security and protection of scada: a bigdata …...security and protection of scada: a bigdata...

Security and Protection of SCADA: A Bigdata Algorithmic

Approach RKShyamasundar

TataInstituteofFundamentalResearchMumbai,India

[email protected]

ACMSIN2013,Aksaray,Turkey,PlenaryInvitedTalk

Agenda •  Scada-Overview– Attacks,Characteristics

•  LearningfromSTUXNET•  ChallengesofSCADASecurity•  ExistingApproaches•  BigDataApproach– AlgorithmicMethodology–  Scalability

•  Conclusions


Scada(SupervisoryControlAndDataAcquisition):Risks

•  ControlSystems – Nowatahigherriskstocomputerattacksbecausetheirvulnerabilitiesareincreasinglybecomingexposedandavailabletoanever-growingsetofmotivatedandhighly-skilledattacker

•  Miscreantstailortheirattackswiththeaimofdamagingthephysicalsystemsundercontrol

•  EssentiallyaCyberwar


SomeSCADAAttacks

•  March1997:WorcesterAirTrafficCommunicationsAttack

•  January2000:MaroochyShireSewageSpill•  2000and1982:GasPipelinesinRussia(andtheformerSovietUnion)

LeadingtoCyberWarsACMSIN2013,Aksaray,Turkey,Plenary

InvitedTalk

CyberWar•  CyberwarfarehasbeendefinedbygovernmentsecurityexpertRichardA.

Clarke,inhisbookCyberWar(May2010),as"actionsbyanation-statetopenetrateanothernation'scomputersornetworksforthepurposesofcausingdamageordisruption

•  All“big”nationsarecurrentlypreparingforCyberWar–  CyberDefenseCentersestablishedinallthesenationswithintheirmilitary

structure&NATO–  CyberDefenseCentreofExcellenceinEstonia–  CyberDefensepartofnewNATOStrategy(Article5excluded)–  Militaryandgovernmentnetworksarecurrentlybeinghardenedagainst

attacks–  Allnationsand,toandunbelievablelargescale,Chinaaretrainingoffensive

cyberwarpersonnelandarepreparingforoffensiveandefensivecyberwar•  InformationSuperiority:thecapabilitytocollect,process,and

disseminateanuninterruptedflowofinformationwhileexploitingordenyinganadversary'sabilitytodothesame(USArmyVision2010)


SomeCyberWars•  TitanRainwastheU.S.government'sdesignationgiventoaseriesof

coordinatedattacksonAmericancomputersystemssince2003•  Estonia2007CyberattacksonEstoniareferstoaseriesofcyberattacks

thatbeganApril27,2007andswampedwebsitesofEstonianorganizations,includingEstonianparliament,banks,ministries,newspapersandbroadcasters

•  IsraelattackonSyriaDuringthenight,anIsraelitransporthelicopterenteredSyrianairspaceanddroppedateamofShaldagUnitcommandosintothearea.Thecommandostookuppositionsclosetothenuclearsite.IsraeliAirForceF-15IRa'amfighterjetsarmedwithlaser-guidedbombs,escortedbyF-16ISufafighterjetsandanELINTaircraft,tookofffromHatzerimAirbase.TheELINTaircraftsuccessfullyobscuredtheattackingaircraftfromdetectionbySyrianradars.

CyberTerrorismvsCyberCrimevsCyberwar


STUXNET•  StuxnetisaWindowscomputerwormdiscoveredinJuly2010thattargetsindustrialsoftwareandequipment

•  itisthefirstdiscoveredmalwarethatspiesonandsubvertsindustrialsystems

•  KasperskyLabsconcludedthatthesophisticatedattackcouldonlyhavebeenconducted"withnation-statesupport”

•  StuxnetattackedWindowssystemsusinganunprecedentedfourzero-dayattacks(plustheCPLINKvulnerabilityandavulnerabilityusedbytheConfickerworm)


Stuxnet•  Astonishedbythecomplexityof

theprogramandthequantityofzerodayexploitsusedinthisworm.–  Zerodayexploitsarethose

thathavenoworkaroundorpatch.

•  AnotheruniqueaspectofStuxnetisthatitcontainedcomponentsthatweredigitallysignedwithstolencertificates.

•  arootkitwasfoundfortheprogrammablelogiccontroller(PLC)whichallowsthemanipulationofsensitiveequipment.

