Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Cross-site scripting wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Access control wikipedia , lookup
Distributed firewall wikipedia , lookup
Unix security wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Mobile security wikipedia , lookup
Cyber-security regulation wikipedia , lookup
Security-focused operating system wikipedia , lookup
Cyberterrorism wikipedia , lookup
Cyberwarfare wikipedia , lookup
Computer security wikipedia , lookup
Mike Burmester Work with W. Owen Redwood and Joshua Lawrence 1. Critical Infrastructures protection Critical infrastructure ecologies, resilience, real vs ideal world simulations b. Protection and control architecture for EG substations c. Vulns of an IEC61850 enabled EG substations, synchronized attacks a. 2. Honeypots a. real-time situational awareness tools b. Cyber-Physical Systems i. ii. SCADA / Critical Infrastructure Vulns & Security & state of Threat Intelligence 3. Symbolic Cyber-Physical Honeynets a. Situational Awareness for SCADA / ICS Human A Physical Cyber (real world adversary) controls all communication channels A (ideal world adversary) controls all communication channels Human Physical Cyber Human Physical Cyber F (protected functionality) Bricks Bricks Ethernet connectivity to SCADA & HMI IEDs I/O via fiber IEDs I/O via fiber Ethernet -- Substation Bus Relay IED Meter Other Substations HMI Remote Operator Internet Ethernet -- Process Bus 5 Merge Unit Merge Unit Control Center Vulnerabilities are indicated by “ “ and involve physical/human/cyber entities. For example: the Remote Operator or their computer may be compromised, the behavior of the Relay or the Merge Unit Brick may be irregular (because of unexpected inputs), etc. Our goal is to: Analyze realtime multi-layer vulnerabilities of EG infrastructures resulting from malicious/unexpected behavior. Analyze cascading EG infrastructure faults. Identify vulnerabilities & exploits of IEC61850 substation automation systems using hardware-in-the-loop realtime testing. Develop a framework that addresses holistic integrity in realtime by enforcing trust policies and controls and by enabling security mechanisms and tools (engines). Maintaining Functionality at Sustained Levels output power sustained functionality level time Backup power Capture: ● ● ● ● ● ● ● ● ● Tool use detection tests (and sometimes fail!) initial intrusion outbound connection initiated ... expand access and obtain credentials strengthening of foothold data exfil attempts to cover tracks diagram from http://en.wikipedia.org/wiki/Advanced_persistent_threat Honeynet - More than one honeypot Low interaction ● simulates a controlled subset of the target’s attack surface o o emulates common services, applications, OSes low risk High interaction ● utilizes real services, apps, OSs (near-real attack surface) o o o commonly have a HMI or GUI high risk capture far more data ● Good, currently-maintained tools for these are RARE ● Exploitation techniques & strategies ● Post-exploitation techniques & strategies, and ● end goals (very hard to observe) computational systems that monitor and control physical entities ● ● ● ● ● control systems sensor-based systems autonomous systems robotic systems etc... Typically a network of: ● ● ● Remote Telemetry Units (RTUs) Programmable Logic Controllers (PLCs) Intelligent Electronic Devices (IEDs) (may be a MAC-layer “station bus” network)==> Controlled by: ● ● ● ● Supervisory Control And Data Acquisition (SCADA) system(s) Industrial Control System (ICS) system(s) Process Control System (PCS) system(s) Distributed Control System (DCS) system(s) Are embedded systems, ● ● ● ● Linux VXworks Solaris custom firmware, custom OS... with some specialized additions: ● sensors, actuators, regulators, communication devices, and “control” processing units Standards designed by engineers FOR engineers Access to standards/documentation > $10,000 o restricted access, yet expect everyone to adopt it Descriptions of protocols are open, but closed-source code is common ● Implementations thus differ per vendor o Makes things hell for the control systems vendors Specialized Search engines: ● SHODAN - Sentient Hyper-Optimized Data Access Network o http://www.shodanhq.com/ ● ERIPP - Every Routable IP Project o http://eripp.com/ ● IRAM - Industrial Risk Assessment Map o http://www.scadacs.org/iram.html Project SHINE (early 2014): ● uses SHODAN to detect how many ICS systems are connected to internet EACH DAY: ● 2000-8000 NEW ICS on internet PER DAY ● “forever-day” originated. ● n-days typically never get patched. <==This trivializes the cost of target research. ● Accessible to all