SWaT:AWaterTreatmentTestbedforResearchandTrainingonICSSecurity

NilsTippenhauer AdityaPMathur

April11,2016

CySWater2016 Vienna

iTrust CenterforResearchinCyberSecurity SingaporeUniversityofTechnologyandDesign Singapore

ProjectsCYPROandASPIRE:LongTermGoal

DesignrobustmechanismsfordefendingCyberPhysicalSystems.

2

FocusAreas

WatertreatmentanddistribuQonsystems

3

ElectricpowergeneraQon,transmission

anddistribuQonsystems Thistalk

Robotsandrobotswarms

Testbeds

Testbeds

4

TestbedsforResearchSupport

§  WaterdistribuQon[OperaQonalbyApril15,2016]

5

§  ElectricpowergeneraQon,transmissionanddistribuQon[OperaQonalbyendof2016]

§  Watertreatment[OperaQonal]

§  IoT[OperaQonalbyJune2016]

Researchfocus

§  CreaQonofaZackerandaZackmodelsforCPS

6

§  UnderstandingtheimpactofaZacks

§  DesignofrobustdetecQonmechanisms

§  DesignofulQmatedefensemechanisms

CollaboraQonwithMITandImperial

SWaT

7

https://www.youtube.com/watch?v=2r1ctjULCnI&feature=youtu.be

SWaT:SecureWaterTreatmentTestbed

8

Raw WaterTank Pump

UF FeedPump

HCL NaOCl NaCl

StaticMixer

P1P2

UF FeedTank

UltrafiltrationUnit (UF)

RO FeedTank

RO FeedPump

Ultraviolet (UV)Dechlorinator

CartridgeFilter

RO BoostPump

Reverse Osmosis (RO)Unit

Raw PermeateTank

UF backwashTank

P3

UF backwashPumpR

P Waterrecycled

NaHSO3 P4

P5P6

P: Permeate R: Reject

Chemical dosing station

Chemical tanks and dosing pumps

P101P201

P301

P205P203

P401

P501P602

LIT101

LIT301

LIT401

FIT201, AIT201x

FIT401x

AIT202, AIT 203x

DPIT301

x x

AIT402 x

AIT503x

AIT504x

SWaT:CommunicaQons

9

AZacks

10

AZack:Reconnaissance

11

§  AccesstolocalplantcommunicaQonnetwork

§  WiresharkandZenmapused

§  Mappedlocalnetworkingsetup;determinedavailableservices.

§  AnonymousFTPloginenabledthediscoveryofhidden

§  filesthatappeartocontainthecompleteHMIconfiguraQon

§  Sensorandactuatorcommandscaptured

AZack:Compromisethroughwirelessnetwork

12

§  AZackerinphysicalproximity(withinWiFirange)

§  Accesspoint:MOXAAWK-5222-EU;WPA2securityschemewithpre-sharedkeys.

§  Performbrute-forceaZackoreviltwinaZack.

§  WebinterfaceforPLCconfiguraQonhadadefaultpasswordusingwhichWiFipasswordcanbeobtainedquickly.

§  Sensorandactuatorcommandscaptured

AZack:CompromisethroughDirectPhysicalAccess

13

§  AZackerhasdirectphysicalaccess

§  Re-wiringthenetworkpossible

§  SDcardslotscanbeusedtoupdatecontrollogic

§  Sensorandactuatorcommandscaptured

Impactanalysis

14

SinglePointAZacks

15

Impact:Componentsaffected

16

Q:HowdoesanaZackonasinglecomponentaffecttheremainingcomponents?

PrioriQzesecurityefforts.

FlowratereducQon

17

Q:HowdoestheflowratechangewhenLIT401isaZacked?

OverflowifaZacknotdetected

DetecQonanddefense

18

§  ReconfiguraQoncontrolfordefenseuponaZackdetecQonisunderdesign.

§  DetecQonmechanismsforSSSPandSSMPaZackshavebeendevelopedandtestedtobefoundeffecQve.

§  DetecQonmechanismsforMSSPandMSMPaZacksisunderdesign.

Summary

19

§  AZackermodelenablesaclearspecificaQonofthespaceofcyberand

physicalaZacksfeasibleonaCPS.

§  AZackspaceispotenQallyinfinite,anaZackermodelallowslimiQngthe

aZackspace,byconstrainingtoafinitenumberofpoints.

§  LimiQngtheaZackspaceallowsadesignerofdefensemechanismstofocus

onfinitedomainsforaZackdesign.

§  RealisQctestbedsallowextensiveexperimentaQonwithrealisQcaZacks

andthedesignofeffecQvedetecQonanddefensemechanisms.

QuesQons?

20