Transcript of a 16-slide presentation (posted 13-Aug-2020).

Page 1: Emerging Threats - Smart Grid Forums · Emerging Threats … and how to address them Dr Paul Smith paul.smith@ait.ac.at AIT Austrian Institute of Technology ... infrastructure Open

Emerging Threats … and how to address them

Dr Paul Smith, paul.smith@ait.ac.at

AIT Austrian Institute of Technology, Digital Safety and Security Department

Page 2: Advanced Persistent Cyber-Physical Threats

Page 3: Anatomy of an Advanced Cyber-Physical Threat

Attack chain shown on the slide, with the enabling factors listed beside each stage:

1. Phishing email & social engineering
   • Waterhole attacks
   • Infected software
   • Stolen/insecure username and password credentials
   • Compromise from the internet
2. Install Remote Access Trojan (RAT) in office PC
   • Office PC
   • Third-party remote maintenance
   • Engineer's laptop
   • BYOD
3. Network mapping & lateral movement
   • Well-known tools like nmap
   • Havex and Stuxnet sniffed traffic
   • RAT can keylog credentials
4. Exploit vulnerability & pivot to SCADA network
   • Vulnerable operating system
   • Vulnerable services on SCADA server, data historian, etc.
   • Vulnerable network devices
5. Deploy SCADA attack payload
   • Variety of known and unknown vulnerabilities in SCADA devices and software – CVEs, e.g. GE, Siemens, BroadWin
   • Inherently vulnerable SCADA protocols
6. Attack physical system functions
   • Devices vulnerable to freeze, shutdown, etc.

Diagram: Internet (attacker's controller, attacker's web server) → Office Network (Windows 7 office PC) → SCADA Network (data historian, SCADA HMI) → Physical Systems (PV inverter).

Page 4: Threat Actors – Cyber Attacks

Cyber Criminals – Motivation: High; Capability: Sophisticated
Hacktivists – Motivation: Low; Capability: Sophisticated
State-Sponsored Actors – Motivation: High; Capability: Sophisticated
Insiders – Motivation: Unpredictable; Capability: Limited

Page 5: Threat Actors – Cyber-Physical Attacks

Cyber Criminals – Motivation: Low; Capability: High
Hacktivists – Motivation: Low; Capability: Sophisticated
State-Sponsored Actors – Motivation: High; Capability: Sophisticated
Insiders – Motivation: Unpredictable; Capability: Limited

Could this change in the future and why?

Page 6: A More Open Smart Grid

[Figure: timeline of SCADA communication protocols, moving towards open standards]

More actors, more open interfaces: standardised SCADA protocols and an increased number of interfaces to operational systems make smart grids vulnerable to advanced cyber-physical threats.

Page 7: Ransomware of the Future

Page 8: Addressing these Emerging Threats

Building blocks (shown as pillars on the slide):
• Risk Management
• Secure Architecture
• Situation Awareness
• Incident Response

Closer IT and OT Integration

Resilience

Page 9: Risk Management for the Smart Grid

[Figure: co-simulation example – manipulated Q(U) curve parameters lead to an overvoltage situation, i.e. the voltage leaves the ±5% band around the nominal 230 V. Components: AIT Simulation Message Bus connecting a Power Systems Simulator, a Network Simulator, the Control Algorithm and a Sync Proxy.]

• Risk assessment is essential to understand how bad an attack can be and how likely it is to happen
• The consequences of an attack can be wide-ranging
• Co-simulation can be used to identify operational consequences; however, there is a large initial overhead
• Future direction: a consequence catalogue for cyber-physical attacks on the smart grid
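The overvoltage case on this slide, worked through as an added example (not the AIT co-simulation and not the speaker's code): a piecewise-linear Q(U) volt-var curve, a one-node grid model U = U_open + dV/dQ · Q(U), a genuine and a manipulated parameter set, and the ±5% band check. The grid model, the sensitivity coefficient, the curve thresholds, the feed-in scenario and the plausibility policy are all assumptions chosen so the effect is visible.

```python
"""Toy consequence analysis of a manipulated Q(U) (volt-var) curve.

Added example, not the AIT co-simulation from the slide. The one-node grid
model, the curve parameters, the feed-in scenario and the voltage
sensitivity below are assumptions chosen to make the effect visible.
"""
from dataclasses import dataclass

NOMINAL_V = 230.0
BAND = 0.05  # permitted deviation: +/-5 % of nominal, as on the slide


@dataclass(frozen=True)
class QUCurve:
    """Piecewise-linear Q(U) curve with thresholds u1 < u2 < u3 < u4 (V).

    Below u1 the inverter injects q_max (capacitive, raises the voltage),
    between u2 and u3 it is idle (dead band), above u4 it absorbs q_max
    (inductive, lowers the voltage); linear ramps in between.
    """
    u1: float
    u2: float
    u3: float
    u4: float
    q_max: float  # kvar

    def q(self, u: float) -> float:
        """Reactive power setpoint (kvar, positive = injection) for voltage u."""
        if u <= self.u1:
            return self.q_max
        if u < self.u2:
            return self.q_max * (self.u2 - u) / (self.u2 - self.u1)
        if u <= self.u3:
            return 0.0
        if u < self.u4:
            return -self.q_max * (u - self.u3) / (self.u4 - self.u3)
        return -self.q_max


def parameters_plausible(curve: QUCurve, spread: float = 0.15) -> bool:
    """Knowledge-based sanity check a controller or HMI could enforce before
    accepting new curve parameters: thresholds must be ordered and lie
    within +/-spread of nominal (assumed policy, not a standard's value)."""
    ordered = curve.u1 < curve.u2 < curve.u3 < curve.u4
    lo, hi = NOMINAL_V * (1 - spread), NOMINAL_V * (1 + spread)
    return ordered and all(lo <= u <= hi for u in (curve.u1, curve.u2, curve.u3, curve.u4))


def settle_voltage(curve: QUCurve, u_open: float, dv_dq: float, steps: int = 200) -> float:
    """Fixed-point iteration of the assumed one-node model
    U = u_open + dv_dq * Q(U): u_open is the voltage the PV feed-in would
    cause with Q = 0, dv_dq (V/kvar) the voltage sensitivity to reactive
    power. Converges when |dv_dq * dQ/dU| < 1 on every ramp."""
    u = u_open
    for _ in range(steps):
        u = u_open + dv_dq * curve.q(u)
    return u


def within_band(u: float) -> bool:
    """True when u stays inside the +/-5 % band around nominal."""
    return abs(u - NOMINAL_V) <= BAND * NOMINAL_V


# Legitimate curve: dead band 225..235 V, full absorption from 242 V.
GENUINE = QUCurve(u1=218.0, u2=225.0, u3=235.0, u4=242.0, q_max=10.0)
# Manipulated parameters (as an attacker with HMI access could write them):
# all thresholds shifted upwards, so the inverter still injects reactive
# power while the node is already above the permitted band.
MANIPULATED = QUCurve(u1=248.0, u2=255.0, u3=265.0, u4=272.0, q_max=10.0)


def compare(u_open: float = 240.0, dv_dq: float = 0.4) -> dict:
    """Settle both curves in the same strong-feed-in scenario."""
    return {name: settle_voltage(c, u_open, dv_dq)
            for name, c in (("genuine", GENUINE), ("manipulated", MANIPULATED))}


if __name__ == "__main__":
    for name, u in compare().items():
        print(f"{name:12s} U = {u:6.1f} V   within band: {within_band(u)}")
    print("manipulated parameters pass plausibility check:",
          parameters_plausible(MANIPULATED))
```

With the genuine curve the node settles at about 238 V (inside the band); the manipulated curve keeps injecting reactive power and the node settles at 244 V, outside it. Nothing in the control loop changed, only the parameters, which is why parameter writes to inverter controllers deserve the same knowledge-based validation that later slides describe for measurements.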

Page 10: Situation Awareness

Points to consider:
• Monitoring and detection should be deployed in the IT and OT infrastructure
• Open challenge: managing the data deluge
• In addition to technology solutions, clear processes are required regarding how they should be used
• Future direction: incorporating situation awareness information into the risk management process

Detection in Depth
[Figure: detection techniques against threat sophistication (Limited → Highly): Whitelists/Signatures → Stateful Analysis → Anomaly Detection, covering Known Attacks through to Unknown Attacks]

Attack Knowledge: information sharing and analysis is critical to situation awareness

Page 11: Example Security Information Analytics Platform

Knowledge-based:
• Deviation from set-point (grid specifications)
• Rule violations (physical laws; system model)
• Dead-sensor clustering (operator-selected time windows)

Data-driven:
• Kullback–Leibler divergence (histogram over full day)
• Single-class SVM (classification – normal vs anomalous)
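The knowledge-based and data-driven checks named on this slide, and the detection-in-depth idea of the previous one (rules for what is known, distribution comparison for what is not), as an added example run over constructed hourly voltage readings. This is not the platform's own code: the thresholds, the histogram bin edges and the sample data are assumptions, and the single-class SVM is left out to keep the example dependency-free.

```python
"""Detectors of the kinds listed on the slide, run over constructed
telemetry. Added example, not the platform's code: the thresholds, the bin
edges and the sample readings are assumptions. The single-class SVM is left
out to keep the example dependency-free.
"""
import math
from typing import Dict, Iterable, List, Sequence

NOMINAL_V = 230.0


# ---- knowledge-based checks (grid specification, physical laws) --------
def setpoint_deviations(voltages: Sequence[float], tol: float = 0.05) -> List[int]:
    """Indices of readings outside the +/-tol band around nominal."""
    return [i for i, u in enumerate(voltages) if abs(u - NOMINAL_V) > tol * NOMINAL_V]


def apparent_power_violations(p: Sequence[float], q: Sequence[float],
                              s_rated: float) -> List[int]:
    """Indices where sqrt(P^2 + Q^2) exceeds the inverter's apparent-power
    rating: physically impossible, so the reading is spoofed or faulty."""
    return [i for i, (pi, qi) in enumerate(zip(p, q)) if math.hypot(pi, qi) > s_rated]


def dead_sensor_windows(values: Sequence[float], window: int) -> List[int]:
    """Start indices of windows (operator-selected length) in which the
    reading never changes: a stuck or replayed sensor value."""
    return [i for i in range(len(values) - window + 1)
            if len(set(values[i:i + window])) == 1]


# ---- data-driven check: KL divergence of today's histogram vs baseline ---
def histogram(values: Iterable[float], edges: Sequence[float],
              eps: float = 1e-6) -> List[float]:
    """Normalised histogram over fixed bin edges; eps keeps every bin
    non-zero so the divergence stays finite."""
    counts = [0.0] * (len(edges) - 1)
    for v in values:
        for b in range(len(counts)):
            if edges[b] <= v < edges[b + 1]:
                counts[b] += 1
                break
    total = sum(counts) + eps * len(counts)
    return [(c + eps) / total for c in counts]


def kl_divergence(p: Sequence[float], q: Sequence[float]) -> float:
    """D_KL(P || Q) = sum p_i * ln(p_i / q_i), P = today, Q = baseline."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))


# Constructed hourly voltages (V) for a baseline day and for a day in which
# the sensor is stuck at an over-voltage value between 12:00 and 17:00.
BASELINE_V = [228, 229, 230, 231, 230, 229, 231, 232, 233, 234, 235, 236,
              236, 235, 234, 233, 232, 231, 230, 229, 229, 228, 228, 229]
STUCK_DAY_V = BASELINE_V[:12] + [247.0] * 6 + BASELINE_V[18:]
NORMAL_DAY_V = [v + 1 for v in BASELINE_V]  # ordinary day-to-day drift
EDGES = [220, 224, 228, 232, 236, 240, 244, 248, 252]


def analyse(today: Sequence[float], baseline: Sequence[float] = BASELINE_V,
            window: int = 4, kl_threshold: float = 1.0) -> Dict[str, object]:
    """Run the knowledge-based and data-driven checks over one day."""
    kl = kl_divergence(histogram(today, EDGES), histogram(baseline, EDGES))
    return {
        "setpoint_deviations": setpoint_deviations(today),
        "dead_sensor_windows": dead_sensor_windows(today, window),
        "kl_divergence": kl,
        "kl_anomalous": kl > kl_threshold,
    }


if __name__ == "__main__":
    for label, day in (("normal day", NORMAL_DAY_V), ("stuck day", STUCK_DAY_V)):
        print(label, analyse(day))
    # Constructed P/Q triples against a 10 kVA rating; the third cannot be real.
    print("rating violations:",
          apparent_power_violations([3.0, 3.5, 9.5], [1.0, 1.0, 4.0], 10.0))
```

The normal day drifts by one volt and passes every check; the stuck day trips the set-point rule, the dead-sensor window and the KL divergence at once. The three signals agree here, but they fail differently: rules need a specification, the dead-sensor check needs a window length chosen by the operator, and the divergence threshold has to be tuned per feeder, which is the "data deluge" and process point of the previous slide.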

Page 12: Incident Response

Points to consider:
• Use checklists to ensure incident response plans are being followed
• Practice makes perfect
• Consider third-party providers in your incident response plan: everything is going to the Cloud
• Incident response plans should include IT and OT departments
• Future challenge: digital forensics for industrial control systems is a challenging open issue

Page 13: Future Direction: Resilient Control

• Adaptation of PV controller behaviour, based on security information
• Evidential network used to determine system state; Dempster-Shafer Theory used to address alert uncertainty
• Demonstration in the AIT SmartEST Lab

[Figure: cyber-physical control loop]

In some cases, it may be necessary to perform automatic infrastructure adaptation.
Open questions remain about the optimal way to address cyber-attacks on cyber-physical systems (smart grids).
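Dempster-Shafer combination of uncertain alerts, as an added example (not the AIT evidential network): mass functions over the frame {attack, normal}, Dempster's rule with its conflict term, and belief/plausibility used as the decision input for an automatic controller adaptation. The sources, their mass values and the adaptation threshold are constructed for illustration.

```python
"""Combining uncertain alerts with Dempster's rule of combination.

Added example, not the AIT evidential network. The frame of discernment,
the alert sources and their mass assignments are assumptions chosen to show
how agreeing evidence strengthens belief and how a contradicting source
shows up as conflict.
"""
from itertools import product
from typing import Dict, FrozenSet, Tuple

Hypothesis = FrozenSet[str]
Mass = Dict[Hypothesis, float]

ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL  # frame of discernment; mass on THETA = "don't know"


def check_mass(m: Mass) -> None:
    """A basic probability assignment: no mass on the empty set, sums to 1."""
    if frozenset() in m or abs(sum(m.values()) - 1.0) > 1e-9:
        raise ValueError("not a valid mass function")


def combine(m1: Mass, m2: Mass) -> Tuple[Mass, float]:
    """Dempster's rule: m(A) = sum over B∩C=A of m1(B)m2(C) / (1 - K), where
    K = sum over B∩C=∅ of m1(B)m2(C) is the conflict between the sources.
    Returns the combined mass and K."""
    check_mass(m1)
    check_mass(m2)
    combined: Mass = {}
    conflict = 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if a:
            combined[a] = combined.get(a, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict > 1.0 - 1e-12:
        raise ValueError("total conflict: the sources cannot be combined")
    return {a: v / (1.0 - conflict) for a, v in combined.items()}, conflict


def belief(m: Mass, h: Hypothesis) -> float:
    """Bel(H): mass that implies H (focal sets contained in H)."""
    return sum(v for a, v in m.items() if a <= h)


def plausibility(m: Mass, h: Hypothesis) -> float:
    """Pl(H): mass that does not contradict H (focal sets intersecting H)."""
    return sum(v for a, v in m.items() if a & h)


# Constructed sources. A network IDS alert that is fairly reliable but says
# nothing in favour of "normal"; a physical rule check (e.g. set-point
# deviation) that leans towards attack but allows for a benign cause.
IDS_ALERT: Mass = {ATTACK: 0.6, THETA: 0.4}
RULE_VIOLATION: Mass = {ATTACK: 0.5, NORMAL: 0.1, THETA: 0.4}
# A third source contradicting the first two, e.g. a maintenance log saying
# the deviation was a scheduled test.
MAINTENANCE_LOG: Mass = {NORMAL: 0.7, THETA: 0.3}


def assess(*sources: Mass, act_threshold: float = 0.7) -> Dict[str, object]:
    """Fold all sources together and decide whether Bel(attack) is high
    enough to trigger an automatic adaptation of the PV controller."""
    m, k_max = sources[0], 0.0
    for s in sources[1:]:
        m, k = combine(m, s)
        k_max = max(k_max, k)  # large K means the sources disagree
    return {
        "bel_attack": belief(m, ATTACK),
        "pl_attack": plausibility(m, ATTACK),
        "max_conflict": k_max,
        "adapt": belief(m, ATTACK) >= act_threshold,
    }


if __name__ == "__main__":
    print("IDS + rule check:", assess(IDS_ALERT, RULE_VIOLATION))
    print("+ maintenance log:", assess(IDS_ALERT, RULE_VIOLATION, MAINTENANCE_LOG))
```

Two agreeing sources lift Bel(attack) from 0.6 to about 0.79 with little conflict, enough to adapt; adding the contradicting log drops belief to about 0.53 and raises the conflict term to 0.55. Reporting K alongside the belief is the useful part for an operator: a low belief with high conflict means the sources disagree and someone should look, whereas a low belief with low conflict means the evidence simply points at a benign cause.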

Page 14: Conclusion

• Smart grid stakeholders face new Advanced Persistent Cyber-Physical Threats
• These threats are likely to become more prevalent and sophisticated:
  – Energy systems become more open
  – Barrier to entry is reduced; attacker tools become commoditized
  – Potential financial gains for cybercriminals – ransomware for systems, not data
• Enabling situational awareness and resilience is critical
• A well-defined and rehearsed incident response plan is a must
• IT and OT integration is necessary to prepare for these emerging threats

Page 15: Symposium on Innovative Smart Grid Cybersecurity Solutions

Presentations on: risk assessment, situational awareness, privacy issues, smart grid resilience, …
Live demonstrations
13th – 14th March, 2017 in Vienna

Page 16: AIT Austrian Institute of Technology – your ingenious partner

Dr Paul Smith, Senior Scientist, Digital Safety & Security Department
paul.smith@ait.ac.at | +43 664 883 90031 | www.ait.ac.at/it-security