![Page 1: Modelling versus remote hybrid test bedModelling versus remote hybrid test bed E.Ciancamerla, B. Fresilli, M. Minichino, T.Patriarca Efficiency of electrical grids under cyber attacks](https://reader030.vdocument.in/reader030/viewer/2022040410/5eced8b70e2bd5210370c350/html5/thumbnails/1.jpg)
Modelling versus remote hybrid test bed
E. Ciancamerla, B. Fresilli, M. Minichino, T. Patriarca
Efficiency of electrical grids under cyber attacks on their SCADA, Rome, 16th December 2014
Summary
• Brief introduction of SCADA
• Common security problems of SCADA
• Typical attacks on SCADA devices
• Modelling limits
• Towards a test bed: ENEA test bed
• Cyber attacks on a SCADA subset
• Effects of attacks on SCADA devices
SCADA system architecture
SCADA (Supervisory Control And Data Acquisition) systems are designed to:
• Collect field information by means of local processors (PLC/RTU);
• Transfer the information to a central computer (SCADA Control Server);
• Display the information to the operator graphically or textually (HMI);
• Allow the operator to monitor and control an entire system from a central location in real time.
All the components of the SCADA system are connected by serial line, Ethernet or Wi-Fi, using the Modbus, DNP3 and OPC protocols.
Corporate network & SCADA
[Diagram: corporate network and SCADA system; the SCADA system is made of local processors (PLC/RTU) and centralized control (HMI + SCADA Control Server)]
Cyber security on SCADA system (1/3)
In past years, SCADA systems operated in closed, proprietary networks. For instance, Modbus, a common SCADA protocol, was originally designed for use only within simple process control networks, to enable low-speed serial communication between clients and servers.
In recent years, the rapid development of Information and Communication Technology (ICT) has led to the full integration of telecommunication networks over the IP protocol (e.g. Modbus on TCP/IP).
In this new scenario the SCADA system is no longer isolated: it is exposed to a series of attacks because of its insecure design.
Cyber security on SCADA system (2/3)
Common problems on SCADA systems:
• Lack of authentication: no authentication at all, or simple authentication with a default login/password (e.g. user/user)
• Many open services with anonymous access or simple accounts (e.g. FTP service)
• No encryption used: all protocols are clear text
SCADA systems are vulnerable to cyber attacks at different layers:
• Host level (e.g. software vulnerabilities of the OS and applications)
• Network level (e.g. Modbus does not have any security feature such as authentication or encryption)
Cyber attacks on SCADA system (3/3)
Host level attack examples:
• Old or unpatched operating systems and applications are vulnerable to buffer overflow and SQL injection attacks, causing:
  • corruption of the correct behaviour of the program (e.g. incorrect data monitoring or data visualization)
  • modification of the database content (e.g. login and password of the administration users, setpoint configuration)
Network level attack examples:
• Denial of Service (DoS): the attacker sends a large number of service requests to the server in a short time, exhausting the server's resources and slowing it down
• Man In The Middle (MITM): the attacker intercepts the traffic between two SCADA devices (e.g. HMI and SCADA Control Center, or SCADA Control Center and PLC). Each device believes it is exchanging information with the legitimate interlocutor, while the attacker may sniff the information and/or send false messages (e.g. sniffing the SCADA login/password, viewing or modifying commands or monitoring data)
Consequences of attacks:
• Loss of / fake observability: the SCADA Control Center cannot receive packets from the PLC, or receives false ones
• Loss of / fake controllability: the PLC/RTU cannot receive packets from the SCADA Control Center, or receives false ones
Modelling limits
Modelling describes, in a simplified way, the corporate network and SCADA element states related to cyber security, the attack and consequence scenarios, and the impact of incorrect functioning of such elements on the quality of service indicators of the SCADA system and of the electrical grid.
Modelling assumptions fail to realistically reproduce cyber attacks and their propagation over the corporate network and the SCADA devices.
ENEA test bed architecture (1/2)
The ENEA test bed is based on a switched LAN.
The LAN is configured with a private IP address plan provided by IEC, so that an IPsec VPN connection to the remote sites can coexist with it.
Test bed hosts on LAN 172.27.228.0/24 (provided by IEC):
• HMI: 172.27.228.10
• SCADA Control Server: 172.27.228.3
• Attacker: 172.27.228.9
• NIDS: 172.27.228.11
• VPN gateway (provided by a virtual machine, towards IEC): 172.27.228.1
• PLC: 172.27.228.102 and 172.27.228.103
ENEA test bed architecture (2/2)
The ENEA test bed consists of:
• Human Machine Interface (HMI)
• SCADA Control Server
• Programmable Logic Controller (PLC)
• Attacker
• Network Intrusion Detection System (NIDS)
PLC: hardware architecture
Modicon M340 PLC hardware architecture:
1. Rack with 4 slots
2. Power supply
3. Processor with USB and Ethernet interfaces (BMX P34 CPU B)
4. Discrete I/O module
5. Ethernet RTU module (BMX NOR 0200H)
PLC: configuration and remote management
How to manage the Modicon M340 PLC?
• Remote diagnostics and monitoring via the built-in web server and the SCADA system
• Remote programming and download of the control program with the Unity Pro software
• Download of the configuration file via the FTP protocol, through the built-in FTP server on the Ethernet RTU module (BMX NOR 0200H)
[Diagram: HMI, SCADA Control Server, Unity Pro and PLC on LAN 172.27.228.0/24 provided by IEC]
PLC: remote web management
Cyber attacks strategy
To conduct an attack on a SCADA system, information gathering is the first useful step:
• Information about the architecture of the SCADA system and its components must be found: IP addresses, MAC addresses, open services, software versions
• This research is typically carried out with tools such as Nmap, Ettercap, SNMPcheck and Wireshark
• Based on the results of this step, the best attack strategy is chosen
• Very often a sophisticated attack is not even needed: it is enough to exploit badly made configurations, or configurations left with default parameters
Information Gathering (1/2)
As a first step, before defining the kind of cyber attack to implement, we need to perform information gathering.
Using the Nmap tool from Kali Linux on the attacker machine, we conducted information gathering and a vulnerability assessment on the ENEA test bed.
In particular, an in-depth scan was carried out on the PLC, in its default configuration, to discover potential vulnerabilities.
By means of the Nmap scan, we discovered some enabled services on the PLC to analyse in depth:
• HTTP service
• SNMPv1 service
• FTP service
Information Gathering (2/2)
SNMP service: in-depth analysis (1/4)
SNMP (Simple Network Management Protocol) is used for network management.
The ‘read only’ community string configured on the PLC device is ‘public’, so it is easy to obtain any information on the PLC with a generic SNMP tool.
Knowledge of the ‘write’ community string configured on the PLC device allows the PLC configuration to be modified.
SNMP v1 provides no encryption of the data exchanged and no authentication with user and password.
SNMP service: in-depth analysis (2/4)
Using the SNMPcheck tool with the ‘-w’ option, it was verified that the SNMP service on the PLC has the ‘write’ community string defined as public.
A write community string defined as public exposes the device to potential configuration changes by attackers.
SNMP service: in-depth analysis (3/4)
After discovering that a device is listening on UDP port 161, an SNMP enumeration tool such as SNMPwalk can be used to extract information from the device.
SNMP service: in-depth analysis (4/4)
In the information gathering campaign we discovered that the PLC has the write community string defined as public, so it is very simple to force a change of parameters.
Using the SNMPset tool, some device parameters (e.g. system name, IP address and so on) can be changed via SNMP.
Syn Flood attack (1/2)
Syn Flood is a DoS attack.
The attacker sends a large number of SYN requests to the target machine (in this case the PLC) but never returns the final ACK. The target machine may exhaust all its memory resources waiting for responses that will never arrive.
[Diagram: attacker (172.27.228.9) and HMI (172.27.228.10) connected through the switch to the PLC (172.27.228.102, 172.27.228.103)]
Syn Flood attack (2/2)
The Syn Flood attack was carried out from Kali Linux using the ‘hping3’ tool.
Syn Flood attack: Effects
The Syn Flood attack causes a slowdown of PLC responses, or the disruption of network traffic between the PLC and the management stations (such as the SCADA Control Server and the configuration software machine).
Error messages captured during the attack:
“Communication Error: Unable to retrieve status of the PLC: unexpected disconnection possible. Select Connect to establish the connection. Select Cancel to return to the offline mode” [Connect] [Cancel]
“Invalid PLC IP address or PLC is busy or support disabled”
DoS attacks consequences on SCADA system
Consequences on the SCADA system:
• Loss of controllability: the PLC/RTU cannot receive packets from the SCADA Control Server
• Loss of observability: the SCADA Control Server cannot receive packets from the PLC/RTU
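The test bed includes a NIDS; as an added example (not code from the ENEA slides), the following detector flags the half-open-connection pattern described above, i.e. a source sending bare SYNs that are never completed with an ACK. The packet records are constructed for illustration and reuse the slides' test-bed addresses; thresholds are assumptions.

```python
# Added example (not from the ENEA slides): a half-open-connection detector of the
# kind the test-bed NIDS could run against captured TCP flags. The packet records
# below are constructed for illustration and reuse the slides' test-bed addresses.
from collections import defaultdict, deque

# Constructed sample: (timestamp_s, src_ip, dst_ip, tcp_flags)
# A normal HMI -> PLC handshake, then a burst of bare SYNs from the attacker
# host 172.27.228.9 that are never completed with an ACK.
PACKETS = [
    (0.00, "172.27.228.10", "172.27.228.103", "S"),    # HMI SYN
    (0.01, "172.27.228.103", "172.27.228.10", "SA"),   # PLC SYN-ACK
    (0.02, "172.27.228.10", "172.27.228.103", "A"),    # HMI ACK: handshake done
] + [
    (0.1 + i * 0.001, "172.27.228.9", "172.27.228.103", "S") for i in range(300)
]


def syn_flood_report(packets, window_s=1.0, rate_threshold=100, half_open_threshold=50):
    """Flag sources whose bare-SYN rate within window_s, or whose number of SYNs
    never followed by a completing ACK, reaches the (assumed) thresholds.
    Returns {src_ip: {"peak_syn_rate": n, "half_open": m}} for flagged sources."""
    recent = defaultdict(deque)     # src -> timestamps of SYNs inside the sliding window
    peak = defaultdict(int)         # src -> highest SYN count seen in any window
    half_open = defaultdict(int)    # (src, dst) -> SYNs not yet completed by a client ACK
    for ts, src, dst, flags in sorted(packets):
        if "S" in flags and "A" not in flags:          # bare SYN: new handshake attempt
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window_s:
                q.popleft()
            peak[src] = max(peak[src], len(q))
            half_open[(src, dst)] += 1
        elif "A" in flags and "S" not in flags and half_open[(src, dst)] > 0:
            # Third handshake step from the same client: one pending SYN completes.
            # (Simplification: data ACKs on an established flow also match, but the
            # counter never goes negative, so a flood still stands out.)
            half_open[(src, dst)] -= 1
    per_src = defaultdict(int)
    for (src, _dst), n in half_open.items():
        per_src[src] += n
    report = {}
    for src in set(peak) | set(per_src):
        if peak[src] >= rate_threshold or per_src[src] >= half_open_threshold:
            report[src] = {"peak_syn_rate": peak[src], "half_open": per_src[src]}
    return report


if __name__ == "__main__":
    for src, stats in syn_flood_report(PACKETS).items():
        print(f"possible SYN flood from {src}: {stats}")
```

The HMI's completed handshake leaves no half-open entry, while the attacker's 300 uncompleted SYNs are reported on both the rate and the half-open criteria.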
MITM attack by means of Ettercap
To perform a MITM attack in the switched LAN, we used Ettercap, supplied with the Kali Linux distribution.
Ettercap is a network manipulation tool used to perform several kinds of attacks:
• Password sniffing for many network protocols
• Character injection
• Packet filtering and others
[Diagram: hosts connected to the switch]
• HMI: IP 172.27.228.10, MAC 00-50-8b-ac-09-7c
• Attacker: IP 172.27.228.9, MAC 00-14-5e-1e-1d-5e
• PLC: IP 172.27.228.103, MAC 00-80-f4-11-5d-68
MITM attack against an FTP session (1/3)
The attacker, using Ettercap, captures all traffic going from the HMI to the PLC.
Ettercap poisons the ARP cache on each machine, and all Ethernet traffic between them is intercepted.
Ettercap automatically extracts the login and password from any active connection.
MITM attack against an FTP session (2/3)
The HMI starts an FTP session to the PLC and logs in.
MITM attack against an FTP session (3/3)
Ettercap shows us the login and password, which are sent in clear text in the FTP session.
MITM attacks consequences on SCADA system
Consequences on the SCADA system:
• Fake controllability: the PLC/RTU receives fake packets from the SCADA Control Server
• Fake observability: the SCADA Control Server receives fake packets from the PLC/RTU
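The ARP cache poisoning that Ettercap relies on leaves a visible trace: one MAC answering for several IPs, and known IP-to-MAC bindings changing. As an added example (not code from the ENEA slides), the following detector, of the kind the test-bed NIDS could run, raises alerts on both signs. The ARP replies are constructed for illustration using the slides' IPs and MACs; the optional inventory of known bindings is an assumption.

```python
# Added example (not from the ENEA slides): ARP-cache-poisoning detection of the kind
# the test-bed NIDS could perform by watching ARP replies on the switch. The records
# below are constructed for illustration; IPs and MACs are those of the slides' test bed.
from collections import defaultdict

HMI, PLC, ATTACKER = "172.27.228.10", "172.27.228.103", "172.27.228.9"

# Constructed sample of observed ARP replies: (timestamp_s, sender_ip, sender_mac)
ARP_REPLIES = [
    (0.0, HMI, "00-50-8b-ac-09-7c"),
    (0.1, PLC, "00-80-f4-11-5d-68"),
    (0.2, ATTACKER, "00-14-5e-1e-1d-5e"),
    # Poisoning phase: the attacker's MAC answers for both the PLC's and the HMI's IP,
    # so each victim sends its traffic for the other through the attacker.
    (5.0, PLC, "00-14-5e-1e-1d-5e"),
    (5.0, HMI, "00-14-5e-1e-1d-5e"),
    (6.0, PLC, "00-14-5e-1e-1d-5e"),   # repeated replies keep the caches poisoned
]


def arp_alerts(replies, known_bindings=None):
    """Return a list of alerts from a stream of ARP replies.
    known_bindings: optional {ip: mac} inventory (an assumption, e.g. the test-bed
    address plan) that seeds the expected table; otherwise first-seen bindings are trusted.
    Alert shapes: (ts, "binding-change", ip, (expected_mac, seen_mac))
                  (ts, "multi-ip-mac", mac, tuple_of_ips_claimed)"""
    expected = {ip: mac.lower() for ip, mac in (known_bindings or {}).items()}
    claims = defaultdict(set)          # mac -> set of IPs it has answered for
    alerts = []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        first_claim = ip not in claims[mac]
        claims[mac].add(ip)
        if ip not in expected:
            expected[ip] = mac                       # learn the binding
        elif expected[ip] != mac:
            alerts.append((ts, "binding-change", ip, (expected[ip], mac)))
        if first_claim and len(claims[mac]) > 1:     # one MAC, several IPs: MITM sign
            alerts.append((ts, "multi-ip-mac", mac, tuple(sorted(claims[mac]))))
    return alerts


def suspect_macs(alerts):
    """MACs implicated by the alerts (the seen MAC of a binding change, or the multi-IP MAC)."""
    return {a[3][1] if a[1] == "binding-change" else a[2] for a in alerts}


if __name__ == "__main__":
    found = arp_alerts(ARP_REPLIES)
    for alert in found:
        print(alert)
    print("suspect MACs:", suspect_macs(found))
```

Seeding the table from an inventory of known bindings makes the check independent of which reply the sensor happened to see first.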
Thank you for your attention