© Egemen K. Çetinkaya
Resilient Networks Missouri S&T University CPE 6510
Security of Control Systems
Egemen K. Çetinkaya
Department of Electrical & Computer Engineering
Missouri University of Science and Technology
http://web.mst.edu/~cetinkayae/teaching/CPE6510Spring2017
13 April 2017 rev. 17.0 © 2014–2017 Egemen K. Çetinkaya
Security of Control Systems Outline
• Overview
• Control networks
• Control network security
MST CPE 6510 – Security of Control Systems 13 April 2017 2
Security of Control Systems Overview
• Overview
• Control networks
• Control network security
Control Systems Definition
• Control system function
– control
• process, procedure
– monitor
• alarms, events
– recording
• trend, production
• Process – sequence of chemical, physical, or biological activities
– for conversion, transport, or storage
– of material or energy
[E2005]
Critical Infrastructures Sectors
• Chemical
• Commercial facilities
• Communications
• Critical manufacturing
• Dams
• Defense industrial base
• Emergency services
• Energy
• Financial services
• Food and agriculture
• Government facilities
• Healthcare and public health
• Information technology
• Nuclear
• Transportation systems
• Water and wastewater systems
[DHS]
Control Systems Block Diagram
• Basic elements ?
Control Systems Block Diagram
• Basic elements
[Figure: closed-loop block diagram: input → controller → actuator → process → output, with a sensor feeding the output back to the controller]
Control Systems Step Response
• Step response to $G(s) = \frac{1}{s^2 + 2s + 10}$
[Figure: unit step response plot; labelled quantities are desired amplitude, rise time, peak time, overshoot, settling time, steady-state (ss) error, and the steady-state error band]
Step Function MATLAB Code
M = 1; % mass, units of kg
K = 10; % spring constant, units of N/m
B = 2; % damping coefficient, units of N-s/m
num = 1; % numerator: unit forcing input
den = [M B K]; % denominator: M s^2 + B s + K
sys = tf(num,den) % transfer function 1/(s^2 + 2s + 10); no semicolon, so it is displayed
step(sys); % plot the unit step response
[http://ctms.engin.umich.edu/CTMS/index.php?aux=Extras_step]
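The MATLAB snippet above only plots the response. The following added example (not from the slides or the linked CTMS page) integrates the same mass-spring-damper plant, G(s) = 1/(s² + 2s + 10), with a plain RK4 loop and then reads the quantities labelled on the step-response figure (rise time, peak time, overshoot, settling time, steady-state error) off the samples, comparing them with the closed-form second-order formulas. The parameter values M, B, K are the slide's; the function names, the 10–90 % rise-time definition and the ±2 % error band are this example's assumptions.

```python
import math

# Parameters matching the slide's MATLAB example: M = 1 kg, B = 2 N-s/m, K = 10 N/m,
# i.e. the plant G(s) = 1 / (M s^2 + B s + K) = 1 / (s^2 + 2s + 10).
M, B, K = 1.0, 2.0, 10.0


def simulate_step(m=M, b=B, k=K, dt=1e-3, t_end=10.0):
    """Integrate m*x'' + b*x' + k*x = u(t) for a unit step u(t) = 1 using RK4.

    Returns (times, positions). This stands in for MATLAB's step(sys) so the
    example runs without a control-systems toolbox.
    """
    def deriv(x, v):
        return v, (1.0 - b * v - k * x) / m

    t, x, v = 0.0, 0.0, 0.0          # system starts at rest
    times, ys = [t], [x]
    for _ in range(int(round(t_end / dt))):
        k1x, k1v = deriv(x, v)
        k2x, k2v = deriv(x + dt / 2 * k1x, v + dt / 2 * k1v)
        k3x, k3v = deriv(x + dt / 2 * k2x, v + dt / 2 * k2v)
        k4x, k4v = deriv(x + dt * k3x, v + dt * k3v)
        x += dt / 6 * (k1x + 2 * k2x + 2 * k3x + k4x)
        v += dt / 6 * (k1v + 2 * k2v + 2 * k3v + k4v)
        t += dt
        times.append(t)
        ys.append(x)
    return times, ys


def step_metrics(times, ys, desired, band=0.02):
    """Read the figure's labelled quantities off the sampled response.

    desired: commanded steady-state amplitude (1/K for this plant, DC gain);
    band:    +/- fraction of 'desired' defining the error band (assumed 2%).
    """
    t10 = next(t for t, y in zip(times, ys) if y >= 0.10 * desired)
    t90 = next(t for t, y in zip(times, ys) if y >= 0.90 * desired)
    i_peak = max(range(len(ys)), key=ys.__getitem__)
    last_outside = 0.0                # settling time = last exit from the band
    for t, y in zip(times, ys):
        if abs(y - desired) > band * desired:
            last_outside = t
    return {
        "rise_time": t90 - t10,                       # 10% -> 90% of desired
        "peak_time": times[i_peak],
        "overshoot_pct": 100.0 * (ys[i_peak] - desired) / desired,
        "settling_time": last_outside,
        "ss_error": desired - ys[-1],                 # steady-state error at t_end
    }


def analytic_metrics(m=M, b=B, k=K):
    """Closed-form values for an underdamped second-order system, for comparison."""
    wn = math.sqrt(k / m)                               # natural frequency
    zeta = b / (2.0 * math.sqrt(k * m))                 # damping ratio
    wd = wn * math.sqrt(1.0 - zeta ** 2)                # damped frequency
    return {
        "peak_time": math.pi / wd,
        "overshoot_pct": 100.0 * math.exp(-math.pi * zeta / math.sqrt(1.0 - zeta ** 2)),
        "settling_time_approx": 4.0 / (zeta * wn),      # common 2% rule of thumb
    }


if __name__ == "__main__":
    t, y = simulate_step()
    for name, val in step_metrics(t, y, desired=1.0 / K).items():
        print(f"{name:>14}: {val:.4f}")
    print("analytic:", analytic_metrics())
```

For this plant ζ ≈ 0.316 and ω_d = 3 rad/s, so the peak arrives at π/3 ≈ 1.05 s with about 35 % overshoot; the measured settling time (≈3.5 s) is a little under the 4/(ζω_n) = 4 s rule of thumb because that rule bounds the envelope rather than the actual last band crossing.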
Control Systems Types
• Process types
– continuous: continuous flow of materials
– batch: finite quantities of material
– discrete parts: finite quantities of parts
• Control system technologies
– SCADA: supervisory control and data acquisition
– DCS: distributed control system
• evolved from the needs of continuous processes
– PLC: programmable logic controller
• evolved from the needs of batch and discrete manufacturing
– PAC: programmable automation controller
• combines DCS & PLC, uses C/C++ rather than ladder logic
– others: relays, computers
[E2005]
Control Systems SCADA
• Controls dispersed assets
• Centralized data acquisition is as important as the control function
• SCADA components
– SCADA Server or Master Terminal Unit (MTU)
– Remote Terminal Unit (RTU)
• data acquisition and control unit to support remote stations
– Human Machine Interface (HMI)
• provides centralized monitoring and control system
– communication routers and links
Control Systems SCADA Architecture for Offshore Oil Platforms
[M2005]
Control Systems Distributed Control Systems
• Control systems within the same geographic location
• A DCS uses a centralized supervisory control loop
– to mediate a group of localized controllers
– that share the task of carrying out an entire production process
• Distributed controllers control their process actuators
– based on control server commands and sensor feedback
– examples of controllers:
• PLC, process controller, machine controller
• DCS is interfaced with the corporate network
Control Systems PLC
• Initially developed for automotive industry – late 1960s
• PLC architecture
– CPU
– memory
– power
– communication interface
– I/O modules
• Generally utilizes ladder logic
– textual PLC programming languages
• structured text language; high-level language
• instruction list language; similar to assembly
[E2005]
PLC Laboratory at ECE Department Allen-Bradley PLC
PLC Laboratory at ECE Department Control Experiment Station
Security of Control Systems Control Networks
• Overview
• Control networks
• Control network security
Review Questions What are service models of the network?
• Best effort
– no service guarantees
– e.g. Internet
• Probabilistic guarantees
– statistical guarantees of performance parameters
– e.g. DiffServ (Differentiated Services QoS model)
• Absolute guarantees
– guarantees of performance parameters
– e.g. IntServ (Integrated Services QoS model), ATM
Review Questions What are latency characteristics of applications?
• Best effort
– delay insensitive
– e.g. e-mail
• Interactive
– e.g. web browsing
• Real-time
– e.g. process control
• Deadline
– e.g. remote backup
Control Networks Overview
• Characteristics of control networks
– severe failure consequence
– low RTT tolerance; 0.1 – 10 ms
– hostile conditions; dust, heat, vibration
– small size APDU – application protocol data unit
• Three generations of control network protocols
– serial-based fieldbus
– Ethernet-based
– wireless-based
• There are about 150–200 control network protocols
[GH2013]
Control Networks Comparison of Control and Communication Nets
[GH2013]
Enhanced Performance Architecture
Control Networks Major List
• Controller Area Network – CAN
• CANopen
• ControlNet
• DeviceNet
• EtherNet/IP
• PROFIBUS
• PROFINET
• INTERBUS
• WorldFIP
[GH2013]
Security of Control Systems Control Network Security
• Overview
• Control networks
• Control network security
Past Challenges in Control Systems Selected Chronology
1999 Bellingham, WA pipeline explosion
2000 Maroochy Shire sewage spill
2003 Davis-Besse nuclear plant: Slammer worm
2003 Northeast power blackout: SCADA malfunction
2003 CSX train signalling malfunction: Sobig virus
2005 Chrysler assembly line shutdown: Zotob worm
2005 Taum Sauk dam breach: erroneous readings
2006 LA traffic light hacking
2010 Stuxnet worm
[SFS2013]
Maroochy Shire Sewage Spill Overview
• First known control system attack
• Events in Maroochy Shire in Queensland, Australia
• Vitek Boden – attacker
– resigned from Hunter Watertech in Dec. 1999
• firm installing SCADA for water systems for the city
– denied employment by the City Council in Jan. 2000
• Altered data in the sewerage pumping stations
• Caused 800,000 liters of raw sewage to spill out
• Eventually caught and sentenced to 2 years in jail
[http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf]
Stuxnet Worm Overview
• First malicious logic that was used as a cyber-weapon
– became public in 2010
• Designed to alter operation of nuclear power plant
• Targeted uranium enrichment facility at Natanz, Iran
– attack success is unclear
• Part of the Operation Olympic Games
– a cyber warfare program started in 2001
• Speculated US, Israel, and EU behind it
– ref: David E. Sanger, NYT article, June 2012
[MMD+2013, FMC2013]
Stuxnet Worm Evolution
• Code believed to be compiled in 2001
[MMD+2013, FMC2013]
Version Date Description
0.500 3 Nov. 2005 Command & control server registration
0.500 15 Nov. 2007 Submit date to a public scanning service
0.500 4 Jul. 2009 Infection stop date
1.001 22 Jun. 2009 Main binary compile timestamp
1.100 1 Mar. 2010 Main binary compile timestamp
1.101 14 Apr. 2010 Main binary compile timestamp
Stuxnet Worm Details
• Stuxnet targets PLC
– version 0.5 targets centrifuge valves
– version 1.x targets speed of the centrifuges
• Stuxnet worm replication
– all versions replicate through Siemens S7 PLC files and USB
– later versions also utilized Windows vulnerabilities
• Command and control servers
– version 0.5: smartclick.org, best-advertising.net, internetadvertising4u.com, ad-marketing.net
– version 1.x: www.mypremierfutbol.com, www.todaysfutbol.com
[MMD+2013, FMC2013]
Stuxnet Worm Attack Process for Version 0.5
• Sophisticated and intelligent
[MMD+2013, FMC2013]
Cyber Warfare Future
• Side effects
– Chevron also impacted by Stuxnet
• More is on the way
– Duqu, Flame, Gauss identified
– scanning and stealing information from industrial plants
• Getting more sophisticated and stealthy
– 500 KB Stuxnet vs. 20 MB Flame
– Flame using Windows patch to install
• Other scenarios?
[http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet]
Control Network Security Defense in Depth Network Structure
• Defense in depth utilizes multiple layers
[GH2013]
Control Network Security Defense using Demilitarized Zone (DMZ)
[GH2013]
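The two slides above (defense in depth with multiple layers, and a DMZ between the corporate and control networks) describe the structure in pictures only. The following added example, which is not from the slides or from [GH2013], models that structure as a small zone-based firewall policy: first-match evaluation with an implicit deny, plus an audit function that flags any allow rule bridging the corporate and control zones directly, which is exactly the path a DMZ design is meant to remove. The zone names, the rule set, and the choice of HTTPS (443) and Modbus/TCP (502) as the permitted services are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed three-zone model of the slide's layout: the corporate network, a DMZ
# holding replica/bastion services, and the control network itself.
ZONES = ("corporate", "dmz", "control")


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"

    def matches(self, src, dst, proto, dport):
        return (self.src == src and self.dst == dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(policy, src, dst, proto, dport):
    """First-match evaluation with an implicit deny, like a zone-based firewall."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone in flow {src}->{dst}")
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


def audit_direct_paths(policy):
    """Return allow rules that join corporate and control directly, bypassing the DMZ.

    Any such rule collapses the two layers into one, so a defender wants it
    flagged regardless of how narrow its port filter looks.
    """
    return [r for r in policy
            if r.action == "allow" and {r.src, r.dst} == {"corporate", "control"}]


# Assumed example policy (not from the slides): corporate users reach only a
# historian replica in the DMZ over HTTPS, and only that replica polls the
# control network. 443 and 502 are the usual HTTPS and Modbus/TCP ports.
GOOD_POLICY = [
    Rule("corporate", "dmz", "tcp", 443, "allow"),
    Rule("dmz", "control", "tcp", 502, "allow"),
]

# The same policy plus a "temporary" convenience rule that defeats the DMZ.
BAD_POLICY = GOOD_POLICY + [Rule("corporate", "control", "any", None, "allow")]


if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        verdict = evaluate(pol, "corporate", "control", "tcp", 502)
        print(f"{name}: corporate->control tcp/502 = {verdict}; "
              f"direct paths = {audit_direct_paths(pol)}")
```

Running the evaluator over the two rule sets shows the point of the second layer: with GOOD_POLICY a corporate host cannot reach a PLC on tcp/502 at all (implicit deny), whereas BAD_POLICY allows it and the audit reports the offending rule. In practice the audit would be run against the exported firewall configuration rather than a hand-written list.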
References and Further Reading
• [GH2013] Brendan Galloway and Gerhard P. Hancke, “Introduction to Industrial Control Networks,” IEEE Communications Surveys & Tutorials, Volume 15, Issue 2, pp. 860 – 880, 2nd Quarter 2013.
• [M2005] Ann Miller, “Trends in Process Control Systems Security,” IEEE Security & Privacy Magazine, Volume 3, Issue 5, pp. 57 – 60, September/October 2005.
• [ILW2006] Vinay M. Igure, Sean A. Laughter, and Ronald D. Williams, “Security issues in SCADA networks,” Computers & Security, Volume 25, Issue 7, pp. 498 – 506, October 2006.
• [CK2016] Edward J. M. Colbert and Alexander Kott, Cyber-security of SCADA and Other Industrial Control Systems, Springer International Publishing, 2016.
• [E2005] Kelvin T. Erickson, “Programmable Logic Controllers: An Emphasis on Design and Application,” Dogwood Valley Press, 2005.
• [DHS] http://www.dhs.gov/critical-infrastructure-sectors
• [MMD+2013] Geoff McDonald, Liam O Murchu, Stephen Doherty, and Eric Chien, “Stuxnet 0.5:The Missing Link,” Symantec White Paper, February 2013.
• [FMC2013] Nicolas Falliere, Liam O Murchu, and Eric Chien, “W32.Stuxnet Dossier,” Symantec White Paper, February 2011.
• [SPL+2015] Keith Stouffer, Victoria Pillitteri, Suzanne Lightman, Marshall Abrams, and Adam Hahn, “Guide to Industrial Control Systems (ICS) Security,” NIST SP 800-82 Rev. 2, May 2015. http://dx.doi.org/10.6028/NIST.SP.800-82r2
• https://ics-cert.us-cert.gov/Control-System-Security-Server-Documentation