

2 Network LayerRepresents machines and contains topological information about the system

3 Attack Execution LayerContains the set of rules describing the progress of the attacker in the system

Acces

s

Human

-acce

ss

Scan

Explo

it



16

ATTACK EXECUTIONS

1

3

2

4

5

6

7

8

9

State A State B

n_access

scan

n_access

exploit

exploit

n_access

exploit

exploit

n_access

exploit



17

PERFORMANCE

๏ A proof of concept have been implemented in C++

๏ More than 10 000 lines of code (including finding the optimal security policy)



17

PERFORMANCE



๏ How about performance?



17

PERFORMANCE



๏ How about performance?

0

25

50

75

100

30 39 48 57 66 75 84

Number of equipment

Ave

rage

tim

e (s

ec)



18

PERFORMANCE



18

PERFORMANCE

๏ What happens when we limit the number of actions that the attacker can execute in each attack path?



18

PERFORMANCE

0

10

20

30

40

30 39 48 57 66 75 84

๏ What happens when we limit the number of actions that the attacker can execute in each attack path?

Ave

rage

tim

e (s

ec)

15 20 30

Number of equipment

0

0.375

0.75

1.125

1.5

30 51 72 93 125 200

10

Ave

rage

tim

e (s

ec)

Number of equipment



19

In practice, the attack graph will look something like this

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

�� !��

��

��



19

In practice, the attack graph will look something like this

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

�� !��

��

��

Too complex to be manually analyzed



20

APPROACH

๏ We are trying to answer the following questions:

- At a given moment, the attacker was able to gain certain access to my network, how do I protect the system while anticipating all future attack attempts?

- Or, at a given moment, I know that the attacker is trying to execute a certain action, what should I do?

๏ Solution: Use the information in the generated attack graph and the available security countermeasures to create a Markov Decision Process (MDP) model

๏ Define a security objective and a set of constraints that needs to be satisfied and solve a Constrained Markov Decision Process (CMDP) problem

๏ The solution of the CMDP problem can be used to:

- Assist the asset owner in optimizing the response to intrusions

- Prioritize the deployment of security countermeasures in the system (patching vulnerabilities, deploying intrusion detection systems, etc.)



21

CASE STUDY

WAN

Data Concentrator Unit

Smart Meters

Head-end System

SCADA Control Center Enterprise Network

SCADA Historian

Energy Management

System

Distribution Management

System

Outage Management

SystemControlServer

Engineering Workstation

SCADAHMI



System

Work Management

System





SystemBilling

SystemCustomer

Information System

Load Forecasting

Application Server

Operator Workstation

ClientCommunication

Server Database

Firewall F3 Firewall F4

Firewall F2

Firewall F1

Customer Portal

��

��

��

��

��

��

� �

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

�

��

��

��

��

��

��

��

�

��

�

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

Services dependencies



22

CASE STUDY

๏ Scenario 1: minimize the cost of deploying security countermeasures if the attacker can get access to the enterprise network



System

Work Management

System





System

BillingSystem

Customer Information

System

Load Forecasting

Customer Portal

Priority



23

CASE STUDY



System

Work Management

System





System

BillingSystem


System

Load Forecasting

Customer Portal

๏ Scenario 2: minimize the cost of deploying security countermeasures if the attacker can get access to the enterprise network while setting constraints on the maximum tolerated residual risk on the system

Priority



24

CASE STUDY



System

Work Management

System





System

BillingSystem


System

Load Forecasting

Customer Portal

๏ Scenario 1: minimize the cost of deploying security countermeasures if the attacker can get access to the enterprise network

Priority

Patch

HIDS



25

CASE STUDY



System

Work Management

System





System

BillingSystem


System

Load Forecasting

Customer Portal

Patch

HIDS

๏ Scenario 2: minimize the cost of deploying security countermeasures if the attacker can get access to the enterprise network while setting constraints on the maximum tolerated residual risk on the system

Priority


FUTURE WORK

26

๏ Study cooperation (sharing of credentials, expertise, etc.) between multiple attackers and its effect on the success of their objectives

๏ Propose security hardening solutions:

- Find the critical set of knowledge items that once an attacker possesses, he can cause a significant impact on the system, and therefore must be protected

- Propose a hybrid hardening solution that includes: patching certain vulnerabilities, enforcing access control, monitoring sensible locations, etc.