levels of threat ● Amplifies the impact / opportunities of all other stages of the attack cycle o Stuxnet-level attacks aren’t possible without research ● Thus the “low-hanging fruit” of attackers can cause significant damage ● vendor backdoors are common ● 1990’s network interface cards, easy to DoS ● very hard to patch / update Hacking: it’s like its 1980’s, once you get inside the network Security designed by Engineers != Security No modern security like: ● Executable Exploit Mitigations: o o o o o o ASLR DEP / N^X / W^X Control Flow Locking GS / Stack cookies (compiler dependent) safe heap allocators (compiler dependent) kernel / file integrity watchdogs GLEG Ltd (Russian Company) sells: ● Agora: since 2006, contains 160+ CPS exploitation modules ● SCADA+: project containing “ALL publicly available SCADA vuln”s in one exploit pack Core Impact sells: ● ExCraft SCADA Pack: 50+ CPS exploitation modules SamuraiSTFU (Security Testing Framework for Utilities) provides: ● collection of web, network, and hardware exploitation tools targeted for utility security teams/security firms. Metasploit provides: ● several exploitation modules as well ● in the nice popular metasploit framework SCADA Vulnerability and Exploit-PoC Repository: http://scadahacker.com/vulndb/ics-vuln-ref-list.html how often do these things even get attacked anyways??? ICS CERT: Surge In Brute-Force Attacks Against Energy Industry (06/2013) http://www.darkreading.com/attacks-breaches/ics-cert-surge-in-brute-force-attacks-ag/240157599 Addressing Cyber Threats to Oil and Gas Suppliers (June 2013) http://www.cfr.org/cybersecurity/addressing-cyber-threats-oil-gas-suppliers/p30977 ● increasing threats, ranging from cyber espionage by foreign intelligence, to attempts to disrupt operations Congressional Report: “Electric Grid Vulnerability: Industry Responses Reveal Security Gaps” (May) http://www.scor.com/en/sgrc/pac/cyber-risks/item/2573.html?lout=sgrc ● Bleak outlook. Cyber threats against CPS are far likelier and riskier than high-altitude EMP detonations From 2014-2015: ● BlackEnergy APT campaign ● SandWorm APT campaign o also used blackenergy malware ● Dragonfly APT campaign o aka Energetic Bear / Crouching Yeti targets IEC 60870 ● …. Each of these has been going on for years and were only discovered in 2014 CISCO CIAG’s SCADA HONEYPOT (2004) DIGITAL BOND’s SCADA Honeynet Project (2010) CONPOT - The Honeynet Project’s ICS Honeypot TREND MICRO’s closedsource honeypot project ROS Honeypot ● We’re good OK at tracking the attacks against cyber… ● What about how cyber attacks against one end of a CPS can affect directly/indirectly other parts of the physical system. upstream downstream The ROS honeypot is the 1st true cyber-physical honeypot ● ● DEFCON 20 experiment providing a high-interaction vulnerable HMI that interfaces with actual robotic hardware running ROS. ● o Thus, is able to capture cyber attacks against the underlying physical system But this solution would not scale for large CPS… ● Too expensive ● Too complicated ● High maintenance Novel features: ● symbolic simulation/analysis of physical part ● emulation of everything else (SCADA / ICS protocols) Provides realistic stimuli to HMI = believable target Allows capture of post-exploitation behavior Organize and highlight attack data in a “cyber-physicalanomaly-centric manner” Why “Symbolic”??? ● The anomaly detection engine analyzes each parameter as a set of symbols. o doesn’t care about the data types voltage, current, temperature, load, status, ... The Interaction Layer The Honeynet Layer eth0 Internet Exposed Interface vmnet0 (virtual bridge to eth0) Infrastructure Modeling Layer vmnet1 host-only mode Simulated cyber-physical systems SCADA HMI Exposed Honeynet HONEYNET FRAMEWORK Honeynet and SCADA HMI Logging The Logging Layer Anomaly Detection vmnet2 Isolated host-only Design Principles: ● All components are modular ● HMI interaction is coupled with the simulated physical model o multiple HMI’s all reflect one overall physical model ● Layers are strictly partitioned Designed to: ● facilitate greater interactivity than existing cyberphysical honeypots, o to entice more sophisticated threat actors ● be easier to expand upon ● present data in a higher order representation. o physics anomalies presented with corresponding network traffic Symbolic data flow model which simulates the physical parts of a cyber-physical system, ● ● Provides realistic stimuli to HMI = believable target Based on Kahn Process Network (KPN) o Many engineering models based on KPN model IML’s data flow model defines a process by a set of signals, actors, and firing rules. References http://www.cs.fsu.edu/~burmeste/pubs.html