A Cyber-Resilient ICS through Diversified Redundancy and Intrusion Detection


A Cyber-Resilient ICS through Diversified Redundancy and Intrusion Detection
Keynote Speaker Presentation
Charles Kim, Ph.D., Professor, Electrical Engineering and Computer Science, Howard University, Washington DC, USA
ckim@howard.edu
WWW.MWFTR.COM

Where is Howard?
Founded in 1867; private university; 10,000 students

Table of Contents
- Background: Cyber Vulnerabilities in Industrial Control Systems (ICS)
- New Control System Architecture: Diversified Redundancy
- Incorporation of Intrusion Detection
- Validation Experimentation
- Conclusions

Introduction
- Enhanced use of networked (intelligent/smart) devices: cyber security vulnerabilities exploited by hackers.
- IT-side security techniques are not adequate for the attacks specific to control system networks.
- Intrinsic weakness of the communication protocols used by (legacy) control networks and devices.

Cyber Vulnerability in Industrial Control Systems (ICS)
- Connected control systems
  - No longer stand-alone: "no air-gap"
  - Connected to the corporate network via the Internet: open connectivity
  - Resulted in an increase in security vulnerability: unauthorized access and intrusion, malicious code manipulation, exploitation
  - Cyber security threats on ICS are ever increasing
  - Legacy systems developed for the pre-Internet era are vulnerable to cyber attacks
- Ukraine (2015): first successful cyber attack on a power system

Cyber attacks on ICS
- 2010 – Stuxnet – nuclear plant
- 2011 – Duqu – malware for ICS attacks (similar to Stuxnet)
- 2012 – BlackEnergy – targets ICS running GE products
- 2014 – Havex – remote access attacks in the energy sector
- 2015 – attack on the Ukraine power system
- 2016 – attack on Ukraine military artillery

Cyber Vulnerability in ICS
Bowman Avenue Dam, Rye Brook, NY, 2013: used the technique to identify an unprotected computer that controlled sluice gates and other functions.

Cyber Vulnerability in ICS
Google search process: "Google Dorking"
Point: any tool can be used to hack.

Cyber Vulnerability in ICS – Stuxnet at Natanz
Zero-day vulnerability: we know only what we know.

Ukraine Grid Outage – Dec 23, 2015
- US DHS assessment: interview with 6 Ukrainian organizations affected by the blackout
- DHS: "the December power outage in Ukraine affecting 225,000 customers is the result of a cyber attack", the first U.S. government-recognized blackout caused by a malicious hack
- First known successful cyber intrusion to knock a power grid offline
- Believed to be staged by a Russian hacking group known as "Sandworm"

Ukraine Grid Attack
- Affected by a lesser attack in October
- A similar type of malware had been identified as far back as July by an anti-virus software company
- Attackers must have known what software was installed: by emails to workers with infected Word or Excel files
- Lesson: difficulties and uncertainties

U.S. Grid Outage Risk
FERC (U.S. Federal Electric Reliability Council): "The U.S. could suffer a coast-to-coast blackout if saboteurs knocked out just nine of the country's 55,000 electric transmission substations on a scorching summer day".
How to protect the US (and your) grid against hackers?

IoT Vulnerabilities
- Botnet attack
  - Web cams: password vulnerability etc.
- Victims
  - Dyn – internet infrastructure company (New Hampshire)
  - Internet directory service shut down

Your AC and security camera may be controlled by someone else
Susceptible devices: thermostats and cameras

Your refrigerator may be controlled by someone else
Smart appliances

Your kid's toy may be controlled by someone else
Smart toys

How hackers gain access
Hacker's 6 steps, according to the National Center of Cybersecurity:
1. Gain the authorities of the system manager through social engineering and spy emails
2. Remote entry to the network through VPN (virtual private network), VNC (virtual network computing), and others
3. Scan the intranet to learn the operating systems and terminals
4. Copy malware files to one of the network computers to spread to other computers in the intranet
5. Operate malware and worm software remotely using Group Policy or System Center Configuration Manager
6. Damage: deletion of data, destruction of OS and software configuration, encryption of data

In addition, software faults

Complexity and software-related problems

Software – Curse of Flexibility
- Easy change of computer function by easy change of software: flexible, quick and low cost, but also error introduction and complexity
- Success and partial success
  - S/W: difficult to build one that works under all conditions; possible to build one that works 90% of the time
  - Aircraft: almost impossible to build a plane that flies 90% of the time

Hidden Bugs in Trusted Software
OpenSSL Project: SSL (Secure Sockets Layer), TLS (Transport Layer Security)

How errors were inserted

Software Failure and Quantification
- Can software failure be quantified?
- Fault density
  - "Software fault density": the number of faults per unit of program size, i.e. the number of faults per line of code
  - Empirical study with previous software projects
- Finding and implication
  - A practical reality is that operational software developed using contemporary practices tends to exhibit a fault density of 2.2x10^-3 faults per line
  - A software program must somehow be inherently faulted!!! ?

Protective Relay S/W Vulnerability
- A bug in software used to control the flow of electricity in a utility's power system, identified at a Black Hat conference
- Remote control of GE protection relays: "old GE relays introduced in the 1990s"
- Patches for 5 of 6 models affected by the vulnerabilities

Present Approaches for ICS Hardening
- Basis: cyber security for IT systems
- Strategies and tools for
  - Anomaly detection
  - Intrusion detection
  - Network access behavior analysis
  - Mitigation strategy
- Problems
  - May block some known attacks and attack vectors
  - Post-mortem approach after damages have been done
  - Not attack-proof
  - Exploitable vulnerabilities in ICS are real and, if not addressed timely, cause serious impacts to public safety and critical infrastructure

Existing Control System [simple model]
Sensors, actuators, enterprise network

Existing Control System [simple model]
A hacker may access the controller and manipulate the S/W

Toward Cyber-Resilient ICS
- Cyber insensitive
  - Operation basis
- Hardware redundancy
  - Supplementary control part (for "safe mode")
  - Unidirectional communication for situation alert
- Working under a compromised situation
  - Fail-safe or fail-operate
  - Resilience
- "Broken part" assumption

System Regulator Under the "Broken System" Assumption
Old toilet age:
- Flooded floor every morning
- After mopping, the toilet appears trouble-free during the day
- Flooded floor again the next morning

System Regulator Under the "Broken System" Assumption
- Busy time: flushes before the water level goes above
- Night hours: the effect of the valve failure is realized

System Regulator Under the "Broken System" Assumption
How to design a toilet under the assumption that the gasket on the valve will eventually wear out?

Architecture of Diversified Redundant Control System
- Network-connected primary controller
- Isolated secondary controller: full duplication or a part for "safe mode"
- Supervisor for operation-basis supervision
- Unidirectional reporting
- Cyber-robust for
  - Common virus
  - Man-in-the-middle attack
  - Stuxnet-like worm

Validation in Lab Experimentation
- Network server: Internet-connected laptop with IP 10.232.100.114
- Supervisor holds an operational data(base) in it
- Simple code: read the DIP position and send out the corresponding LED on/off

Validation in Lab Experimentation – Attack/Response Scenario
(1) Engineer/manager credentials stolen
(2) Remote access to the network server
(3) Access to the primary controller: malicious code change
(4) Supervisor notices operation change
(5) Transfer control to the secondary controller

Validation in Lab Experimentation

Validation in Lab Experimentation
Open VPN attack – made through Virtual Private Network (VPN)

Validation in Lab Experimentation
Attack – hacker connects, using the Remote Desktop tool of Microsoft Windows, to the remote network server
Certificate of network server

Validation in Lab Experimentation
Server log-on
Desktop of network server

Validation in Lab Experimentation
Code change: upload the revised code, run the code

Validation in Lab Experimentation – New Architecture
Supervisor's action:
(1) Operation-action mismatch recognized
(2) Control transfer to secondary controller
(3) Twitter message: simulation of unidirectional alert
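The supervisor's decision in the scenario above, written out as an added Python model; this is illustration code, not the presentation's or the lab's own software. Assumed: the operational data the supervisor holds is a table from DIP-switch position to the expected LED pattern (the lab's "simple code"), the supervisor sees only what the primary controller actually drove onto the LEDs, and the one-way alert is a callback standing in for the tweet. The honest run also shows the limit of operation-basis supervision: a controller whose outputs still match the table raises no alert, so a hacker who only looks around stays invisible to it.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Pattern = Tuple[bool, bool, bool]  # on/off state of three LEDs

# Constructed operational table held by the supervisor: DIP position -> expected LED pattern.
OPERATIONAL_TABLE: Dict[int, Pattern] = {
    0: (False, False, False),
    1: (True, False, False),
    2: (False, True, False),
    3: (True, True, False),
}


def secondary_controller(dip: int) -> Pattern:
    """Isolated secondary controller: safe-mode functionality only (the table lookup)."""
    return OPERATIONAL_TABLE[dip]


@dataclass
class Supervisor:
    """Operation-basis supervision: compare what the primary did against what the
    operational table says it should have done. It never talks to the network."""
    alert: Callable[[str], None]          # unidirectional reporting channel (lab used a tweet)
    active: str = "primary"
    events: List[str] = field(default_factory=list)

    def check(self, dip: int, observed: Pattern) -> Pattern:
        expected = OPERATIONAL_TABLE[dip]
        if self.active == "primary" and observed != expected:
            self.active = "secondary"
            msg = (f"operation-action mismatch at DIP={dip}: expected {expected}, "
                   f"observed {observed}; control transferred to secondary controller")
            self.events.append(msg)
            self.alert(msg)
        # After the transfer the process follows the safe-mode controller, whatever
        # the (possibly compromised) primary keeps emitting.
        return secondary_controller(dip) if self.active == "secondary" else observed


def honest_primary(dip: int) -> Pattern:
    """Primary controller running the original code."""
    return OPERATIONAL_TABLE[dip]


def tampered_primary(dip: int) -> Pattern:
    """Constructed stand-in for the scenario's malicious code change: wrong pattern at DIP 2."""
    return (True, False, True) if dip == 2 else OPERATIONAL_TABLE[dip]


def run_scenario(primary: Callable[[int], Pattern], dips: List[int]):
    """Return (controller in control at the end, LED outputs seen by the process, alerts sent)."""
    alerts: List[str] = []
    sup = Supervisor(alert=alerts.append)
    outputs = [sup.check(d, primary(d)) for d in dips]
    return sup.active, outputs, alerts


if __name__ == "__main__":
    print(run_scenario(honest_primary, [0, 1, 2, 3]))
    print(run_scenario(tampered_primary, [0, 1, 2, 3, 2]))
```

Note that the outputs reaching the process are identical in both runs: the mismatch is absorbed by the control transfer, which is the "maintains normal operation under a compromised situation" property the architecture claims.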

Validation in Lab Experimentation
Supervisor reports the situation to the enterprise system via a unidirectional network (tweeting to the Twitter account in this lab experiment)

Validation in Cybersecurity Testbed
DETERlab (Cyber DEfense Technology Experimental Research Laboratory)
- 400 computer nodes
- 10 network interfaces/node
- 200 active projects
- 6 power grid projects
- 2 control systems
- USC, UC Berkeley, and DHS/NSF

Experimentation in DeterLab
1. Inherent problem: isolated control devices such as secondary controllers and supervisors are not represented in the DeterLab model
2. Approach
  - Develop a network model inside DETER
  - Physical system of the diversified redundant ICS at Howard University
  - Develop an interface between DETER and the real physical system: primary controller to a node in DETER
  - In DETER, access/hack the designated node (which actually controls the primary controller)
  - Test/observe how the supervisor detects abnormal activity and transfers the control to the secondary controller

Physical System – DETER
Physical components in the diversified redundant ICS are each represented by a DETER node
A DETER node needs: OS (Linux), network connection

DeterLab Process: Experiment Creation
Network Simulation (NS) syntax

Interface Development
Representation of a physical primary controller by a DETER node
Effect: hacking the DETER node (nodeA) inside the DeterLab is the same as hacking the physical primary controller

Interface Development
Representation of a physical primary controller by nodeA
- SSH tunneling
  - We need to go through the portal.
  - Create a tunnel between the primary controller and nodeA.
  - The tunnel will stay open as long as the machines are connected to each other.
  - Certain files are updated automatically.
  - The update will run every minute.

Testing the ICS – Hacked Flow Rate

Diversified Redundant ICS – summary
- Primary controller
  - Connected
  - Full functionality
- Redundant controller
  - Isolated
  - Basic (safe-mode) functionality only
- Supervisor
  - Operation-based control transfer
  - Unidirectional connection
  - Notification sent to EMS
- Operation-based mitigation
  - Maintains normal operation under a compromised situation

Improvement to Diversified Redundant ICS Architecture by adding Intrusion Detection
- The diversified redundant architecture has vulnerabilities
  - Only mitigates against operational anomalies
  - Cannot confirm if a hacker is present (namely, pinging or reconnaissance)
- Improvement needed: situational awareness to detect and confirm the presence of hacking attempts
- Approach: control data bus (Modbus) monitoring and intrusion detection
  - Detection of hacker presence on the control network
  - Detection of known and unknown cyber attacks

Modbus Data Traffic – Example

Intrusion Detection
- An Intrusion Detection System (IDS):
  - a device or software that monitors a network or system for malicious activity.
  - used as both a reactive and proactive method to verify if a network has been compromised.
- Intrusion detection can be done in two types:
  - Signature-based
  - Anomaly-based

Implementation of Snort
- Install Snort: location based on IDS strategy – "Supervisor" (our case)
- Create Snort directories
- Create Snort user and grant privileges
- Configure Snort
  - Design and configure IDS signature rules
  - Design and configure IDS anomaly rules
  - Set up and configure the Snort database
  - Configure and execute Snort as a daemon
- Scan the Snort log and generate email using Python
- Supervisor (now RPi) for Snort installation
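The "scan the Snort log and generate email" step, as an added Python example; it is not the supervisor's actual script from the presentation. It assumes Snort writes its alerts in the standard alert_fast format, parses a constructed excerpt of such a log (sid 1000001 is the rule shown on the slides; sid 1000002 and all addresses are made up for the example), collapses repeated hits of the same rule from the same source, and composes the notification as an email message object. Sending it to the EMS mailbox is left to whatever one-way channel the supervisor uses.

```python
import re
from collections import Counter
from email.message import EmailMessage
from typing import Dict, List, Optional

# Layout of one Snort alert_fast line:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Priority: n] {proto} src:port -> dst:port
FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed log excerpt; sid 1000002 is a hypothetical second rule, addresses are made up.
SAMPLE_LOG = """\
03/09-14:21:05.123456  [**] [1:1000001:0] MODBUS Function Not Allowed!!! [**] [Priority: 5] {TCP} 10.232.100.114:49152 -> 192.168.1.10:502
03/09-14:21:05.223456  [**] [1:1000001:0] MODBUS Function Not Allowed!!! [**] [Priority: 5] {TCP} 10.232.100.114:49153 -> 192.168.1.10:502
03/09-14:21:07.000001  [**] [1:1000002:1] MODBUS Read Device ID request (hypothetical rule) [**] [Priority: 3] {TCP} 10.232.100.114:49154 -> 192.168.1.10:502
this line is not an alert and must be skipped
"""


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """One dict per well-formed alert line; anything that does not match the format is skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := FAST_LINE.match(line))]


def summarize(alerts: List[Dict[str, str]]) -> Counter:
    """Collapse repeated hits of the same rule from the same source into one counted entry."""
    return Counter((a["sid"], a["msg"], a["src"], a["dst"]) for a in alerts)


def build_notification(alerts: List[Dict[str, str]], sender: str, recipient: str) -> Optional[EmailMessage]:
    """Compose (not send) the supervisor's email; None when there is nothing to report."""
    if not alerts:
        return None
    lines = [f"{count}x sid {sid} '{msg}' {src} -> {dst}"
             for (sid, msg, src, dst), count in summarize(alerts).items()]
    mail = EmailMessage()
    mail["From"], mail["To"] = sender, recipient
    mail["Subject"] = f"[Supervisor] {len(alerts)} Snort alert(s) on the Modbus network"
    mail.set_content("Snort alerts observed on the control data bus:\n\n" + "\n".join(lines) + "\n")
    return mail


if __name__ == "__main__":
    report = build_notification(parse_alerts(SAMPLE_LOG), "supervisor@example.invalid", "ems@example.invalid")
    print(report)
```

A periodic scan should remember how far into the log it has read (or rotate the log) so the same alerts are not mailed on every run; the grouping above keeps a burst of identical hits from turning into a flood of lines.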

Designing and Writing Snort Rules
Example:

    alert tcp $EXTERNAL_NET any -> $MODBUS_NET 502 (content:!"|02|"; offset:7; depth:1; flow:established,to_server; msg:"MODBUS Function Not Allowed!!!"; sid:1000001; rev:0; priority:5;)

- The above rule allows discrete input operations only, on a network intended for monitoring-only functions.
- The byte in the 8th position (offset 7) contains the Modbus function code.
- The rule checks the function code of Modbus TCP traffic going from the client network to the server network for function code 2, which is "Read Discrete Input".
- If the function code of the traffic is examined and found to be other than 2, then an alert message is generated.
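The same check as the rule, carried out in Python over constructed Modbus TCP frames; this is an added example, not code from the presentation. It splits the 7-byte MBAP header (transaction id, protocol id, length, unit id) from the PDU, reads the function code at offset 7 exactly as the rule's `offset:7; depth:1` does, and flags any request whose function code is not 2. It goes a little beyond the slide by rejecting malformed frames (wrong protocol id or length) instead of reading a function code out of garbage, and by including a Read Device Identification request, the kind of reconnaissance-style traffic the deck says operation-basis supervision alone cannot see.

```python
import struct
from typing import List, Optional, Tuple

READ_DISCRETE_INPUTS = 0x02
# Monitoring-only policy expressed by the rule: only function code 2 is allowed.
ALLOWED_FUNCTIONS = {READ_DISCRETE_INPUTS}

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id (7 bytes)


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble a Modbus TCP ADU (MBAP header + PDU); used here only to construct samples."""
    pdu = bytes([function]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_adu(frame: bytes) -> Optional[dict]:
    """Split an ADU into header fields, the function code at offset 7, and the data."""
    if len(frame) < MBAP.size + 1:
        return None
    tid, pid, length, unit = MBAP.unpack(frame[:MBAP.size])
    # Protocol id is always 0 for Modbus; the length field counts unit id + PDU.
    if pid != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def check_request(frame: bytes) -> Tuple[str, Optional[int]]:
    """Counterpart of the Snort rule: 'alert' when byte 7 is anything but 0x02."""
    adu = parse_adu(frame)
    if adu is None:
        return "malformed", None
    if adu["function"] not in ALLOWED_FUNCTIONS:
        return "alert", adu["function"]
    return "ok", adu["function"]


def audit(frames: List[bytes]) -> List[str]:
    """Run the check over a capture and return alert messages in the rule's wording."""
    msgs = []
    for i, frame in enumerate(frames):
        verdict, fc = check_request(frame)
        if verdict == "alert":
            msgs.append(f"frame {i}: MODBUS Function Not Allowed!!! (function code 0x{fc:02x})")
        elif verdict == "malformed":
            msgs.append(f"frame {i}: malformed Modbus TCP frame")
    return msgs


# Constructed sample traffic from the client network to the Modbus server (port 502).
SAMPLE_FRAMES = [
    build_request(1, 1, 0x02, struct.pack(">HH", 0, 8)),        # Read Discrete Inputs 0-7: allowed
    build_request(2, 1, 0x05, struct.pack(">HH", 1, 0xFF00)),   # Write Single Coil: alert
    build_request(3, 1, 0x2B, bytes([0x0E, 0x01, 0x00])),       # Read Device Identification: alert
    b"\x00\x04\x00\x00",                                        # truncated: malformed
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES):
        print(line)
```

Because the rule keys on a single byte, anything that is not a well-formed Modbus request on port 502 will also trip it; that is acceptable for a monitoring-only segment, where any such traffic is worth a look, but the malformed verdict is kept separate so the two cases can be reported differently.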

ICS with Diversified Redundancy and Intrusion Detection
- Operation-based resiliency through safe-mode redundant controller and supervisor
- Added feature of intrusion detection in the supervisor
- Redundancy maintains the normal operation against external or insider attacks or sabotage
- Snort rules detect abnormal traffic in the Modbus
- Snort runs in stealth mode, undetected by a potential attacker
- Alert message sent to the EMS

Experimental Testing Setup
Experimental setup

Experimental Validation – without IDS
Blue light ON (indication of an event); control transferred
Threshold change detected – hacker presence assumed – notification email sent

Experimental Validation – without IDS
Blue light OFF (indication of no event); control remained
Reconnaissance only – no threshold change – hacker presence unknown

Experimental Validation – with IDS
Blue light ON (indication of an operation maintained)
Threshold change detected – Snort verifies presence of hacker and notification email sent

Experimental Validation – with IDS
Blue light ON (indication of an operation maintained)
No threshold change, reconnaissance only – detected – Snort verifies presence of hacker and notification email sent

Conclusions
- ICS networking invites a new challenge of securing the control network against cyber vulnerabilities.
- Challenges of detecting ALL and NEW and unknown viruses, worms, and Trojan horses
- Inherent software faults open the door to errors, malicious viruses, and exploiters/hackers
- Cyber-Resilient Diversified Redundant ICS Architecture (Primary (connected), Redundant (isolated and "safe-mode"), and Supervisor (unidirectional)): strength and weakness
- Intrusion detection added with Snort: Diversified Redundant Architecture with Intrusion Detection ("DRAID") for resilient ICS
- Snort rules and Python scripts integrated into the supervisor for Modbus traffic signature- and anomaly-based intrusion detection
- Experimental validation of the DRAID for hacker presence detection and control transfer to the redundant controller
- DRAID can provide a resilient and secure ICS.

Related Works
- Dayne Robinson and Charles Kim, "A Cyber-Defensive Industrial Control System with Redundancy and Intrusion Detection," 2017 North American Power Symposium, Sept 17-19, 2017, Morgantown WV.
- Charles Kim and Dayne Robinson, "Modbus Monitoring for Networked Control Systems of Cyber Defensive Architecture," 2017 IEEE SysCon, April 24-27, 2017.
- Charles Kim, "Cyber-Defensive Architecture for Networked Industrial Control Systems," International Journal of Engineering and Computer Science, Vol. 2, No. 1, pp. 1-9, Jan. 2017. 32/ijeacs/0201/01
- Charles Kim, "A Cyber-Resilient Industrial Control System with Diversified Architecture and Control Bus Monitoring," World Congress on Industrial Control System Security (WCISCSS 2016), December 12-14, 2016, London, UK.
- Charles Kim and Ravindranath Jaglal, "A cyber-robust connected-control system: Experimental validation," Proc. of the 29th International Conference on Computer Application in Industry and Engineering, pp. 133-138, Denver, CO, September 26-28, 2016.
- Charles Kim, Karen Green, and Andre Duarte Palhares, "Cybersecurity testbed experimentation of a resilient control system for power substations," Proc. of the 29th International Conference on Computer Application in Industry and Engineering, pp. 139-144, Denver, CO, September 26-28, 2016.
- Charles Kim, "Safety Challenges for Connected Cars," IEEE Transportation Electrification Community Newsletter, June 2016.
- Charles Kim, "High-Tech Cars: Safety-Critical Computer Systems," Invited Talk in an IEEE Focused Workshop for Exploring Cybersecurity Challenges in Electrified Transportation, Feb 24-25, 2016, Washington DC.