Workshop SEIDO - December 11, 2015 | 27

APPENDIX


INDUSTRIAL CONTROL SYSTEMS

28

๏ In 2009, RATs were distributed on Exon, Shell, BP, etc. networks

๏ In 2010, a cyber attack targeted Iran's Natanz nuclear facility

๏ In 2012, a cyber attack targeted Iran’s main oil export terminal Kharg Island and its oil ministry

๏ In 2012, a major cyber attack aimed at American natural gas pipeline companies

๏ In 2014, a cyber attack attack on the computer network of a German steel mill that resulted in massive damage

๏ It has been revealed recently that the 2008 Turkey pipeline blast was a result of a cyber attack

๏ In 2014, Dell saw 202,322 SCADA attacks in Finland, 69,656 in the UK, and 51,258 in the US

RECENT ATTACKS


STATE OF THE ART

29

๏ Modeling services dependencies

- Impact of attacks on services using dependency graphs were modeled independently of the attack process [DKCC10]

- Anticipation Games [B08]: dual-layer structure, model services dependencies and interactions between an attacker and a defender (no-memory strategy)

๏ Combining attack graphs with a model of services dependencies [AJPS11]

- No clear separation between the infrastructure and the service layers

- A problem arises when multiple services and multiple vulnerabilities exist on a node

- Attacks taking advantage of access control policies are difficult to be represented (attack graph based on exploit dependency graph)

๏ Security hardening

- Identify the minimum number of exploits to remove [AWK02] [SHJLW02]

- Eliminate the minimal set of edges to prevent attacks [JNKAW11]


ATTACK EXECUTION MODEL

30

DEFINITIONS

Attack Execution Model

An attack execution model is a the tuple ⟨G, D, Γ, X , K, Ξ⟩ where:

• G = ⟨V, E, h⟩ is a multi-layered graph representing 2 types interconnections (network-based, human-based) between equipment

• D = ⟨∆, →⟩ is a services dependency graph where → is a binary relation

• Γ: set of vulnerabilities

• X: set of attackers targeting the system

• K: set of knowledge items

• Ξ: set of rules



31

DEFINITIONS

Graph Node

A node i in the graph G refers to a machine and is represented by the tuple = ⟨Γi, ∆i, Win, {αi

h,

βih, μih }⟩ where:

• Γi = {γk}: set of vulnerabilities on the machine

• ∆i = {δk}: set of services running on the machine

• Win: security asset of node i

• Host-based IDS characteristics: detection rate μih , false positives rate αi

h and false

negatives rate βih



32

Service

A service δi is defined as the tuple ⟨{(li, kic)}, Wi

s⟩ where:

• {(li , kic )}: access levels and credentials required to use/access the service

• Wis: impact of the service

Knowledge Items

The set of knowledge items K is represented by the tuple ⟨Ka,Kc,Kt⟩ where:

• Ka = ⟨V , E ⟩: information about machines and their interconnections

• Kc = {(vi , ci )|vi ∈ V }: set of credentials on machines

• Kt: set of specific tools and expertise needed to exploit vulnerabilities

DEFINITIONS



33

DEFINITIONS

Vulnerability

A vulnerability γij is represented by the tuple ⟨φpre,φpost⟩ where:

• φpre = {b, l, s, k}: set of preconditions

- b = {0, 1}: remote or local

- l: level of access required to exploit the vulnerability

- s: skill level required to exploit the vulnerability

- k ⊂ K: set of knowledge items needed to exploit the vulnerability

• φpost = ⟨{ld′}, k′⟩: set of postconditions

- ld′: set of acquired access levels

- k′ ⊂ K: set of acquired knowledge items



34

DEFINITIONS

Attacker Profile

An attacker is any type of adversaries targeting the system. An attacker i is represented by the tuple ⟨πi, si, Ri, ki⟩ where:

• πi: type of the attacker (hacker, nation state, insider attacker, etc.}

• si: skill level of the attacker

• Ri: attack preferences

• ki: set of knowledge items the attacker possesses



35

RULES

4 types of rules that could be executed by an attacker x:

๏ ξexploit(x,γij): Pre φpre → [te, c, ρ], Post φpost to exploit a vulnerability γi

j = ⟨ωi, τj , φpre, φpost⟩

in te time with a cost c and a payoff ρ

๏ ξscan(x): Pre ⟨R, K⟩ →[ts ,c], Post ⟨Γ, K⟩

๏ ξaccess(x): Pre ⟨V, L, K,V⟩ → Post L

๏ ξhuman−based access(x): Pre ⟨V, L, K, V⟩ →[tma], Post L



36

DEFINITIONS

Atomic Attack Execution

An atomic attack execution is a couple (Ξi,vi) where Ξi is a rule executed on node vi.

Attack Execution

Let P be the set of all attack executions within [0,M]. An attack execution pi ∈ P is a tuple ⟨(Ξi, vi), qi, >⟩ where > is a strict order on atomic attack executions.

industrial control systems securityseido-lab.com/.../2016/...security-workshop-seido.pdf · ๏...

Documents