
Post on 23-Feb-2020


Security and Protection of SCADA: A Bigdata Algorithmic Approach

R K Shyamasundar

Tata Institute of Fundamental Research, Mumbai, India

shyam@tifr.res.in

ACM SIN 2013, Aksaray, Turkey, Plenary Invited Talk

Agenda
•  SCADA Overview
   –  Attacks, Characteristics
•  Learning from STUXNET
•  Challenges of SCADA Security
•  Existing Approaches
•  Big Data Approach
   –  Algorithmic Methodology
   –  Scalability
•  Conclusions

SCADA (Supervisory Control And Data Acquisition): Risks
•  Control systems
   –  Now at a higher risk of computer attacks because their vulnerabilities are increasingly becoming exposed and available to an ever-growing set of motivated and highly-skilled attackers
•  Miscreants tailor their attacks with the aim of damaging the physical systems under control
•  Essentially a cyberwar

Some SCADA Attacks
•  March 1997: Worcester Air Traffic Communications Attack
•  January 2000: Maroochy Shire Sewage Spill
•  2000 and 1982: Gas Pipelines in Russia (and the former Soviet Union)

Leading to Cyber Wars

Cyber War
•  Cyberwarfare has been defined by government security expert Richard A. Clarke, in his book Cyber War (May 2010), as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption"
•  All "big" nations are currently preparing for Cyber War
   –  Cyber Defense Centers established in all these nations within their military structure & NATO
   –  Cyber Defense Centre of Excellence in Estonia
   –  Cyber Defense part of new NATO Strategy (Article 5 excluded)
   –  Military and government networks are currently being hardened against attacks
   –  All nations and, to an unbelievably large scale, China are training offensive cyber war personnel and are preparing for offensive and defensive cyber war
•  Information Superiority: the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same (US Army Vision 2010)

Some Cyber Wars
•  Titan Rain was the U.S. government's designation given to a series of coordinated attacks on American computer systems since 2003
•  Estonia 2007: "Cyberattacks on Estonia" refers to a series of cyber attacks that began April 27, 2007 and swamped websites of Estonian organizations, including the Estonian parliament, banks, ministries, newspapers and broadcasters
•  Israel attack on Syria: During the night, an Israeli transport helicopter entered Syrian airspace and dropped a team of Shaldag Unit commandos into the area. The commandos took up positions close to the nuclear site. Israeli Air Force F-15I Ra'am fighter jets armed with laser-guided bombs, escorted by F-16I Sufa fighter jets and an ELINT aircraft, took off from Hatzerim Airbase. The ELINT aircraft successfully obscured the attacking aircraft from detection by Syrian radars.

Cyber Terrorism vs Cyber Crime vs Cyberwar

STUXNET
•  Stuxnet is a Windows computer worm discovered in July 2010 that targets industrial software and equipment
•  It is the first discovered malware that spies on and subverts industrial systems
•  Kaspersky Labs concluded that the sophisticated attack could only have been conducted "with nation-state support"
•  Stuxnet attacked Windows systems using an unprecedented four zero-day attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker worm)

Stuxnet
•  Astonished by the complexity of the program and the quantity of zero-day exploits used in this worm.
   –  Zero-day exploits are those that have no workaround or patch.
•  Another unique aspect of Stuxnet is that it contained components that were digitally signed with stolen certificates.
•  A rootkit was found for the programmable logic controller (PLC) which allows the manipulation of sensitive equipment.
•  Expected to have been created by a team of as many as 30 individuals. – STATE SUPPORT
•  Indicates a level of organization and funding that probably has not been seen before
•  What was Stuxnet designed to do?
   –  While there is no direct evidence, the code suggests that Stuxnet looks for a setup that is used in processing facilities that handle uranium used in nuclear devices
   –  Thus the ultimate goal is to sabotage that facility by reprogramming the controllers to operate

What should be the strategy to deal with these kinds of attacks?
•  Should it go along the lines of IT security?
•  How about defense-in-depth mechanisms analogous to anomaly detection?
•  What about false alarms in anomaly detection?
•  Should the focus be on physical systems rather than software/network models?

Control Systems Security
•  Control systems are not suitable for patching and frequent updates
•  While current tools from information security can give necessary mechanisms for securing control systems, these alone are not sufficient for defense-in-depth of control systems
•  When attackers bypass even basic defenses they may succeed in damaging the physical world

Security Issues (1): IT Systems vs Control Systems (SCADA)

Security Feature | IT Systems | SCADA
Antivirus and Mobile Code | Very common; deployed and updated easily | By design not open for software updates
Patch Management | Automated remote patch management possible. However, one needs care from malware perspective | Not designed for it. May impact performance and also security
Cyber Security Testing & Audit Methods | Standard methods like Metasploit framework can be used | Testing has to be tuned for an online system. May impact plant operation
Change Management (CM) | Classical approach feasible | Strategic scheduling; non-trivial process, impact analysis is important

Security Issues (2): IT Systems vs Control Systems (SCADA)

Security Feature | IT Systems | SCADA
Incident Response & Forensics | Well established procedure | Difficult to capture, as event logs pose problems due to constraints like memory etc.
Physical Security | Normally poor | Normally excellent
Secure System Development | Normal practice for security sensitive IT applications | Need of the hour for in-house and outsourced development
Security Compliance | Lifetime 2-3 years | Lifetime 5-20 years

Consequences of an Attack

Risk Assessment
–  While studies exist on cyber security of SCADA, there are very few studies to identify the attack strategy of an adversary once it gains access (existing studies pertain to data injection for power grids, electricity markets etc.)
–  Need to understand the threat model to design appropriate defenses and take measures to secure the most critical sensors and actuators

New Attack Detection Patterns
•  Dynamic system models for specifying Intrusion Detection Systems
   –  Current studies pertain to false data injection attacks in control systems
•  Replay and Stealth Attacks

Attack Resilient Algorithms and Architectures
•  Design to withstand cyber assault
•  Reconfigure and adapt control systems when under attack

Control Systems Security: Summary
•  Understand the consequences of attacks
   –  Do a thorough risk analysis
•  Find attack patterns
   –  Design detections
•  Design new attack-resilient algorithms and architectures
•  Automatic response measures

Multi Disciplinary: Control Engineers + CS + Domain of Application …

Risk Management
•  Process of shifting the odds in your favor by finding, among all possible alternatives, the one that minimizes the impact of uncertain events
•  Process Control Systems usually will have a network of sensors
   –  Examples of impact of attack on sensor network on the process control system

Vulnerabilities Due to Embedded IT Systems
•  Need to keep in mind the economic constraints on the cost of SCADA (for instance, in smart grids it is important to keep the cost of the meters viable for the society).
•  The knowledge of the underlying systems is almost freely available.
•  As analyzing Big data has become manageable, privacy intrusions have become common, which in turn has led to several security problems.

SCADA Domain Vulnerabilities
•  SCADA Design:
   –  stability, safety of plant & env., + performance
   –  Not designed for intruders/attackers
   –  In the context of the Internet, intruders can induce attacks that would not have been considered by the designer
   –  Thus, the major challenge for SCADA security lies in arriving at methods of control of the plant that shall overcome such plausible attacks and maintain the stability and the trustworthiness of the system – thus, making the system robust.

Approaches for securing SCADA

Intrusion Detection
•  Misuse detection
   –  Based on signatures of known attacks
•  Anomaly detection
   –  Based on learning profiles of normal behaviour
•  Could detect unknown attacks but suffers from high false alarm rates
•  Specification-based detection
   –  Manually developing a specification of legitimate behaviour, and hence has lower false alarm rates
   –  But ability to detect new attacks is also less.

Process Aware Intrusion

Mirage Theory for Deception-Based Detection
•  Military Deception (MILDEC): those actions executed to deliberately mislead adversary decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions or inactions that will contribute to the accomplishment of the friendly mission.
•  Relies on DISPLAYs: simulation, disguising, and/or portrayal of friendly objects, units, or capabilities that may not exist but are made to appear so.
•  E.g. (physical means): dummy and decoy equipment and devices, tactical actions, movement of military forces, etc.
•  E.g. (technical means): emission of chemical or biological odors, emission of radiation, reflection of energy, computers, etc.
•  E.g. (administrative means): techniques to convey or deny physical evidence.

Mirage Theory Applications: Ideas
•  Basis: leverage of the boundary between continuous and discrete spaces, leverage of how the presence of a continuous space is redirected on a corresponding discrete space, and simulation or emulation of physical processes and physical equipment.
•  A computer network attack provides an adversary with access that may extend to a whole discrete space.
•  Nevertheless, due to physical limits there are no feasible ways for an adversary to gain visibility over a continuous space through a computer network attack.
•  In other words, a computer network attack won't enable an adversary to virtually move beyond the analog-to-digital and digital-to-analog conversion integrated circuits.
•  Consequently an adversary cannot verify whether input electrical signals are indeed applied by existing sensing devices, nor can he/she verify whether output electrical signals indeed reach an existing actuating device.

Securing SCADA
•  Make the system secure with respect to IT. This could be done through the classical hardening approaches developed for IT security along with appropriate authentication and encryption as required.
•  Ensure that the system also works in the safe zone as projected by the control system/plant designers.

Monitoring Control Systems
•  Most of the approaches may be classified under:
   –  Developing models from first principles using the laws of physics,
   –  Empirical behavior using simulation tools, and
   –  A hybrid of the above
•  While safety critical systems demand accurate models, it is not always feasible due to the underlying complexity and economics.
•  Usually, the behavioural model is constructed in the industry using several tools like identification packages that enable the development of physical systems using training data.

Fault Detection and Diagnosis

Problems
•  Generation of residuals that are close to zero under no-fault condition, minimally sensitive to noises and disturbances, and maximally sensitive to faults
•  Evaluation of residuals corresponds to decision rules with respect to the handling of residuals.

Deriving Statistics in Data
•  Assess level of significance of discrepancies with respect to uncertainties & reflect as to whether the parameter perturbation is significant or not.
•  Parameter estimation provides us with relative sizes of estimation errors with respect to noises on the system measurements.

Solving Detection Problems
•  Model validation: Given a reference point of the parameter and a new data sample, the problem is to decide whether the new data are still well described by this parameter value or not; this could be done by a sliding window of fixed size.
•  On-line change detection: Given a data sample and an instant t, the problem is to decide whether the parameter has deviated from the given reference point and, if so, classify into the required categories.
•  Off-line change detection: Given a data sample consisting of N samples, the problem is to decide whether at some instant, t, the given parameter has drifted to some other value that needs attention.

Some Tools Used
•  Instance Control Charts: Control charts essentially present a graphic display of process stability or instability over time.
•  A control chart is a statistical tool to distinguish between variation in a process resulting from common causes & variation due to special causes.
•  The control chart differentiates between two types of variation:
   –  Special Cause Variation: variations due to causes which are not normally present
   –  Common Cause Variation: the result of numerous ever-present differences in the process.

Monitoring and Protecting SCADA
a.  Malware attacks of the computing elements
   –  to be handled primarily from the IT defense perspective.
b.  New possible attacks on the plant arising from the malware attack on its control system.
   –  Is it possible to handle so that SCADA will always be in the SAFETY Zone and also be indicative of a possible attack

[Figure: Plant, Network of sensors, Dist Control]

Challenge: New Scenario of Attacks
•  Sensor Measurement: Y(k) = {y_1(k), ..., y_p(k)}
   –  y_i(k) denotes the measurement by sensor i at time k.
   –  ∀k, y_i(k) ∈ [y_min, y_max] in the DOM(Y)
•  Each sensor has a unique crypto identity key
•  Z_i(k): signals received by the process controller (value in domain, else gets detected).
   –  Z_i(k) = a_i(k) if in attack slot
   –  Z_i(k) = y_i(k) otherwise
•  Integrity Check: If attackers have compromised a sensor they can inject any value a_i(k) – an arbitrary value in the domain
•  Replay and Stealth Attacks
•  DOS Attack
   –  Notices lack of measurements
   –  A solution is to use the last value

SCADA Design: Change Detection Basis for Safety
•  Hypothesis:
   –  We have the statistics of its good performance recorded over time to classify as normal operation and possible abnormal behavior.
   –  Note that it must be kept in mind that the control system is a continuous system rather than a discrete one.
•  Under abnormal operations, assume
   –  plant will be operated under safe parameters
   –  declaring it as an alarming zone for further action.
•  In other words, in the data of the d-dimensional space, with respect to a reference point of operation,
   –  we have a set of vectors that reflects possible variations that would still keep the system in a stable/safe state; falling outside would mean possible unsafe operation

Question
•  Assuming we have captured the behaviour of the system, is it possible to design a control system such that:
•  It follows the control law design and
•  Detects Black Swan events – large impact, hard to predict, rare events – difficult to predict, lying beyond the realm of normal expectations, and
•  Guarantees that it will always operate in a safe domain, sounding an alarm whenever it finds the behaviour is not as expected around the reference anchor points

Challenge and Solution
•  Lies in providing a scalable solution
•  Solution Basis:
   –  Reducing the problem to the problem of monitoring a distributed set of streams through queries


What is the intuition?


Anomaly Detecting Controller

Safety of the System
•  U(t): plant input at t & X'(t): output of plant & X(t): denote the same measured through the sensors at time t.
•  Now, the input U(t+1) at time t+1 is determined by the controller, which finds whether there is an anomaly at this point using the possible perturbations, assuming a stable operation at time t with input U(t), through the Change-Detect-Estimator (CDE).
•  If {Y_1, …, Y_m} is the set of vectors taking into account the possible perturbations corresponding to input U(t), output X'(t) as detected by the sensors.
   –  Note that Y_1, …, Y_m essentially denote possible perturbations with respect to input and output of the plant as reflected in its behaviour.
•  Then X(t) will be said to be safe if X(t) is in the convex hull of {Y_1, …, Y_m}.

Question
•  Can we compute convex hull in a scalable manner?
•  Yes
•  Izchak Sharfman and Assaf Schuster, A Geometric Approach to Monitoring Threshold Functions over Distributed Streams, ACM TODS, Vol 32, Nov. 2007, pp. 23:1-23:29.


Geometric Method


Cover of Convex Hull

Monochromatic Region
•  Monochromatic Region: For all x in region, f(x) is on the same side of the threshold (f(x) > τ or f(x) ≤ τ)
•  Each site independently checks its sphere is monochromatic
   –  Find max and min for f() in local sphere region (may be costly)
•  Send updated value of v_i if not monochrome
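
An added sketch of the local check described above (not code from the talk or the cited paper): each site tests whether f stays on one side of τ over its own ball and reports only if it does not. It assumes the ball construction of the cited Sharfman and Schuster paper (diameter running from the shared estimate e to the site's drift vector) and a linear f so that max and min have a closed form; the weights, threshold and site vectors are constructed.

```python
import math

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def estimate(last_sent):
    """Shared estimate e: average of the vectors the sites last reported."""
    n = len(last_sent)
    return tuple(sum(col) / n for col in zip(*last_sent))

def drift_vector(e, v_sent, v_now):
    """u_i = e + (v_i now - v_i last sent): the estimate shifted by local change."""
    return tuple(ei + (now - sent) for ei, sent, now in zip(e, v_sent, v_now))

def local_ball(e, u):
    """Ball with the segment from e to u as its diameter (assumed construction)."""
    centre = tuple((a + b) / 2 for a, b in zip(e, u))
    return centre, math.dist(e, u) / 2

def f_range_on_ball(w, centre, radius):
    """Min and max of linear f(x) = w.x over a ball: f(centre) -/+ radius*|w|."""
    mid, spread = dot(w, centre), radius * math.hypot(*w)
    return mid - spread, mid + spread

def is_monochromatic(w, tau, e, u):
    """True if f stays on one side of tau (f > tau or f <= tau) over the ball."""
    lo, hi = f_range_on_ball(w, *local_ball(e, u))
    return hi <= tau or lo > tau

def sites_to_report(w, tau, last_sent, current):
    """Indices of sites whose ball crosses the threshold and must send v_i."""
    e = estimate(last_sent)
    return [i for i, (sent, now) in enumerate(zip(last_sent, current))
            if not is_monochromatic(w, tau, e, drift_vector(e, sent, now))]

# Constructed sample: three sites, 2-D local vectors, f(x) = x0 + x1, tau = 10.
W, TAU = (1.0, 1.0), 10.0
LAST_SENT = [(4.0, 4.0), (3.0, 5.0), (5.0, 3.0)]   # e = (4, 4), f(e) = 8
CURRENT = [(5.0, 4.0), (3.0, 5.0), (7.0, 4.0)]     # site 2 drifted the most

if __name__ == "__main__":
    print("sites that must report:", sites_to_report(W, TAU, LAST_SENT, CURRENT))
```

Sites 0 and 1 stay silent because their balls lie wholly below τ; only site 2 communicates, which is where the communication saving of the method comes from.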


Restoring monotonicity


Overcoming Replay Attack
•  Replay attack:
   –  Attacker records a sequence of sensor measurements and replays the same at a later point of time, which could cause havoc to the system later on.
   –  Also one of the attacks used by Stuxnet.
•  Suppose the attack is at T corresponding to values read at t, T > t
•  It will be allowed only if the reference vector at T is within the known limits of that at t.
•  Hence safe
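
The safe-zone test from the Safety of the System slide, applied to the replay case above, as an added example that is not from the talk: a reading is accepted only if it lies in the convex hull of the current reference point shifted by the recorded perturbation vectors. It assumes a 2-D state for readability (the talk works in d dimensions); the function names, perturbation vectors and readings are constructed.

```python
def cross(o, a, b):
    """Z-component of (a - o) x (b - o); positive means a left turn."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def convex_hull(points):
    """Andrew's monotone chain; hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    def half(seq):
        chain = []
        for p in seq:
            while len(chain) >= 2 and cross(chain[-2], chain[-1], p) <= 0:
                chain.pop()
            chain.append(p)
        return chain[:-1]
    hull = half(pts) + half(reversed(pts))
    if len(hull) < 3:
        raise ValueError("perturbation vectors must span a 2-D region")
    return hull

def safe_zone(reference, perturbations):
    """Hull of reference + Y_j for every recorded perturbation vector Y_j."""
    return convex_hull([(reference[0] + dx, reference[1] + dy)
                        for dx, dy in perturbations])

def is_safe(reference, perturbations, x, eps=1e-9):
    """True if measurement x lies inside or on the safe zone around reference."""
    hull = safe_zone(reference, perturbations)
    return all(cross(hull[i], hull[(i + 1) % len(hull)], x) >= -eps
               for i in range(len(hull)))

# Constructed sample: 2-D state (tank level, flow); Y holds tolerated deviations.
Y = [(-2.0, -1.0), (2.0, -1.0), (2.0, 1.0), (-2.0, 1.0), (0.0, 2.0)]
REF_T_EARLY = (50.0, 10.0)   # reference point at time t, when the reading was taken
REF_T_LATE = (60.0, 12.0)    # reference point at time T, when it is replayed
RECORDED = (51.5, 10.5)      # genuine reading captured at time t

def replay_accepted(reference_now, reading):
    """A replayed reading passes only if it is safe for the current reference."""
    return is_safe(reference_now, Y, reading)

if __name__ == "__main__":
    print("genuine at t:", is_safe(REF_T_EARLY, Y, RECORDED))
    print("replayed at T:", replay_accepted(REF_T_LATE, RECORDED))
```

A replay that still falls inside the hull for the reference at T is accepted, but by construction it cannot move the plant outside the safe zone, which is the sense of "hence safe" on the slide.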

Overcoming Stealth Attacks Safe
•  Surge attack: here, the attacker wants to maximize the damage as soon as possible.
•  Bias attack: In this case, the attacker wants to attack over a period of time through incremental perturbations.
•  Geometric attack: here the adversary wants to drift slowly in the beginning and finally maximize the damage.
•  False positives -- Could be minimized based on sampling
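
The control-chart and sliding-window checks from the earlier detection slides, run over the three stealth attack shapes listed above, as an added example that is not from the talk. The 3-sigma limits, window size, sensor pattern and attack magnitudes are assumptions chosen so the run is deterministic.

```python
from statistics import fmean, pstdev

def fit_limits(baseline, window=5, k_sigma=3.0):
    """Derive control limits from attack-free data (common-cause variation)."""
    mu, sigma = fmean(baseline), pstdev(baseline)
    return {"mu": mu, "window": window,
            "point": k_sigma * sigma,                 # limit for one sample
            "mean": k_sigma * sigma / window ** 0.5}  # limit for a window mean

def first_alarm(stream, lim):
    """Index of the first sample at which either check fires, else None."""
    w = lim["window"]
    for k, z in enumerate(stream):
        if abs(z - lim["mu"]) > lim["point"]:         # special-cause single point
            return k
        if k + 1 >= w:
            win = stream[k + 1 - w:k + 1]
            if abs(fmean(win) - lim["mu"]) > lim["mean"]:  # slow drift of the mean
                return k
    return None

def normal(k):
    """Constructed attack-free sensor value: 20.0 with a repeating +/-0.2 ripple."""
    return 20.0 + 0.1 * ((k * 7) % 5 - 2)

def attacked(kind, n=40, start=10):
    """Constructed stream; from index `start` the reading is falsified."""
    out = []
    for k in range(n):
        y = normal(k)
        if k >= start:
            if kind == "surge":
                y += 3.0                              # maximum damage at once
            elif kind == "bias":
                y += 0.2                              # small constant offset
            elif kind == "geometric":
                y += 0.01 * 1.5 ** (k - start)        # slow start, fast finish
        out.append(y)
    return out

LIMITS = fit_limits([normal(k) for k in range(50)])

if __name__ == "__main__":
    for kind in ("none", "surge", "bias", "geometric"):
        print(kind, first_alarm(attacked(kind), LIMITS))
```

The surge trips the single-point limit immediately, while the bias stays under it and is caught only by the window mean; the geometric drift is seen last, which is the detection delay these stealth attacks aim for.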

Conclusions
•  Extremely useful in detecting Black Swan events
•  Scalable and overcomes false positives
•  Inductive Learning / Machine Learning

Conclusions
•  Tunable for generalizations like
   –  Same analysis of correctness holds when spheres are allowed to be ellipsoids
   –  Different reference vectors → to increase radius when close to threshold values
   –  Combining these observations allows additional cost savings
   –  More general theory of "Safe Zones" -- convex subsets of the admissible region

Conclusions
•  Approach in conjunction with IT security provides a safe operation.
•  As most SCADA vendors do not divulge details, the approach is promising.
•  Applicable for varieties of SCADA deployments including power grids, smart grids etc. (note that the data is quite often very sensitive)
•  Experimental work in progress.

The Distinguished Speakers Program is made possible by

For additional information, please visit http://dsp.acm.org/

About ACM

ACM, the Association for Computing Machinery, is the world's largest educational and scientific computing society, uniting educators, researchers and professionals to inspire dialogue, share resources and address the field's challenges.

ACM strengthens the computing profession's collective voice through strong leadership, promotion of the highest standards, and recognition of technical excellence.

ACM supports the professional growth of its members by providing opportunities for life-long learning, career development, and professional networking.

With over 100,000 members from over 100 countries, ACM works to advance computing as a science and a profession. www.acm.org