Security and Protection of SCADA: A Bigdata Algorithmic Approach
R K Shyamasundar
Tata Institute of Fundamental Research, Mumbai, India
ACM SIN 2013, Aksaray, Turkey, Plenary Invited Talk

Agenda
• SCADA Overview
  – Attacks, Characteristics
• Learning from STUXNET
• Challenges of SCADA Security
• Existing Approaches
• Big Data Approach
  – Algorithmic Methodology
  – Scalability
• Conclusions

SCADA (Supervisory Control And Data Acquisition): Risks
• Control Systems
  – Now at a higher risk of computer attacks because their vulnerabilities are increasingly becoming exposed and available to an ever-growing set of motivated and highly-skilled attackers
• Miscreants tailor their attacks with the aim of damaging the physical systems under control
• Essentially a Cyberwar

Some SCADA Attacks
• March 1997: Worcester Air Traffic Communications Attack
• January 2000: Maroochy Shire Sewage Spill
• 2000 and 1982: Gas Pipelines in Russia (and the former Soviet Union)
Leading to Cyber Wars

Cyber War
• Cyberwarfare has been defined by government security expert Richard A. Clarke, in his book Cyber War (May 2010), as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption"
• All "big" nations are currently preparing for Cyber War
  – Cyber Defense Centers established in all these nations within their military structure & NATO
  – Cyber Defense Centre of Excellence in Estonia
  – Cyber Defense part of new NATO Strategy (Article 5 excluded)
  – Military and government networks are currently being hardened against attacks
  – All nations and, to an unbelievably large scale, China are training offensive cyberwar personnel and are preparing for offensive and defensive cyberwar
• Information Superiority: the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same (US Army Vision 2010)

Some Cyber Wars
• Titan Rain was the U.S. government's designation given to a series of coordinated attacks on American computer systems since 2003
• Estonia 2007: Cyberattacks on Estonia refers to a series of cyber attacks that began April 27, 2007 and swamped websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters
• Israel attack on Syria: During the night, an Israeli transport helicopter entered Syrian airspace and dropped a team of Shaldag Unit commandos into the area. The commandos took up positions close to the nuclear site. Israeli Air Force F-15I Ra'am fighter jets armed with laser-guided bombs, escorted by F-16I Sufa fighter jets and an ELINT aircraft, took off from Hatzerim Airbase. The ELINT aircraft successfully obscured the attacking aircraft from detection by Syrian radars.
Cyber Terrorism vs Cyber Crime vs Cyberwar

STUXNET
• Stuxnet is a Windows computer worm discovered in July 2010 that targets industrial software and equipment
• It is the first discovered malware that spies on and subverts industrial systems
• Kaspersky Labs concluded that the sophisticated attack could only have been conducted "with nation-state support"
• Stuxnet attacked Windows systems using an unprecedented four zero-day attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker worm)

Stuxnet
• Astonished by the complexity of the program and the quantity of zero-day exploits used in this worm.
  – Zero-day exploits are those that have no workaround or patch.
• Another unique aspect of Stuxnet is that it contained components that were digitally signed with stolen certificates.
• A rootkit was found for the programmable logic controller (PLC) which allows the manipulation of sensitive equipment.
• Expected to have been created by a team of as many as 30 individuals. – STATE SUPPORT
• Indicates a level of organization and funding that probably has not been seen before
• What was Stuxnet designed to do?
  – While there is no direct evidence, the code suggests that Stuxnet looks for a setup that is used in processing facilities that handle uranium used in nuclear devices
  – Thus the ultimate goal is to sabotage that facility by reprogramming to controllers to operate

What should be the strategy to deal with these kinds of attacks?
• Should it go along the lines of IT security?
• How about Defense-in-depth mechanisms analogous to anomaly detection?
• What about false alarms in anomaly detection?
• Should the focus be on Physical systems rather than software/network models?

Control Systems Security
• Control systems are not suitable for patching and frequent updates
• While current tools from Information security can give necessary mechanisms for securing control systems, these alone are not sufficient for defense-in-depth of control systems
• When attackers bypass even basic defenses they may succeed in damaging the physical world

Security Issues (1): IT Systems vs Control Systems (SCADA)
• Antivirus and Mobile Code
  – IT Systems: Very common; deployed and updated easily
  – SCADA: By design not open for software updates.
• Patch Management
  – IT Systems: Automated remote patch management possible. However, one needs care from malware perspective
  – SCADA: Not designed for it. May impact performance and also security
• Cyber Security Testing & Audit Methods
  – IT Systems: Standard methods like Metasploit framework can be used
  – SCADA: Testing has to be tuned for an online system. May impact plant operation.
• Change Management (CM)
  – IT Systems: Classical approach feasible
  – SCADA: Strategic scheduling; non-trivial process, Impact Analysis is important

Security Issues (2): IT Systems vs Control Systems (SCADA)
• Incident Response & Forensics
  – IT Systems: Well established procedure
  – SCADA: Difficult to capture, as event logs pose problems due to constraints like memory etc.
• Physical Security
  – IT Systems: Normally poor
  – SCADA: Normally excellent
• Secure System Development
  – IT Systems: Normal practice for security sensitive IT applications
  – SCADA: Need of the hour for in-house and outsourced development
• Security Compliance
  – IT Systems: Lifetime 2-3 years
  – SCADA: Lifetime 5-20 years

Consequences of an Attack
• Risk Assessment
  – While studies exist on cyber security of SCADA, there are very few studies to identify attack strategy of an adversary once it gains access (existing studies pertain to data injection for power grids, electricity markets etc.)
  – Need to understand threat model to design appropriate defenses and take measures to secure the most critical sensors and actuators

New Attack Detection Patterns
• Dynamic system models for specifying Intrusion Detection Systems
  – Current studies pertain to false data injection attacks in control systems
• Replay and Stealth Attacks

Attack Resilient Algorithms and Architectures
• Design to withstand cyber assault
• Reconfigure and adapt control systems when under attack

Control Systems Security: Summary
• Understand the consequences of attacks
  – Do a thorough risk analysis
• Find Attack patterns
  – Design detections
• Design new attack-resilient algorithms and architectures
• Automatic response measures
Multi Disciplinary: Control Engineers + CS + Domain of Application …

Risk Management
• Process of shifting the odds in your favor by finding, among all possible alternatives, the one that minimizes the impact of uncertain events
• Process Control Systems usually will have a network of sensors
  – Examples of impact of attack on sensor network on the process control system

Vulnerabilities Due to Embedded IT Systems
• Need to keep in mind the economic constraints on the cost of SCADA (for instance, in smart grids it is important to keep the cost of the meters viable for the society).
• The knowledge of the underlying systems is almost freely available.
• As analyzing Big data has become manageable, privacy intrusions have become common, which in turn has led to several security problems.

SCADA Domain Vulnerabilities
• SCADA Design:
  – stability, safety of plant & env., + performance
  – Not designed for intruders/attackers
  – In the context of Internet, intruders can induce attacks that would not have been considered by the designer
  – Thus, the major challenge for SCADA security lies in arriving at methods of control of the plant that shall overcome such plausible attacks and maintain the stability and the trustworthiness of the system – thus, making the system robust.

Approaches for securing SCADA
Intrusion Detection
• Misuse detection
  – Based on signatures of known attacks
• Anomaly detection
  – Based on learning profiles of normal behaviour
• Could detect unknown attacks but suffers from high false alarm rates
• Specification-based Detection
  – Manually developing specification of legitimate behaviour and hence has lower false alarm rates
  – But ability to detect new attacks is also less.

Process Aware Intrusion
Mirage Theory for Deception-Based Detection
• Military Deception (MILDEC): those actions executed to deliberately mislead adversary decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions or inactions that will contribute to the accomplishment of the friendly mission.
• Relies on DISPLAYs: simulation, disguising, and/or portrayal of friendly objects, units, or capabilities that may not exist but are made to appear so.
• E.g. (physical means): dummy and decoy equipment and devices, tactical actions, movement of military forces, etc.
• E.g. (technical means): emission of chemical or biological odors, emission of radiation, reflection of energy, computers, etc.
• E.g. (administrative means): techniques to convey or deny physical evidence.

Mirage Theory Applications: Ideas
• Basis: leverage of the boundary between continuous and discrete spaces, leverage of how the presence of a continuous space is redirected on a corresponding discrete space, and simulation or emulation of physical processes and physical equipment.
• A computer network attack provides an adversary with access that may extend to a whole discrete space.
• Nevertheless, due to physical limits there are no feasible ways for an adversary to gain visibility over a continuous space through a computer network attack.
• In other words, a computer network attack won't enable an adversary to virtually move beyond the analog-to-digital and digital-to-analog conversion integrated circuits.
• Consequently an adversary cannot verify whether input electrical signals are indeed applied by existing sensing devices, nor can he/she verify whether output electrical signals indeed reach an existing actuating device.

Securing SCADA
• Make the system secure with respect to IT. This could be done through the classical hardening approaches developed for IT security along with appropriate authentication and encryption as required.
• Ensure that the system also works in the safe zone as projected by the control system/plant designers.

Monitoring Control Systems
• Most of the approaches may be classified under:
  – Developing models from first principles using the laws of physics,
  – Empirical behavior using simulation tools, and
  – A hybrid of the above
• While safety critical systems demand accurate models, it is not always feasible due to the underlying complexity and economics.
• Usually, the behavioural model is constructed in the industry using several tools like identification packages that enable the development of physical systems using training data.

Fault Detection and Diagnosis
Problems
• Generation of residuals that are close to zero under no-fault condition, minimally sensitive to noises and disturbances, and maximally sensitive to faults
• Evaluation of residuals corresponds to decision rules with respect to the handling of residuals.
Deriving Statistics in Data
• Assess level of significance of discrepancies with respect to uncertainties & reflect as to whether the parameter perturbation is significant or not.
• Parameter estimation provides us with relative sizes of estimation errors with respect to noises on the system measurements.

Solving Detection Problems
• Model validation: Given a reference point of the parameter and a new data sample, the problem is to decide whether the new data are still well described by this parameter value or not; this could be done by a sliding window of fixed size.
• On-line Change detection: Given a data sample and an instant t, the problem is to decide whether the parameter has deviated from the given reference point and if so classify into the required categories.
• Off-line Change detection: Given a data sample consisting of N samples, the problem is to decide whether at some instant, t, the given parameter has drifted to some other value that needs attention.

Some Tools Used
• Instance Control Charts: Control charts essentially present a graphic display of process stability or instability over time.
• A control chart is a statistical tool: to distinguish between variation in a process resulting from common causes & variation due to special causes.
• The control chart differentiates between two types of variation:
  – Special Cause Variation: variations due to causes which are not normally present
  – Common Cause Variation: are the result of numerous ever-present differences in the process.

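Added example in Python (not code from the talk): a 3-sigma control chart applied to a constructed sensor stream carrying a slow additive bias, next to a one-sided CUSUM, an on-line change-detection technique the slides do not name and which is swapped in here for comparison. The baseline pattern, bias step, allowance and decision threshold are all assumptions.

```python
import statistics

# Constructed common-cause variation around a set point of 100.
PATTERN = [100, 101, 99, 100, 102, 98, 100, 101, 99, 100]

def control_limits(baseline, width=3.0):
    """Mean, sigma and the lower/upper control limits of a Shewhart chart."""
    mu = statistics.fmean(baseline)
    sigma = statistics.pstdev(baseline)
    return mu, sigma, mu - width * sigma, mu + width * sigma

def shewhart_alarm(stream, lo, hi):
    """Index of the first sample outside the control limits, or None."""
    for k, z in enumerate(stream):
        if z < lo or z > hi:
            return k
    return None

def cusum_alarm(stream, mu, sigma, allowance=0.5, decision=4.0):
    """One-sided CUSUM for upward shifts; index of first alarm, or None."""
    s = 0.0
    for k, z in enumerate(stream):
        # Accumulate only the part of the deviation above the allowance.
        s = max(0.0, s + (z - mu) - allowance * sigma)
        if s > decision * sigma:
            return k
    return None

def biased_stream(n, start, step):
    """Constructed readings: a bias growing by `step` per sample from `start`."""
    return [PATTERN[k % 10] + (step * (k - start + 1) if k >= start else 0.0)
            for k in range(n)]

MU, SIGMA, LO, HI = control_limits(PATTERN * 2)
CLEAN = [float(v) for v in PATTERN * 3]
ATTACKED = biased_stream(30, start=10, step=0.2)

if __name__ == "__main__":
    print("limits:", round(LO, 2), round(HI, 2))
    print("clean stream:", shewhart_alarm(CLEAN, LO, HI),
          cusum_alarm(CLEAN, MU, SIGMA))
    print("biased stream, control chart alarm at:",
          shewhart_alarm(ATTACKED, LO, HI))
    print("biased stream, CUSUM alarm at:",
          cusum_alarm(ATTACKED, MU, SIGMA))
```

The per-sample chart stays silent until the bias alone pushes a reading past the limit, while the cumulative statistic reacts to the sustained shift a few samples earlier.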
Monitoring and Protecting SCADA
a. Malware attacks of the computing elements
  – to be handled primarily from the IT defense perspective.
b. New possible attacks on the plant arising from the malware attack on its control system.
  – Is it possible to handle so that SCADA will always be in the SAFETY Zone and also be indicative of a possible attack
Figure: Plant, Network of sensors, Dist Control

Challenge: New Scenario of Attacks
• Sensor Measurement: $Y(k) = \{y_1(k), \ldots, y_p(k)\}$,
  – $y_i(k)$ denotes measures by sensor $i$ at time $k$.
  – $\forall k,\ y_i(k) \in [y_{min}, y_{max}]$ in the DOM(Y)
• Each sensor has a unique Crypto identity key
• $Z_i(k)$'s: signals received by process controller (value in domain, else gets detected).
  – $Z_i(k) = a_i(k)$ if in attack slot, $= y_i(k)$ otherwise
• Integrity Check: If attackers have compromised a sensor they can inject any value $a_i(k)$ – an arbitrary value in the domain
• Replay and Stealth Attacks
• DOS Attack
  – Notices lack of measurements
  – A solution is to use the last value

SCADA Design : Change Detection Basis for Safety
• Hypothesis:
  – We have the statistics of its good performance recorded over time to classify as normal operation and possible abnormal behavior.
  – Note that it must be kept in mind that the control system is a continuous system rather than a discrete one.
• Under abnormal operations, assume
  – plant will be operated under safe parameters
  – declaring it as an alarming zone for further action.
• In other words, in the data of the d-dimensional space, with respect to a reference point of operation,
  – we have a set of vectors that reflects possible variations that would still keep the system in a stable/safe state; falling outside would mean possible unsafe operation

Question
• Assuming we have captured the behaviour of the system, is it possible to design a control system such that:
• It follows the control law design and
• Detect Black Swan events – large impact, hard to predict, rare events – difficult to predict lying beyond the realm of normal expectations, and
• Guarantees that it will always operate in a safe domain, sounding alarm whenever it finds the behaviour is not as expected around the reference anchor points

Challenge and Solution
• Lies in providing a scalable solution
• Solution Basis:
  – Reducing the problem to problem of monitoring a distributed set of streams through queries

What is the intuition?
Anomaly Detecting Controller
Safety of the System
• U(t): plant input at t; X'(t): output of plant; X(t): denotes the same measured through the sensors at time t.
• Now, the input U(t+1) at time t+1 is determined by the controller, which finds whether there is an anomaly at this point using the possible perturbations, assuming a stable operation at time t with input U(t), through the Change-Detect-Estimator (CDE).
• If $\{Y_1, \ldots, Y_m\}$ is the set of vectors taking into account the possible perturbations corresponding to input U(t), output X'(t) as detected by the sensors.
  – Note that $Y_1, \ldots, Y_m$ essentially denote possible perturbations with respect to input and output of the plant as reflected in its behaviour.
• Then X(t) will be said to be safe if X(t) is in the convex hull of $\{Y_1, \ldots, Y_m\}$.

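The safety test above, as an added example in Python (not code from the talk): it builds the convex hull of constructed perturbation vectors in two dimensions and reports the first reading of a slowly biased stream that leaves it. The 2-D restriction, the vector values and the function names are assumptions made for illustration.

```python
# Added example: "X(t) is safe iff it lies in the convex hull of
# {Y_1..Y_m}", in two dimensions. All data below is constructed.

def cross(o, a, b):
    """Cross product of (a - o) and (b - o); positive for a left turn."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def convex_hull(points):
    """Andrew's monotone chain: hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts

    def chain(seq):
        out = []
        for p in seq:
            # Drop points that would make a right turn or lie on the edge.
            while len(out) >= 2 and cross(out[-2], out[-1], p) <= 0:
                out.pop()
            out.append(p)
        return out[:-1]  # the last point starts the other chain

    return chain(pts) + chain(reversed(pts))

def is_safe(x, hull):
    """True if x is inside or on the boundary of the counter-clockwise hull."""
    n = len(hull)
    if n < 3:
        return False  # degenerate safe zone: treat every reading as unsafe
    return all(cross(hull[i], hull[(i + 1) % n], x) >= 0 for i in range(n))

def first_alarm(readings, hull):
    """Index of the first reading outside the safe zone, or None."""
    for k, x in enumerate(readings):
        if not is_safe(x, hull):
            return k
    return None

# Constructed perturbation vectors Y_1..Y_m around the operating point
# (flow, pressure) = (500, 100), as integer tenths of a unit so that the
# arithmetic is exact.
Y = [(475, 100), (480, 95), (520, 94), (530, 102),
     (510, 108), (485, 106), (500, 100)]
HULL = convex_hull(Y)

# Constructed sensor stream: flow creeps up by 5 per step (a slow bias).
STREAM = [(500 + 5 * k, 100) for k in range(8)]

if __name__ == "__main__":
    print("hull vertices:", HULL)
    print("first alarm at step:", first_alarm(STREAM, HULL))
```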
Question
• Can we compute convex hull in a scalable manner?
• Yes
• Izchak Sharfman and Assaf Schuster, A Geometric Approach to Monitoring Threshold Functions over Distributed Streams, ACM TODS, Vol 32, Nov. 2007, pp. 23:1-23:29.

Geometric Method
Cover of Convex Hull
Monochromatic Region
• Monochromatic Region: For all x in region, f(x) is on the same side of the threshold (f(x) > τ or f(x) ≤ τ)
• Each site independently checks its sphere is monochromatic
  – Find max and min for f() in local sphere region (may be costly)
• Send updated value of v_i if not monochrome

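Added example in Python (not code from the talk or the cited paper): the per-site monochromatic check for one concrete f, the Euclidean distance from a reference operating point, for which the max and min over a sphere have a closed form. The estimate vector e, the drift vectors u_i, the sphere with diameter from e to u_i, the threshold and the site data are assumptions; the e and u_i notation follows the geometric-monitoring literature rather than the slides.

```python
import math

def f_range_on_ball(center, radius, ref):
    """Exact (min, max) of f(x) = ||x - ref|| over the ball."""
    d = math.dist(center, ref)
    return max(0.0, d - radius), d + radius

def is_monochromatic(center, radius, ref, tau):
    """True if f stays on one side of tau everywhere in the ball."""
    lo, hi = f_range_on_ball(center, radius, ref)
    return hi <= tau or lo > tau

def sites_to_report(last_sent, current, ref, tau):
    """Return (estimate vector e, indices of sites that must send v_i)."""
    n, dim = len(last_sent), len(ref)
    # e: average of the vectors the coordinator already knows.
    e = [sum(v[j] for v in last_sent) / n for j in range(dim)]
    violators = []
    for i, (old, new) in enumerate(zip(last_sent, current)):
        # u_i: the estimate shifted by this site's local change.
        u = [e[j] + (new[j] - old[j]) for j in range(dim)]
        # Sphere whose diameter is the segment from e to u_i.
        center = [(a + b) / 2 for a, b in zip(e, u)]
        radius = math.dist(e, u) / 2
        if not is_monochromatic(center, radius, ref, tau):
            violators.append(i)
    return e, violators

def global_value(current, ref):
    """f at the true average of the current local vectors."""
    n, dim = len(current), len(ref)
    avg = [sum(v[j] for v in current) / n for j in range(dim)]
    return math.dist(avg, ref)

# Constructed data: three sensor sites, vectors are (flow, pressure).
REF = (50.0, 10.0)   # reference operating point (assumed)
TAU = 5.0            # alarm threshold on distance from REF (assumed)
LAST_SENT = [(50.0, 10.0), (51.0, 9.0), (49.0, 11.0)]
CURRENT = [(51.0, 10.0), (52.0, 10.0), (57.0, 11.0)]

if __name__ == "__main__":
    e, violators = sites_to_report(LAST_SENT, CURRENT, REF, TAU)
    print("estimate:", e, "sites that must report:", violators)
    print("true f at global average:", round(global_value(CURRENT, REF), 2))
```

Site 2 has to report although f at the true global average is still below τ: the local test is conservative, which is the price of exchanging no messages while every sphere stays monochromatic.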
Restoring monotonicity
Overcoming Replay Attack
• Replay attack:
  – Attacker records a sequence of sensor measurements and replays the same at a later point of time, which could cause havoc to the system later on.
  – Also one of the attacks used by Stuxnet.
• Suppose the attack is at T corresponding to values read at t, T > t
• It will be allowed only if the reference vector at T is within the known limits of that at t.
• Hence safe

Overcoming Stealth Attacks
Safe
• Surge attack: here, the attacker wants to maximize the damage as soon as possible.
• Bias attack: in this case, the attacker wants to attack over a period of time through incremental perturbations.
• Geometric attack: here the adversary wants to drift slowly in the beginning and finally maximize the damage.
• False positives -- Could be minimized based on sampling

Conclusions
• Extremely useful in Detecting Black Swan Events
• Scalable and overcomes false positives
• Inductive Learning / Machine Learning

Conclusions
• Tunable for generalizations like
  – Same analysis of correctness holds when spheres are allowed to be ellipsoids
  – Different reference vectors → to increase radius when close to threshold values
  – Combining these observations allows additional cost savings
  – More general theory of "Safe Zones" -- Convex subsets of the admissible region

Conclusions
• Approach in conjunction with IT security provides a safe operation.
• As most SCADA vendors do not divulge details, the approach is promising.
• Applicable for varieties of SCADA deployments including power grids, smart grids etc. (note that the data is quite often very sensitive)
• Experimental work in progress.

The Distinguished Speakers Program is made possible by
For additional information, please visit http://dsp.acm.org/

About ACM
ACM, the Association for Computing Machinery, is the world's largest educational and scientific computing society, uniting educators, researchers and professionals to inspire dialogue, share resources and address the field's challenges.
ACM strengthens the computing profession's collective voice through strong leadership, promotion of the highest standards, and recognition of technical excellence.
ACM supports the professional growth of its members by providing opportunities for life-long learning, career development, and professional networking.
With over 100,000 members from over 100 countries, ACM works to advance computing as a science and a profession. www.acm.org