SWaT: A Water Treatment Testbed for Research and Training on ICS Security
Nils Tippenhauer, Aditya P Mathur
April 11, 2016
CySWater 2016, Vienna
iTrust Center for Research in Cyber Security, Singapore University of Technology and Design, Singapore
Focus Areas
Water treatment and distribution systems
Electric power generation, transmission and distribution systems
This talk
Robots and robot swarms
Testbeds
Testbeds for Research Support
§ Water distribution [Operational by April 15, 2016]
§ Electric power generation, transmission and distribution [Operational by end of 2016]
§ Water treatment [Operational]
§ IoT [Operational by June 2016]
Research focus
§ Creation of attacker and attack models for CPS
§ Understanding the impact of attacks
§ Design of robust detection mechanisms
§ Design of ultimate defense mechanisms
Collaboration with MIT and Imperial
SWaT: Secure Water Treatment Testbed
[Figure: SWaT process diagram, stages P1 to P6. Labelled components: raw water tank and pump; HCl, NaOCl and NaCl dosing; static mixer; UF feed tank; UF feed pump; ultrafiltration (UF) unit; UF backwash tank and pump; RO feed tank; RO feed pump; NaHSO3 dosing; ultraviolet (UV) dechlorinator; cartridge filter; RO boost pump; reverse osmosis (RO) unit; raw permeate tank; water recycled. P: Permeate, R: Reject.]
[Figures: chemical dosing station; chemical tanks and dosing pumps.]
[Figure: plant diagram with labelled pumps P101, P201, P203, P205, P301, P401, P501, P602 and sensors LIT101, LIT301, LIT401, FIT201, FIT401, AIT201, AIT202, AIT203, AIT402, AIT503, AIT504, DPIT301; several points are marked with an x.]
Attack: Reconnaissance
§ Access to local plant communication network
§ Wireshark and Zenmap used
§ Mapped local networking setup; determined available services.
§ Anonymous FTP login enabled the discovery of hidden files that appear to contain the complete HMI configuration
§ Sensor and actuator commands captured
Attack: Compromise through wireless network
§ Attacker in physical proximity (within WiFi range)
§ Access point: MOXA AWK-5222-EU; WPA2 security scheme with pre-shared keys.
§ Perform brute-force attack or evil twin attack.
§ Web interface for PLC configuration had a default password, using which the WiFi password can be obtained quickly.
§ Sensor and actuator commands captured
Attack: Compromise through Direct Physical Access
§ Attacker has direct physical access
§ Re-wiring the network possible
§ SD card slots can be used to update control logic
§ Sensor and actuator commands captured
Impact: Components affected
Q: How does an attack on a single component affect the remaining components?
Prioritize security efforts.
Detection and defense
§ Reconfiguration control for defense upon attack detection is under design.
§ Detection mechanisms for SSSP and SSMP attacks have been developed, tested, and found effective.
§ Detection mechanisms for MSSP and MSMP attacks are under design.
Summary
§ An attacker model enables a clear specification of the space of cyber and physical attacks feasible on a CPS.
§ The attack space is potentially infinite; an attacker model allows limiting the attack space by constraining it to a finite number of points.
§ Limiting the attack space allows a designer of defense mechanisms to focus on finite domains for attack design.
§ Realistic testbeds allow extensive experimentation with realistic attacks and the design of effective detection and defense mechanisms.