Cyber Security Research on Industrial Control Systems
SM Yiu Department of Computer Science
The University of Hong Kong
Cyber-security for industry 4.0 conference 23 June, 2017
Will the following only be seen in movies?
Movies: Cyber Hacking (2015); Italian Job (2003)
IT IS REAL!
(Defcon Hacking conference 2014)
2016 (US): 295 reports of ICS attacks (20%)
Mar: New York dam (control system accessed)
April: German nuclear power plant (malware)
Light-rail system, ….
The purpose of the talk is to raise the community's awareness of the security issues of ICS.
Key components of an ICS (Guide to Industrial Control System (ICS) Security, NIST, 2015)
Numerous attack points
SCADA – a typical ICS (Guide to Industrial Control System (ICS) Security, NIST, 2015)
PLC (programmable logic controller)
- A small digital computer used to automate various electro-mechanical processes in industry.
- Specially designed to survive in harsh conditions.
- Programs can be written on a computer and downloaded to the PLC via a communication link (e.g. cable).
- “Hard” real-time system: output is produced in response to input conditions within a bounded time.
Are PLCs critical? In what systems are they used?
Yuen Long Sewage Treatment system
Ventilation Control and Monitoring System for Tunnel of subway/railway
(pictures from MTR report)
How easy is it to hack a PLC?
• PLCs are NOT secure:
PLCs have no proper protection built in: no authentication and no encryption for the communication protocol.
A PLC can be discovered by packet sniffing.
Components of the lift system (from the demo diagram):
- Touch panel for floor selection, used to control the lift
- Sensor to detect the current floor
- Switch that connects the PLC and the touch panel
- The PLC that controls the lift system
Attack on the Lift System
Hacker: connect to the PLC and control the lift directly (NO authentication)
Q: Some engineers feel that it is not easy to connect to it because it is a “closed” system. Do you agree?
Network capability
Five attacks (4 with demos)
1. DoS attack
– 100 MB/s is already enough to stop the PLC from receiving any valid commands
– No advanced hacking knowledge needed: packet generation program, free from the Internet
2. Command injection attack
– We connect to the PLC directly and generate random commands to the PLC
– A little bit more knowledge needed: replay attack!
3. Control the lift
– Having taken control of the PLC, the attacker can order the lift to whatever level
– Requires understanding the commands from the touch panel to the PLC
4. Manipulate the sensor values
– Actively modify the sensor values
– Requires more knowledge about the sensor variables stored in the PLC
5. Time bomb: hack the traffic lights
– Build a time bomb to turn both the lights for cars and for pedestrians green at the same time ONCE IN A WHILE
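All five attacks rely on the same gap: the PLC accepts any command from anyone on the switch. The following is an added example, not code from the talk or from the HKU group, of the kind of lightweight monitor that could sit on the switch between the touch panel and the PLC. It flags writes from hosts other than the touch panel, a command flood, floor commands the lift does not have, and sensor readings that jump more than one floor at a time. The addresses, thresholds, floor limits, packet record format and the capture itself are constructed for illustration.

```python
"""Passive monitor for traffic to a lift PLC (added example, constructed values)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Tuple

PLC_ADDR = "10.0.0.10"            # the PLC (constructed address)
ALLOWED_WRITERS = {"10.0.0.20"}   # the touch panel is the only legitimate writer (assumption)
MAX_WRITES_PER_SEC = 50           # a touch panel never approaches this rate (assumption)
FLOOR_MIN, FLOOR_MAX = 1, 10      # physical limits of the lift (assumption)


@dataclass
class Packet:
    t: float      # capture time in seconds
    src: str
    dst: str
    op: str       # "write_floor" (command to the PLC) or "sensor_floor" (reading sent to the PLC)
    value: int


def monitor(packets: List[Packet]) -> List[Tuple[float, str, str]]:
    """Return (time, kind, detail) alerts for traffic a touch panel would never produce."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of its writes in the last second
    flagged_src = set()           # hosts already reported as unauthorised
    flooding = set()              # hosts currently in a flood
    last_floor = None             # last plausible sensor reading

    for p in packets:
        if p.dst != PLC_ADDR:
            continue
        if p.op == "write_floor":
            # 1. The protocol has no authentication, so enforce a source allow-list here.
            if p.src not in ALLOWED_WRITERS and p.src not in flagged_src:
                flagged_src.add(p.src)
                alerts.append((p.t, "unauth_writer", f"write from {p.src}"))
            # 2. DoS: count writes per source in a sliding one-second window.
            q = recent[p.src]
            q.append(p.t)
            while q[0] < p.t - 1.0:
                q.popleft()
            if len(q) > MAX_WRITES_PER_SEC:
                if p.src not in flooding:
                    flooding.add(p.src)
                    alerts.append((p.t, "flood", f"{len(q)} writes/s from {p.src}"))
            else:
                flooding.discard(p.src)
            # 3. Command injection: a floor the lift does not have.
            if not FLOOR_MIN <= p.value <= FLOOR_MAX:
                alerts.append((p.t, "bad_write_value", f"floor {p.value} from {p.src}"))
        elif p.op == "sensor_floor":
            # 4. Sensor manipulation: readings must be in range and move one floor at a time.
            if not FLOOR_MIN <= p.value <= FLOOR_MAX:
                alerts.append((p.t, "bad_sensor_value", f"floor {p.value}"))
            elif last_floor is not None and abs(p.value - last_floor) > 1:
                alerts.append((p.t, "sensor_jump", f"{last_floor} -> {p.value}"))
            else:
                last_floor = p.value
    return alerts


def sample_traffic() -> List[Packet]:
    """Constructed capture: normal panel use, then an intruder and a spoofed sensor."""
    pk = [Packet(0.0, "10.0.0.20", PLC_ADDR, "write_floor", 3)]          # panel asks for floor 3
    for i, floor in enumerate((1, 2, 3), start=1):                        # lift climbs 1 -> 3
        pk.append(Packet(float(i), "10.0.0.30", PLC_ADDR, "sensor_floor", floor))
    for i in range(60):                                                   # 60 writes in half a second
        pk.append(Packet(4.0 + i * 0.008, "10.0.0.99", PLC_ADDR, "write_floor", 5))
    pk.append(Packet(5.0, "10.0.0.99", PLC_ADDR, "write_floor", 99))     # random command value
    pk.append(Packet(6.0, "10.0.0.30", PLC_ADDR, "sensor_floor", 9))     # sensor jumps 3 -> 9
    return pk


if __name__ == "__main__":
    for t, kind, detail in monitor(sample_traffic()):
        print(f"{t:6.3f}s  {kind:16s} {detail}")
```

Each alert kind maps to one of the attacks above; on real traffic the thresholds would be tuned from a baseline of normal touch-panel activity, and the monitor would run on the switch or a tap rather than on the resource-limited PLC.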
Again, a real case in the US (Dec 2015).
They examined the traffic light and performed forensic analysis on the PLC …
Surprisingly…
Event/log                              Date/time
Program last modified                  Dec 08 2015 3:05pm
Program last compiled                  Dec 08 2015 5:46pm
Program last uploaded (by engineer)    Dec 08 2015 5:46pm
Program last uploaded (by ????)        Dec 26 2015 4:18am
Accident                               Dec 26 2015 pm
What can we do (our research directions besides attacks)?
- Build a protection layer
  * Difficulty: low processing power, limited memory/buffer of the PLC.
- Add in a forensic module
  * For detection and investigation.
Building a protection layer
(i) E.g. firewall
(ii) Light-weight detection module inside the PLC.
Remark: We also have some interesting methods to do forensics (e.g. how to log the events with limited buffers/power).
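As an added illustration of logging with a limited buffer (this is not the group's forensic method, which the slide does not describe), the following keeps only the newest few events in a ring buffer but chains each record to its predecessor with SHA-256, and the PLC would periodically export the latest digest to a host with more storage. An investigator holding an exported digest can check that the records still on the PLC were not altered, removed or reordered, even though older records have been overwritten, which is what the traffic-light timeline above depends on. The event text, buffer size and the `ChainedRingLog` class are constructed.

```python
"""Tamper-evident ring-buffer event log (added example, constructed values)."""
import hashlib
from collections import deque
from typing import Dict, List, Tuple

GENESIS = bytes(32)   # "previous digest" of the very first record


class ChainedRingLog:
    """Keep only the newest `capacity` events, each hash-linked to its predecessor."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.buf: deque = deque()
        self.evicted = 0          # how many old records have been overwritten
        self.seq = 0              # sequence number of the next record
        self.head = GENESIS       # digest of the most recent record

    @staticmethod
    def _digest(seq: int, prev: bytes, event: str) -> bytes:
        # seq and prev are fixed-width, so the variable-length event needs no length prefix
        return hashlib.sha256(seq.to_bytes(8, "big") + prev + event.encode()).digest()

    def append(self, event: str) -> bytes:
        rec = {"seq": self.seq, "prev": self.head, "event": event}
        rec["hash"] = self._digest(self.seq, self.head, event)
        if len(self.buf) == self.capacity:
            self.buf.popleft()     # limited buffer: drop the oldest record
            self.evicted += 1
        self.buf.append(rec)
        self.head = rec["hash"]
        self.seq += 1
        return self.head           # export this digest periodically off the PLC

    def records(self) -> List[Dict]:
        return list(self.buf)

    def verify(self, exported_head: bytes) -> bool:
        """True if the retained records form an unbroken chain ending at exported_head."""
        prev_hash = None
        prev_seq = None
        for rec in self.buf:
            if self._digest(rec["seq"], rec["prev"], rec["event"]) != rec["hash"]:
                return False                       # record content altered
            if prev_hash is not None and (rec["prev"] != prev_hash or rec["seq"] != prev_seq + 1):
                return False                       # record removed, reordered or inserted
            prev_hash, prev_seq = rec["hash"], rec["seq"]
        if prev_hash is None:
            return exported_head == GENESIS        # nothing logged yet
        return prev_hash == exported_head


def demo() -> Tuple[bool, bool, int]:
    """Log eight constructed events into a five-slot buffer, then rewrite one record."""
    log = ChainedRingLog(capacity=5)
    head = GENESIS
    for i in range(8):
        head = log.append(f"program uploaded by user{i}")      # constructed event text
    ok_before = log.verify(head)
    log.records()[2]["event"] = "program uploaded by engineer"  # an attacker edits a record
    ok_after = log.verify(head)
    return ok_before, ok_after, log.evicted


if __name__ == "__main__":
    print(demo())   # (True, False, 3)
```

The per-record cost is one SHA-256 over a few dozen bytes plus 32 bytes of stored digest, which is within reach of a PLC that cannot afford a large log; the exported head is the part that must leave the device, since anything that stays only in the buffer can be rewritten along with the chain.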
Acknowledgements
<Thank you>
Dr. KP Chow, leader of our research group
Our talented research students/engineers:
- Raymond Chan *
- Chun Fai Chan, Ken Yau
- Han Yu, Bo Zhang, Yuan Zhang
Our partner: Cisco
** We are more than willing to collaborate with industry for related R&D problems **
Alex Choy, PolyU