    Assessing and augmenting SCADA cyber security: a survey of techniques

    SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisation and declining cost of internet connectivity have transformed these systems from strictly isolated into highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote access, but at the same time exposes an otherwise isolated and secure system to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards, as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker's to determine weaknesses and loopholes in defences. Such a mindset helps to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability.

    Applying cybersecurity for IEC 60870-5-104 communication between control station and substation

    IEC 60870-5-104 is a communication protocol used in the telecontrol of electric power systems. Despite the critical nature of electric power systems, IEC 60870-5-104 itself does not implement security measures such as encryption and authentication, leaving it vulnerable to cybersecurity threats such as eavesdropping and spoofing. The intention of this thesis is to investigate three techniques to provide security for IEC 60870-5-104 communication at different layers of networking and data communication. The investigated techniques are the IEC 62351-3 standard, providing TLS protection for IEC 60870-5-104; an IPsec VPN tunnel; and an application layer authentication mechanism for IEC 60870-5-104 defined by the IEC 62351-5 standard. The investigation was based on a literature review and empirical testing. The literature review focused on the standards and definitions specifying the protection mechanisms and IEC 60870-5-104, supported by field-specific literature. Research on attack simulations against IEC 60870-5-104 was also studied. In the empirical investigation, all protection mechanisms were tested and demonstrated using a SCADA server running on a virtual machine and a physical RTU. The Wireshark packet analyzer was used to analyze traffic when IEC 60870-5-104 communication was protected using the investigated techniques. An understanding was formed of how IEC 60870-5-104 can be protected at different layers of networking and data communication using the investigated protection techniques. Each technique acts independently of the others, enabling protection of IEC 60870-5-104 communication at multiple layers. The solutions to be used for protecting IEC 60870-5-104 depend on the protection requirements, network architectural restrictions, and the support of the equipment in use.
    Important aspects of protecting transferred data are to provide end-to-end protection between endpoints and to isolate sensitive control system endpoints from direct or indirect access by untrusted networks. TLS provides protection for transferred application data but does not provide network-level isolation of the endpoint hosts. Therefore, the most suitable use case for TLS is to protect IEC 60870-5-104 communication within a trusted network. The advantage of an IPsec tunnel is the isolation of the endpoint networks and of the data exchanged between them, making it most suitable for protecting T104 communication across untrusted networks. IEC 62351-5 is not a networking technique but a set of functionalities added at the application layer of IEC 60870-5-104. Because IEC 62351-5 is implemented at the application layer, it can provide security measures that cannot be achieved by protection techniques operating at the lower layers. The most important security measure that IEC 62351-5 adds is linking and authenticating application layer users between a controlling station and a controlled station, which provides security for the application processes.
    Finnish abstract (translated): IEC 60870-5-104 is a communication protocol used in the telecontrol of power distribution systems, which does not itself implement security mechanisms such as encryption or authentication. This makes it vulnerable to various security threats; for example, the content of unencrypted communication can be eavesdropped on and the origin of messages forged. The purpose of this master's thesis is to investigate three techniques for improving the security of IEC 60870-5-104 communication, each of which operates at a different layer of data transmission. The methods examined are the TLS protection for the IEC 60870-5-104 protocol provided by the IEC 62351-3 standard, IPsec VPN tunnelling, and the authentication mechanism for the IEC 60870-5-104 protocol defined by the IEC 62351-5 standard. The research methods used were a literature review and empirical research. The literature review studied the standards defining the security techniques and the IEC 60870-5-104 protocol, supported by literature from the field. The security of the IEC 60870-5-104 protocol was studied through research dealing with attack simulations. In the empirical research, each security technique was tested and demonstrated in a test environment consisting of a SCADA server running on a virtual platform and a physical RTU device. The Wireshark packet analyser was used to analyse the protection of the IEC 60870-5-104 communication between the devices. As a result of the thesis, an understanding was formed of how the studied protection techniques can protect IEC 60870-5-104 communication at different layers of data transmission. Each technique is independent of the others, which makes it possible to protect IEC 60870-5-104 communication at several different transmission levels. The choice of technique used to protect communication depends on the protection requirements, network architectural constraints, and the techniques supported by the equipment. An important aspect of protecting transferred data is implementing protection along the entire path from sender to receiver. In addition, there should be no direct or indirect connection to critical control systems from untrusted networks. TLS provides protection for application data but does not create a protective network layer for the communicating devices. Thus TLS is best suited to protecting IEC 60870-5-104 communication in trusted networks. IPsec tunnelling, in turn, creates a protective network layer for the two connected internal networks and the data transfer between them, from the perspective of the connecting network, making it suitable for protecting data transfer in open networks. The implementation of the IEC 62351-5 standard is not a data transmission technique but application-level functionality that improves security, allowing users between control centre and substation devices to be linked and authenticated, which cannot be achieved at the lower transmission layers.