•  Expectedtohavebeencreatedbyateamofasmanyas30individuals.–STATESUPPORT

•  indicatesaleveloforganizationandfundingthatprobablyhasnotbeenseenbefore

•  WhatwasStuxnetdesignedtodo?–  Whilethereisnodirectevidence,

thecodesuggeststhatStuxnetlooksforasetupthatisusedinprocessingfacilitiesthathandleuraniumusedinnucleardevices

–  Thustheultimategoalistosabotagethatfacilitybyreprogrammingtocontrollerstooperate


Whatshouldbethestrategytodealwiththesekindsofattacks?

•  ShoulditgoalongthelinesofITsecurity?•  HowaboutDefense-in-depthmechanismsanalogoustoanomalydetection?

•  Whataboutfalse-alarmsinanomalydetection?

•  ShouldthefocusbeonPhysicalsystemsratherthansoftware/networkmodels?


ControlSystemsSecurity

•  Controlsystemsarenotsuitableforpatchingandfrequentupdates

•  WhilecurrenttoolsfromInformationsecuritycangivenecessarymechanismsforsecuringcontrolsystems,thesealonearenotsufficientfordefense-in-depthofcontrolsystems

•  Whenattackersbypassevenbasicdefensestheymaysucceedindamagingthephysicalworld


SecurityFeature ITSystems SCADA

Antivirus and Mobile Code

Very common; deployed and updated easily

By Design not open for software updates.

Patch Management Automated remote patch management possible. However, one needs care from malware perspective

Not designed for it. May impact Performance and also security

Cyber Security Testing & Audit Methods

Standard methods like Metasploit framework can be used

Testing has to be tuned for an online system. May impact plant operation.

Change Management (CM)

Classicalapproachfeasible Strategic scheduling; non trivial process, Impact Analysis is important

Security Issues(1) IT Systems Vs Control Systems (SCADA)


SecurityFeature ITSystems SCADA

IncidenceResponse&Forensics

Wellestablishedprocedure

Difficulttocaptureaseventlogsposeproblemsduetoconstraintslikememoryetc.

PhysicalSecurity Normallypoor Normallyexcellent

Secure System Development

Normal Practice for security sensitive IT applications

Need of the hour for in-house and outsourced development

Security Compliance

Lifetime 2-3 years Lifetime5-20years

Security Issues(2) IT Systems Vs Control Systems (SCADA)


ConsequencesofanAttack

RiskAssessment– WhilestudiesexistoncybersecurityofSCADAthereareveryfewstudiestoidentifyattackstrategyofanadversaryonceitgainsaccess(existingstudiespertaintodatainjectionforpowergrids,electricitymarketsetc.)

– Needtounderstandthreatmodeltodesignappropriatedefensesandtakemeasurestosecurethemostcriticalsensorsandactuators


NewAttackdetectionPatterns

•  DynamicsystemmodelsforspecifyingIntrusiondetectionSystems– Currentstudiespertainfalsedatainjectionattacksincontrolsystems


NewAttackdetectionPatterns

•  DynamicsystemmodelsforspecifyingIntrusiondetectionSystems– Currentstudiespertainfalsedatainjectionattacksincontrolsystems

•  ReplayandStealthAttacks


AttackResilientAlgorithmsandArchitectures

•  Designtowithstandcyberassault

•  Reconfigureandadaptcontrolsystemswhenunderattack


ControlSystemsSecurity:Summary

•  Understandtheconsequencesofattacks– Doathoroughriskanalysis

•  FindAttackpatterns– Designdetections

•  Designnewattack-resilientalgorithmsandarchitectures

•  AutomaticresponsemeasuresMultiDisciplinary:ControlEngineers+CS+DomainofApplication…

ACMSIN2013,Aksaray,Turkey,Plenary

InvitedTalk

RiskManagement

•  Processofshiftingtheoddsinyourfavorbyfindingamongallpossiblealternatives,theonethatminimizestheimpactofuncertainevents

•  ProcessControlSystemsusuallywillhaveanetworkofsensors– Examplesofimpactofattackonsensornetworkontheprocesscontrolsystem


Vulnerabilities Due to Embedded IT Systems

•  NeedtokeepinmindtheeconomicconstraintsonthecostofSCADA(forinstance,insmartgridsitisimportantkeepthecostofthemetersviableforthesociety).

