© Egemen K. Çetinkaya Resilient Networks Missouri S&T University CPE 6510 Security of Control Systems Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of Science and Technology [email protected] http://web.mst.edu/~cetinkayae/teaching/CPE6510Spring2017 13 April 2017 rev. 17.0 © 2014–2017 Egemen K. Çetinkaya


Security of Control Systems Outline

• Overview

• Control networks

• Control network security

MST CPE 6510 – Security of Control Systems 13 April 2017 2

Security of Control Systems Overview

Control Systems Definition

• Control system function

– control

  • process, procedure

– monitor

  • alarms, events

– recording

  • trend, production

• Process

– sequence of chemical, physical, or biological activities

– for conversion, transport, or storage

– of material or energy

[E2005]

Critical Infrastructures Sectors

• Chemical

• Commercial facilities

• Communications

• Critical manufacturing

• Dams

• Defense industrial base

• Emergency services

• Energy


• Financial services

• Food and agriculture

• Government facilities

• Healthcare and public health

• Information technology

• Nuclear

• Transportation systems

• Water and wastewater systems

[DHS]


Control Systems Block Diagram

• Basic elements

[Figure: block diagram with blocks controller, actuator, process, and sensor; signals input and output]

Control Systems Step Response

• Step response to $\frac{1}{s^2 + 2s + 10}$

[Figure: step response plot annotated with desired amplitude, rise time, peak time, overshoot, settling time, error band, steady-state amplitude, and steady-state (ss) error]

Step Function MATLAB Code

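M = 1; % mass, units of kg

K = 10; % spring constant, units of N/m

B = 2; % damping coefficient, units of N-s/m

num = 1; % numerator of the transfer function

den = [M B K]; % denominator coefficients: M*s^2 + B*s + K

sys = tf(num,den) % G(s) = 1/(s^2 + 2s + 10); no semicolon, so MATLAB prints it

step(sys); % plot the unit step response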

[http://ctms.engin.umich.edu/CTMS/index.php?aux=Extras_step]
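The quantities labelled on the step-response plot, computed for the slide's transfer function 1/(s^2 + 2s + 10). This is an added Python example, not part of the original slides; it assumes a unit step with a desired amplitude of 1, a 2% error band and a 10% to 90% rise time, none of which the slides state, and the function names are illustrative.

```python
import math

# Plant from the slide and the MATLAB listing: G(s) = 1 / (M s^2 + B s + K)
M, B, K = 1.0, 2.0, 10.0


def step_response(t_end=8.0, dt=1e-3, u=1.0):
    """Integrate M*y'' + B*y' + K*y = u from rest with classical RK4."""
    def deriv(y, v):
        return v, (u - B * v - K * y) / M

    t, y, v = 0.0, 0.0, 0.0
    ts, ys = [t], [y]
    for _ in range(int(round(t_end / dt))):
        k1y, k1v = deriv(y, v)
        k2y, k2v = deriv(y + 0.5 * dt * k1y, v + 0.5 * dt * k1v)
        k3y, k3v = deriv(y + 0.5 * dt * k2y, v + 0.5 * dt * k2v)
        k4y, k4v = deriv(y + dt * k3y, v + dt * k3v)
        y += dt * (k1y + 2 * k2y + 2 * k3y + k4y) / 6
        v += dt * (k1v + 2 * k2v + 2 * k3v + k4v) / 6
        t += dt
        ts.append(t)
        ys.append(y)
    return ts, ys


def step_metrics(ts, ys, desired=1.0, band=0.02):
    """Return the quantities annotated on the step-response plot."""
    y_ss = ys[-1]  # steady-state amplitude; the response has settled by t_end
    peak = max(ys)
    t10 = next(t for t, y in zip(ts, ys) if y >= 0.1 * y_ss)
    t90 = next(t for t, y in zip(ts, ys) if y >= 0.9 * y_ss)
    # Settling time: last instant the output lies outside the error band.
    outside = [t for t, y in zip(ts, ys) if abs(y - y_ss) > band * abs(y_ss)]
    return {
        "steady_state": y_ss,
        "ss_error": desired - y_ss,  # assumes the desired amplitude is 1
        "peak_time": ts[ys.index(peak)],
        "overshoot_pct": 100.0 * (peak - y_ss) / y_ss,
        "rise_time": t90 - t10,  # 10% to 90% of the steady-state amplitude
        "settling_time": outside[-1] if outside else 0.0,
    }


def closed_form():
    """Underdamped second-order formulas, used to cross-check the simulation."""
    wn = math.sqrt(K / M)                  # natural frequency, rad/s
    zeta = B / (2.0 * math.sqrt(K * M))    # damping ratio
    wd = wn * math.sqrt(1.0 - zeta ** 2)   # damped frequency, rad/s
    return {
        "steady_state": 1.0 / K,
        "peak_time": math.pi / wd,
        "overshoot_pct": 100.0 * math.exp(-zeta * wn * math.pi / wd),
    }


if __name__ == "__main__":
    for name, value in step_metrics(*step_response()).items():
        print(f"{name:14s} {value:.4f}")
    print(closed_form())
```

The poles of this plant sit at -1 ± 3j, so the output settles at 0.1 rather than at the desired amplitude, which is the steady-state error the plot labels.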


Control Systems Types

• Process types

– continuous: continuous flow of materials

– batch: finite quantities of material

– discrete parts: finite quantities of parts

• Control system technologies

– SCADA: supervisory control and data acquisition

– DCS: distributed control system

  • evolved from the needs of continuous process

– PLC: programmable logic controller

  • evolved from the needs of batch and discrete manufacturing

– PAC: programmable automation controller

  • combines DCS & PLC, uses C/C++ rather than ladder logic

– others: relays, computers

[E2005]

Control Systems SCADA

• Controls dispersed assets

• Centralized data acquisition is as important as control

• SCADA components

– SCADA Server or Master Terminal Unit (MTU)

– Remote Terminal Unit (RTU)

  • data acquisition and control unit to support remote stations

– Human Machine Interface (HMI)

  • provides centralized monitoring and control system

– communication routers and links

Control Systems SCADA Architecture for Offshore Oil Platforms

[M2005]

Control Systems Distributed Control Systems

• Control systems within the same geographic location

• A DCS uses a centralized supervisory control loop

– to mediate a group of localized controllers

– that share the overall tasks of carrying out an entire production process

• Distributed controllers control their process actuators

– based on control server commands and sensor feedback

– examples of controllers:

  • PLC, process controller, machine controller

• DCS is interfaced with the corporate network

Control Systems PLC

• Initially developed for automotive industry

– late 1960s

• PLC architecture

– CPU

– memory

– power

– communication interface

– I/O modules

• Generally utilizes ladder logic

– textual PLC programming languages

  • structured text language; high-level language

  • instruction list language; similar to assembly

[E2005]

PLC Laboratory at ECE Department Allen-Bradley PLC

PLC Laboratory at ECE Department Control Experiment Station

Security of Control Systems Control Networks

Review Questions What are service models of the network?

• Best effort

– no service guarantees

– e.g. Internet

• Probabilistic guarantees

– statistical guarantees of performance parameters

– e.g. DiffServ (Differentiated Services QoS model)

• Absolute guarantees

– guarantees of performance parameters

– e.g. IntServ (Integrated Services QoS model), ATM

Review Questions What are latency characteristics of applications?

• Best effort

– delay insensitive

– e.g. e-mail

• Interactive

– e.g. web browsing

• Real-time

– e.g. process control

• Deadline

– e.g. remote backup


Control Networks Overview

• Characteristics of control networks

– severe failure consequence

– low RTT tolerance; 0.1 – 10 ms

– hostile conditions; dust, heat, vibration

– small size APDU – application protocol data unit

• Three generations of control network protocols

– serial-based fieldbus

– Ethernet-based

– wireless-based

• There are about 150-200 control network protocols

[GH2013]

Control Networks Comparison of Control and Communication Nets

[Figure; label: Enhanced Performance Architecture]

[GH2013]

Control Networks Major List

• Controller Area Network – CAN

• CANopen

• ControlNet

• DeviceNet

• EtherNet/IP

• PROFIBUS

• PROFINET

• INTERBUS

• WorldFIP

[GH2013]

Security of Control Systems Control Network Security


Past Challenges in Control Systems Selected Chronology

1999 Bellingham, WA pipeline explosion

2000 Maroochy Shire sewage spill

2003 Davis-Besse nuclear plant: Slammer worm

2003 Northeast power blackout: SCADA malfunction

2003 CSX train signalling malfunction: Sobig virus

2005 Chrysler assembly line shutdown: Zotob worm

2005 Taum Sauk dam breach: erroneous readings

2006 LA traffic light hacking

2010 Stuxnet worm

[SFS2013]

Maroochy Shire Sewage Spill Overview

• First known control system attack

• Events in Maroochy Shire in Queensland, Australia

• Vitek Boden – attacker

– resigned from Hunter Watertech in Dec. 1999

  • firm installing SCADA for water systems for the city

– denied employment by City Council in Jan. 2000

• Altered data in the sewerage pumping stations

• Caused 800,000 liters of raw sewage to spill out

• Eventually caught and sentenced to 2 years in jail

[http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf]

Stuxnet Worm Overview

• First malicious logic that was used as a cyber-weapon

– became public in 2010

• Designed to alter operation of nuclear power plant

• Targeted uranium enrichment facility at Natanz, Iran

– attack success is unclear

• Part of Operation Olympic Games

– a cyber warfare program started in 2001

• Speculated that the US, Israel, and the EU are behind it

– ref: David A. Sanger, NYT article, June 2012

[MMD+2013, FMC2013]

Stuxnet Worm Evolution

• Code believed to be compiled in 2001

| Version | Date | Description |
|---|---|---|
| 0.500 | 3 Nov. 2005 | Command & control server registration |
| 0.500 | 15 Nov. 2007 | Submit date to a public scanning service |
| 0.500 | 4 Jul. 2009 | Infection stop date |
| 1.001 | 22 Jun. 2009 | Main binary compile timestamp |
| 1.100 | 1 Mar. 2010 | Main binary compile timestamp |
| 1.101 | 14 Apr. 2010 | Main binary compile timestamp |

[MMD+2013, FMC2013]

Stuxnet Worm Details

• Stuxnet targets PLC

– version 0.5 targets centrifuge valves

– version 1.x targets speed of the centrifuges

• Stuxnet worm replication

– all versions replicate through Siemens S7 PLC files and USB

– later versions also utilized Windows vulnerabilities

• Command and control servers

– version 0.5: smartclick.org, best-advertising.net, internetadvertising4u.com, ad-marketing.net

– version 1.x: www.mypremierfutbol.com, www.todaysfutbol.com


[MMD+2013, FMC2013]
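One way to hunt for the command-and-control domains listed above in DNS resolver logs, as an added Python example that is not part of the original slides. Only the domain names come from the slide; the log format, the sample lines and the function names are assumptions constructed for illustration.

```python
# Command-and-control domains as listed on the slide, keyed by Stuxnet version.
STUXNET_C2 = {
    "0.5": ["smartclick.org", "best-advertising.net",
            "internetadvertising4u.com", "ad-marketing.net"],
    "1.x": ["www.mypremierfutbol.com", "www.todaysfutbol.com"],
}

# Constructed sample resolver log (assumed format):
# "<timestamp> <client> <query type> <query name>"
SAMPLE_LOG = """\
2010-03-02T08:14:07Z 10.20.1.15 A www.example.com.
2010-03-02T08:14:09Z 10.20.1.77 A WWW.MyPremierFutbol.com.
2010-03-02T08:15:31Z 10.20.1.77 A www.todaysfutbol.com
2010-03-02T08:16:02Z 10.20.1.40 A notsmartclick.org
2010-03-02T08:16:40Z 10.20.3.9 A update.smartclick.org.
malformed line without enough fields
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def match_c2(name):
    """Return the Stuxnet version whose C2 list covers `name`, else None.

    A name matches when it equals a listed domain or is a subdomain of it;
    comparing on label boundaries keeps 'notsmartclick.org' from matching.
    """
    name = normalize(name)
    for version, domains in STUXNET_C2.items():
        for domain in domains:
            if name == domain or name.endswith("." + domain):
                return version
    return None


def scan(log_text):
    """Parse resolver log lines and return one record per C2 lookup."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        timestamp, client, _qtype, qname = fields
        version = match_c2(qname)
        if version is not None:
            hits.append({"line": lineno, "time": timestamp, "client": client,
                         "query": normalize(qname), "stuxnet_version": version})
    return hits


def clients_by_version(hits):
    """Group querying hosts by the Stuxnet version their lookups point to."""
    grouped = {}
    for hit in hits:
        grouped.setdefault(hit["stuxnet_version"], set()).add(hit["client"])
    return grouped


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```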


Stuxnet Worm Attack Process for Version 0.5

• Sophisticated and intelligent

[MMD+2013, FMC2013]

Cyber Warfare Future

• Side effects

– Chevron also impacted by Stuxnet

• More is on the way

– Duqu, Flame, Gauss identified

– scanning and stealing information from industrial plants

• Getting more sophisticated and stealthy

– 500 KB Stuxnet vs. 20 MB Flame

– Flame using Windows patch to install

• Other scenarios?

[http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet]

Control Network Security Defense in Depth Network Structure

• Defense in depth utilizes multiple layers

[GH2013]

Control Network Security Defense using Demilitarized Zone (DMZ)

[GH2013]

References and Further Reading

• [GH2013] Brendan Galloway and Gerhard P. Hancke, “Introduction to Industrial Control Networks,” IEEE Communications Surveys & Tutorials, Volume 15, Issue 2, pp. 860 – 880, 2nd Quarter 2013.

• [M2005] Ann Miller, “Trends in Process Control Systems Security,” IEEE Security & Privacy Magazine, Volume 3, Issue 5, pp. 57 – 60, September/October 2005.

• [ILW2006] Vinay M. Igure, Sean A. Laughter, and Ronald D. Williams, “Security issues in SCADA networks,” Computers & Security, Volume 25, Issue 7, pp. 498 – 506, October 2006.

• [CK2016] Edward J. M. Colbert and Alexander Kott, Cyber-security of SCADA and Other Industrial Control Systems, Springer International Publishing, 2016.


• [E2005] Kelvin T. Erickson, “Programmable Logic Controllers: An Emphasis on Design and Application”, Dogwood Valley Press, 2005

• [DHS] http://www.dhs.gov/critical-infrastructure-sectors

• [MMD+2013] Geoff McDonald, Liam O Murchu, Stephen Doherty, and Eric Chien, “Stuxnet 0.5: The Missing Link,” Symantec White Paper, February 2013.

• [FMC2013] Nicolas Falliere, Liam O Murchu, and Eric Chien, “W32.Stuxnet Dossier,” Symantec White Paper, February 2011.

• [SPL+2015] Keith Stouffer, Victoria Pillitteri, Suzanne Lightman, Marshall Abrams, and Adam Hahn, “Guide to Industrial Control Systems (ICS) Security,” NIST SP 800-82 Rev. 2, May 2015. http://dx.doi.org/10.6028/NIST.SP.800-82r2

• https://ics-cert.us-cert.gov/Control-System-Security-Server-Documentation

End of Foils