    Time Accuracy De-Synchronisation Attacks Against IEC 60870-5-104 and IEC 61850 Protocols

    CREATING SYNTHETIC ATTACKS WITH EVOLUTIONARY ALGORITHMS FOR INDUSTRIAL-CONTROL-SYSTEM SECURITY TESTING

    Cybersecurity defenders can use honeypots (decoy systems) to capture and study adversarial activities. An issue with honeypots is obtaining enough data on rare attacks. To improve data collection, we created a tool that uses machine learning to generate plausible artificial attacks on two protocols, Hypertext Transfer Protocol (HTTP) and IEC 60870-5-104 ("IEC 104" for short, an industrial-control-system protocol). It uses evolutionary algorithms to create new variants of two cyberattacks: Log4j exploits (described in CVE-2021-44228 as severely critical) and the Industroyer2 malware (allegedly used in Russian attacks on Ukrainian power grids). Our synthetic attack generator (SAGO) effectively created synthetic attacks at success rates of up to 70 and 40 percent for Log4j and IEC 104, respectively. We tested over 5,200 unique variations of Log4j exploits and 256 unique variations of the approach used by Industroyer2. Based on a power-grid honeypot's response to these attacks, we identified changes to improve interactivity, which should entice intruders to mount more revealing attacks and aid defenders in hardening against new attack variants. This work provides a technique to proactively identify cybersecurity weaknesses in critical infrastructure and Department of Defense assets.
    Captain, United States Marine Corps. Approved for public release. Distribution is unlimited.

    Cybersecurity analysis of a SCADA system under current standards, client requisites, and penetration testing

    Supervisory Control and Data Acquisition (SCADA) systems are essential for monitoring and controlling a country's Critical Infrastructures (CI) such as electrical power grids, gas, water supply, and transportation services. These systems used to be mostly isolated and secure, but this is no longer true due to the use of wider and interconnected communication networks to reap benefits such as scalability, reliability, usability, and integration. This architectural change, together with the critical importance of these systems, has made them desirable cyber-attack targets. Just as in other Information Technology (IT) systems, standards and best practices have been developed to provide guidance for SCADA developers to increase the security of their systems against cyber-attacks. With the assistance of EFACEC, this work provides an analysis of a SCADA system under current standards and client requisites, and testing of vulnerabilities in an actual prototype system. Our aim is to provide guidance by example on how to evaluate and improve the security of SCADA systems, using a basic prototype of EFACEC's ScateX# SCADA system and following both a theoretical and a practical approach. For the theoretical approach, a list of the most commonly adopted ICS (Industrial Control Systems) and IT standards is compiled, and then sets of a generic client's cybersecurity requisites are analyzed and compared against the prototype's specifications. A study of the system's architecture is also performed to identify vulnerabilities and non-compliances with both the client's requisites and the standards, and, for the identified vulnerabilities, corrective and mitigation measures are suggested. For the practical approach, a threat model was developed to help identify desirable assets on SCADA systems and possible attack vectors that could allow access to such assets. Penetration tests were performed on the prototype in order to validate the attack vectors, to evaluate compliance, and to provide evidence of the effectiveness of the corrective measures.

    Towards Understanding Man-on-the-Side Attacks (MotS) in SCADA Networks

    We describe a new class of packet injection attacks called Man-on-the-Side Attacks (MotS), previously only seen where state actors have "compromised" a number of telecommunication companies. MotS injection attacks have not been widely investigated in the scientific literature, despite having been discussed by news outlets and security blogs. MotS came to attention after the Edward Snowden revelations, which described large-scale pervasive monitoring of the Internet's infrastructure. For an advanced adversary attempting to interfere with IT-connected systems, the next logical step is to adapt this class of attack to a smaller scale, such as enterprise or critical infrastructure networks. MotS is a weaker form of attack compared to a Man-in-the-Middle (MitM). A MotS attack allows an adversary to read and inject packets, but not to modify packets sent by other hosts. This paper presents practical experiments in which we implemented and performed MotS attacks against two testbeds: 1) on HTTP connections, by redirecting a victim to a host controlled by an adversary; and 2) on an Industrial Control network, where we inject falsified command responses to the victim. In both cases, the victims accept the injected packets without generating a suspiciously large number of unusual packets on the network. We then analyze three leading Network IDS to determine whether the attacks are detected, and discuss mitigation methods.

    Causality Re-Ordering Attacks on the IEC 60870-5-104 Protocol

    A Cyber-Physical System for integrated remote control and protection of smart grid critical infrastructures

    This work proposes a Cyber-Physical System (CPS) for protecting Smart Electric Grid Critical Infrastructures (CI) using video surveillance while remotely monitoring them. Due to the critical nature of the Smart Grid, it is necessary to guarantee an adequate level of safety, security and reliability. Thus, this CPS is backboned by a Time-Sensitive Networking (TSN) solution providing concurrent support for smart video surveillance and Smart Grid control over a single communication infrastructure. To this end, TSN delivers high-bandwidth communication for video surveillance and the deterministic Quality of Service (QoS), latency and bandwidth guarantees required by time-critical Smart Grid control. On the one hand, the CPS utilizes High-availability Seamless Redundancy (HSR) in the control subsystem via Remote Terminal Units (RTU), guaranteeing seamless failover against failures in the Smart Grid. On the other hand, the smart video surveillance subsystem applies machine learning to monitor secured perimeters and detect people around the Smart Grid CI. Moreover, it is also able to interoperate directly with RTUs via the MODBUS protocol to send alarms in case of, e.g., intrusion. The work evaluates the accuracy and performance of the detection using common metrics in the surveillance field. An integrated monitoring dashboard has also been developed in which all CPS information is available in real time.
    This work was partially supported by the EU Project FitOptiVis [3] through the ECSEL Joint Undertaking under GA n. 783162, a Spanish National grant funded by MINECO through APCIN PCI2018-093184, and partially by the Research Network RED2018-102511-