•  Theknowledgeoftheunderlyingsystemsisalmostfreelyavailable.

•  AsanalyzingBigdatahasbecomemanageableprivacyintrusionshavebecomecommonwhichinturnhasledtoseveralsecurityproblems.


SCADA Domain Vulnerabilities •  SCADADesign:–  stability,safetyofplant&env.,+performance– Notdesignedforintruders/attackers–  InthecontextofInternetintruderscaninduceattacksthatwouldnothavebeenconsideredbythedesigner

–  Thus,themajorchallengeforSCADAsecurityliesinarrivingatmethodsofcontroloftheplantthatshallovercomesuchplausibleattacksandmaintainthestabilityandthetrustworthinessofthesystem–thus,makingthesystemrobust.

ACMSIN2013,Aksaray,Turkey,Plenary

InvitedTalk

Approaches for securing SCADA


IntrusionDetection

•  Misusedetection–  Basedonsignaturesofknownattacks

•  Anomalydetection–  Basedonlearningprofilesofnormalbehaviour

•  Coulddetectunknownattacksbutsuffersfromhighfalsealarmrates

•  Specification-basedDetection– Manuallydevelopingspecificationoflegitimatebehaviourandhencehaslessfalsealarmrates

–  Butabilitytodetectnewattacksisalsoless.


ProcessAwareIntrusion


MirageTheoryforDeception-BasedDetection

•  MilitaryDeception(MILDEC):thoseactionsexecutedtodeliberatelymisleadadversarydecisionmakersastofriendlymilitarycapabilities,intentions,andoperations,therebycausingtheadversarytotakespecificactionsorinactionsthatwillcontributetotheaccomplishmentofthefriendlymission.

•  ReliesonDISPLAYs:simulation,disguising,and/orportrayaloffriendlyobjects,units,orcapabilitiesthatmaynotexistbutaremadetoappearso.

•  Eg.(physicalmeans):dummyanddecoyequipmentanddevices,tacticalactions,movementofmilitaryforces,etc.

•  Eg(technicalmeans)includeemissionofchemicalorbiologicalodors,emissionofradiation,reflectionofenergy,computers,etc.,

•  Eg(administrativemeans)techniquestoconveyordenyphysicalevidence.


MirageTheoryApplications:Ideas•  Basis:leverageoftheboundarybetweencontinuousanddiscretespaces,

leverageofhowthepresenceofacontinuousspaceisredirectedonacorrespondingdiscretespace,andsimulationoremulationofphysicalprocessesandphysicalequipment.

•  Acomputernetworkattackprovidesanadversarywithaccessthatmayextendtoawholediscretespace.

•  Nevertheless,duetophysicallimitstherearenofeasiblewaysforanadversarytogainvisibilityoveracontinuousspacethroughacomputernetworkattack.

•  Inotherwords,acomputernetworkattackwon'tenableanadversarytovirtuallymovebeyondtheanalog-to-digitalanddigital-to-analogconversionintegratedcircuits.

•  Consequentlyanadversarycannotverifywhetherinputelectricalsignalsareindeedappliedbyexistingsensingdevices,norcanhe/sheverifywhetheroutputelectricalsignalsindeedreachanexistingactuatingdevice.


Securing SCADA

•  MakethesystemsecurewithrespecttoIT.ThiscouldbedonethroughtheclassicalhardeningapproachesdevelopedforITsecurityalongwithappropriateauthenticationandencryptionasrequired.

•  Ensurethatthesystemalsoworksinthesafezoneasprojectedbythecontrolsystem/plantdesigners.


Monitoring Control Systems •  Mostoftheapproachesmaybeclassifiedunder:–  Developingmodelsfromfirstprinciplesusingthelawsofphysics,

–  Empiricalbehaviorusingsimulationtools,and–  Ahybridoftheabove

•  Whilesafetycriticalsystemsdemandaccuratemodels,itisnotalwaysfeasibleduetotheunderlyingcomplexityandeconomics.

•  Usually,thebehaviouralmodelisconstructedintheindustryusingseveraltoolslikeidentificationpackagesthatenablethedevelopmentofphysicalsystemsusingtrainingdata.


Fault Detection and Diagnosis

Problems•  Generationofresidualsthat

areclosetozerounderno-faultcondition,minimallysensitivetonoisesanddisturbances,andmaximallysensitivetofaults

•  Evaluationofresidualscorrespondstodecisionruleswithrespecttothehandlingofresiduals.

DerivingStatisticsinData•  Assesslevelofsignificance

ofdiscrepancieswithrespecttouncertainties&reflectastowhethertheparameterperturbationissignificantornot.

•  Parameterestimationprovidesuswithrelativesizesofestimationerrorswithrespecttonoisesonthesystemmeasurements.


Solving Detection Problems •  Modelvalidation:Givenareferencepointoftheparameter

andanewdatasample,theproblemistodecidewhetherthenewdataarestillwelldescribedbythisparametervalueornotandcouldbedonebyaslidingwindowoffixedsize.

•  On-lineChangedetection:Givenadatasampleandaninstantt,theproblemistodecidewhethertheparameterhasdeviatedfromthegivenreferencepointandifsoclassifyintotherequiredcategories.

•  Off-lineChangedetection:GivenadatasampleconsistingofNsamples,theproblemistodecidewhetheratsomeinstant,t,thegivenparameterhasdriftedtosomeothervaluethatneedsattention.


SomeToolsused•  InstanceControlCharts:Controlchartsessentiallypresentagraphicdisplayofprocessstabilityorinstabilityovertime.

•  Acontrolchartisastatisticaltool:todistinguishbetweenvariationinaprocessresultingfromcommoncauses&variationduetospecialcauses.

•  Thecontrolchartdifferentiatesbetweentwotypesofvariation:–  SpecialCauseVariation:variationsduetocauseswhicharenotnormallypresent

–  CommonCauseVariation:aretheresultofnumerousever-presentdifferencesintheprocess.


Monitoring and Protecting SCADA

a.  Malwareattacksofthecomputingelements–  tobehandledprimarily

fromtheITdefenseperspective.

b.  Newpossibleattacksontheplantarisingfromthemalwareattackonitscontrolsystem.–  IsitpossibletohandlesothatSCADAwillalwaysbeintheSAFETYZoneandalsobeindicativeofapossibleattack

Plant

Networkof

sensors

DistControl


Challenge: New Scenario of Attacks

•  SensorMeasurement:Y(k)={y1(k),...,yp(k)},–  yi(k)denotesmeasuresby

sensoriattimek.–  ∀k,yi(k)∈[ymin,ymax]in

theDOM(Y)•  Eachsensorhasaunique

Cryptoidentitykey•  Zi(k)ssignalsrecd.by

processcontroller(Valindomain–elsegetsdet.).–  Zi(k)=aikifinattackslot

=yikotherwise

•  IntegrityCheck:Ifattackershavecompromisedasensortheycaninjectanyvalueaik–anarbitraryvalueinthedomain•  ReplayandStealthAttacks•  DOSAttack

–  Noticeslackofmeasurements–  Asolutionistousethelast

value


SCADA Design : Change Detection Basis for Safety

•  Hypothesis:–  Wehavethestatisticsofitsgoodperformancerecordedovertimetoclassifyasnormaloperationandpossibleabnormalbehavior.

–  Notethatitmustbekeptinmindthatthecontrolsystemisacontinuoussystemratherthanadiscreteone.

•  Underabnormaloperations,assume–  plantwillbeoperatedundersafeparameters–  declaringitasanalarmingzoneforfurtheraction.

•  Inotherwords,inthedataofthed-dimensionalspace,withrespecttoareferencepointofoperation,–  wehaveasetofvectorsthatreflectspossiblevariationsthatwouldstillkeepthesysteminastable/safestate;fallingoutsidewouldmeanpossibleunsafeoperation


Question

•  Assumingwehavecapturedthebehaviourofthesystem,isitpossibletodesignacontrolsystemsuchthat:

•  Itfollowsthecontrollawdesignand•  DetectBlackSwanevents–largeimpact,hardtopredict,rareevents–difficulttopredictlyingbeyondtherealmofnormalexpectations,and

•  Guaranteesthatitwillalwaysoperateinasafedomain,soundingalarmwheneveritfindsthebehaviourisnotasexpectedaroundthereferenceanchorpoints


Challenge and Solution

•  Liesinprovidingascalablesolution

•  SolutionBasis:– Reducingtheproblemtoproblemofmonitoringadistributedsetofstreamsthroughqueries


What is the intuition?

Series1

Series2Series3

Category1Category2

Category3Category4

0

1

2

3

4

5

Series1

Series2

Series3


AnomalyDetectingController


Safety of the System •  U(t):plantinputatt&X’(t):outputofplant&X(t):denotethe

samemeasuredthroughthesensorsattimet.•  Now,theinputU(t+1)attimet+1,isdeterminedbythe

controllerwhichfindswhetherthereisanomalyatthispointusingthepossibleperturbationsassumingastableoperationattimet,withinputU(t)throughtheChange-Detect-Estimator(CDE).

•  if{Y1,…,Ym}isthesetofvectorstakingintoaccountthepossibleperturbationscorrespondingtoinputU(t),outputX’(t)asdetectedbythesensors.–  NotethatY1,…,Ymessentiallydenotepossibleperturbationswith

respecttoinputandoutputoftheplantasreflectedinits’behaviour.•  ThenX(t)willbesaidtobesafeifX(t)isintheconvexhullof

{Y1,…,Yn}.


Question

•  Canwecomputeconvexhullinascalablemanner?

•  Yes•  IzchakSharmanandAssafSchuster,AGeometricApproachtoMonitoringThresholdFunctionsoverDistributedStreams,ACMTODS,Vol32,Nov.2007,pp.23:1-23:29.


Geometric Method


Cover of Convex Hull


Monochromatic Region

•  Monochromatic Region: For all x in region, f(x)is on the same side of the threshold (f(x) >τ or f(x) ≤τ )

•  Each site independently checks its sphere is monochromatic –  Find max and min for f()in

local sphere region (may be costly)

•  Send updated value of vi if not monochrome


Restoring monotonicity


Overcoming Replay Attack •  Replayattack:–  Attackerrecordsasequenceofsensormeasurementsandreplaysthesameatalaterpointoftimewhichcouldcausehavoctothesystemlateron.

–  AlsooneoftheattacksusedbyStuxnet.

•  SupposetheattackisatTcorrespondingtovaluesreadatt,T>t

•  ItwillbeallowedonlyifthereferencevectoratTiswithintheknownlimitsofthatatt.

•  Hencesafe


Overcoming Stealth Attacks Safe•  Surgeattack:here,theattackerwantstomaximizethedamageassoonaspossible.

•  Biasattack:Inthiscase,theattackerwantstoattackoveraperiodoftimethroughincrementalperturbations.

•  Geometricattack:heretheadversarywantstodriftslowlyinthebeginningandfinallymaximizethedamage.

•  Falsepositives--Couldbeminimizedbasedonsampling


Conclusions

•  ExtremelyusefulinDetectingBlackSwanEvents•  Scalableandovercomesfalsepositives•  InductiveLearning/MachineLearning


Conclusions

•  Tunableforgeneralizationslike– Sameanalysisofcorrectnessholdswhenspheresareallowedtobeellipsoids– Differentreferencevectorsàtoincreaseradiuswhenclosetothresholdvalues– Combiningtheseobservationsallowsadditionalcostsavings– Moregeneraltheoryof“SafeZones”--Convexsubsetsoftheadmissibleregion


Conclusions •  ApproachinconjunctionwithITsecurityprovidesasafeoperation.

•  AsmostSCADAvendorsdonotdivulgedetailstheapproachispromising.

•  ApplicableforvarietiesofSCADAdeploymentsincludingpowergrids,smartgridsetc.(notethatthedataisquitequiteoftenverysensitive)

•  Experimentalworkinprogress.


The Distinguished Speakers Program is made possible by

For additional information, please visit http://dsp.acm.org/ ACMSIN2013,Aksaray,Turkey,Plenary

InvitedTalk

AboutACM

ACM, the Association for Computing Machinery is the world’s largest educational and scientific computing society, uniting educators, researchers and

professionals to inspire dialogue, share resources and address the field’s challenges.

ACM strengthens the computing profession’s collective voice through strong leadership, promotion of the highest standards, and recognition of technical

excellence.

ACM supports the professional growth of its members by providing opportunities for life-long learning, career development, and professional

networking. ��

With over 100,000 members from over 100 countries, ACM works to advance computing as a science and a profession. www.acm.org


security and protection of scada: a bigdata …...security and protection of scada: a bigdata...

Documents