System Security
INSE 6640 – Hacking the Smart Grid (Part 2)
(Lecture 4)
Recap (1/2)
Recap (2/2)
Identify a Target
Identifying a target (1/2)
Identifying a target (2/2)
• WAN communications: if one of the potential targets is connected to the Internet, target identification becomes easier for the attacker
  • Every major cyber security standard or guidance document recommends that systems never be directly connected to a public network
  • Private or leased WANs are uncommon
  • Virtual Private Networks (VPNs) over shared/public WANs are often employed
  • A VPN provides appropriate transport layer security and access controls
• ICS devices: in an Industrial Control System (ICS) there are several potential targets
  • ICS devices are relatively easy to find and to hack
  • ICS components, in many industries, continue to be insufficiently protected from Internet access
Example
• A SCADA server, a Phasor Data Concentrator (PDC) or a recloser may be connected to an industrial Ethernet switch, segmented behind a router and protected by a firewall and an industrial Intrusion Prevention System (IPS)
• Nevertheless, some components also need long-range or even global wide area network connectivity in order to work
  • E.g. a PMU uses the C37.118 protocol, GPS-based network time protocols, satellite, radio, mesh wireless, and others
• Some devices (access servers) allow remote control so that technicians can obtain remote access to substations or field devices
  • Pro: remote access is easier/more convenient than sending technicians into the field
  • Con: an attacker can gain root or admin access remotely
NISTIR 7628: primary and secondary targets
(not a complete list)
Scanning Transmission and Distribution Infrastructure
Scanning T&D (1/2)
• Depending on the nature of the target, a Smart Grid can be scanned using
  • Standard scanning and enumeration techniques (with minor variations)
  • Scanning and enumeration techniques that are specific to SCADA and industrial control systems
• Example: T-SCADA and gateway servers are built with standard components and a standard Windows OS
  • They can be identified using Network Mapper (Nmap) tools (see next slide)
  • Enumerated via a vulnerability scan
  • Exploited using exploit frameworks, e.g. the Metasploit framework
Scanning Techniques (1/2)
• A famous general-purpose tool is Nmap
  • It can discover all endpoints on a TCP/IP network (network devices and hosts) using a ping sweep (pings over an IP range)
  • It also uses additional capabilities of the Internet Control Message Protocol (ICMP) to discover:
    • Network masks (information about subnets)
    • Open TCP and UDP ports (to identify the services usually running on specific ports)
• In industrial networks, network scanning works in a similar way
  • We can tell whether a subsystem is a SCADA or a process control device by looking for common ports:
    • E.g. port 20000 is used by DNP3; 102 by IEC 61850 messaging; 502 by Modbus
    • If port 2222 or 44818 is detected, then the system is using the Common Industrial Protocol (CIP) over EtherNet/IP
    • Data on port 102 can be assumed to be substation automation controls or messaging
    • Traffic on port 4713 can be assumed to be PMU measurements
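The same port table that lets an attacker fingerprint ICS devices lets a defender inventory them and spot the exposure the earlier slide warns about (ICS services reachable from outside the private WAN). The script below is an added example, not part of the lecture: it labels flow records by the ports listed on the slide and flags any ICS service that is reached from a non-RFC 1918 source address. The flow records are constructed; the 198.51.100.x and 203.0.113.x sources are documentation addresses standing in for Internet hosts.

```python
import ipaddress

# Well-known ICS ports named on the slide (destination port -> protocol label).
ICS_PORTS = {
    20000: "DNP3",
    102: "IEC 61850 / MMS",
    502: "Modbus/TCP",
    2222: "CIP over EtherNet/IP",
    44818: "CIP over EtherNet/IP",
    4713: "PMU (C37.118)",
}

# RFC 1918 ranges: a source outside these is treated as "not on our private WAN".
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records in a NetFlow-like text form (not captured from any
# real network): "src_ip src_port dst_ip dst_port proto".
SAMPLE_FLOWS = """\
10.1.10.5      51234  10.1.20.7   502    tcp
10.1.10.5      51235  10.1.20.8   20000  tcp
198.51.100.23  40001  10.1.20.7   502    tcp
10.1.30.2      55000  10.1.20.9   44818  tcp
10.1.30.2      55001  10.1.20.9   2222   udp
203.0.113.9    60000  10.1.20.12  102    tcp
10.1.40.1      50000  10.1.20.13  4713   tcp
10.1.10.5      51236  10.1.20.7   443    tcp
"""


def parse_flow(line):
    """Split one 'src sport dst dport proto' record into typed fields."""
    src, sport, dst, dport, proto = line.split()
    return {"src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def classify(flow):
    """Return the ICS protocol label implied by the destination port, or None."""
    return ICS_PORTS.get(flow["dport"])


def is_private(addr):
    """True if the address falls inside one of the RFC 1918 ranges."""
    return any(addr in net for net in RFC1918)


def find_exposed_ics(flows_text):
    """Build an inventory of ICS services per device and flag ICS services that
    are reached from non-RFC 1918 (i.e. likely Internet) sources.

    Returns (inventory, alerts): inventory maps device IP -> set of protocol
    labels; alerts is a list of (src, dst, dport, label) tuples."""
    inventory, alerts = {}, []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label is None:          # not an ICS port on the list (e.g. 443)
            continue
        inventory.setdefault(str(flow["dst"]), set()).add(label)
        if not is_private(flow["src"]):
            alerts.append((str(flow["src"]), str(flow["dst"]), flow["dport"], label))
    return inventory, alerts


if __name__ == "__main__":
    inv, alerts = find_exposed_ics(SAMPLE_FLOWS)
    for dev, protos in sorted(inv.items()):
        print(f"{dev}: {', '.join(sorted(protos))}")
    for src, dst, port, label in alerts:
        print(f"ALERT: {label} on {dst}:{port} reached from non-private {src}")
```

Port-based labelling is only a heuristic: a device can be configured to use any port, and the 2222/44818 pair on the slide is a reminder that one protocol can appear on several. In a real deployment the label should be confirmed by parsing the protocol itself, and an alert for a public source talking Modbus or IEC 61850 to a substation device should be treated as the "directly connected to a public network" condition that every standard on the earlier slide forbids.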
Scanning Techniques (2/2)
• Scanning on industrial networks is possible because most of the protocols in use are based on a client-server messaging model
  • Requests and acknowledgements are sent between devices
  • Information about clients is also transmitted:
    • Operating state
    • Values within their registers
  • E.g. a DNP3 sweep request can be performed in the same way as a ping sweep
    • The request solicits responses from active clients, identifying all of the DNP3 clients within the system
• Example: Stuxnet
  1. The Stuxnet payload established itself in the Siemens PCS7 system (the SCADA)
  2. Stuxnet enumerated the Profibus devices remotely via the S7 communications driver
  3. Malicious code was written to the PLC once the specific target device was identified
Enumeration: Automation Systems
• Substation automation systems are often exploited to enumerate a target
  • Industrial protocols expose detailed information about the connected devices, including vendor, object identifier, services and so on
  • If the vendor and ID are available, then
    • The exact device can be looked up
    • Device functions are often documented online
    • Some ICS devices may have known vulnerabilities (documented online)
• Note that protocol documentation is also available, because most of them are open protocols
• Sometimes vendors use custom protocols (e.g. the Siemens S7 protocol) to introduce a greater degree of obscurity
  • In this case enumeration is harder, but obscurity is not a solution to the problem
Vulnerabilities
• SCADA systems and industrial protocols are everywhere in the Smart Grid:
  • Transmission management systems
  • Distribution management systems
  • Substation automation
  • Energy management systems
  • Etc.
Device-specific vulnerabilities
• Example: in 2012 Project Basecamp (Digital Bond and a team of volunteer researchers) highlighted and demonstrated the fragility and insecurity of most SCADA and field devices such as PLCs and RTUs
• Project Basecamp discovered several device-specific vulnerabilities such as the following
• They also published exploits that can be used to target specific Smart Grid devices
• Many freely available Metasploit modules and dedicated scanning tools are available for security assessment; they also provide powerful tools to attackers
Leveraging known vulnerabilities
• Stuxnet exploited a zero-day vulnerability (i.e. one that was not publicly known at the time) to ensure successful delivery and execution of a malicious payload
• Besides Stuxnet, other attacks exploiting ICS vulnerabilities have been reported. Here is a list of affected brands (2012 list):
  • 3S, 7 Technologies, ABB, Advantech, AGG, Arbiter, ARC Informatique, AREVA, Atvise, Automated Solutions, AzeoTech, Beckhoff, Broadwin, Certec, Cisco, Cogent, COPA-DATA, Control Microsystems, Ecava, Emerson, Fultek, GarrettCom, General Electric, Honeywell, Intellicom, Iconics, Inductive Automation, InduSoft, Innominate, Invensys, IOServer, IRAI, Kessler-Ellis, Korenix, Koyo, Measuresoft, Microsys, Moxa, Ocean Data Systems, Open Automation Software, Optima, ORing, OSIsoft, PcVue, Pro-face, Progea, Real-Flex, Rockwell Automation, RuggedCom, SafeNet, Samsung, ScadaTEC, Schneider Electric, Schweitzer, Sielco Sistemi, Siemens, Sinapai, SpecView, Sunway, Technomatix, Tridium, Unitronics, VxWorks, Wago, WellinTech, Wonderware, and xArrow.
• Many vulnerabilities have been exploited either in a proof-of-concept environment or through the development of actual exploit code
Industrial Protocol vulnerabilities (1/2)
Industrial Protocol vulnerabilities (2/2)
• Fixing vulnerabilities in a protocol (e.g. Modbus) would require a coordinated multi-vendor industry effort
• Some organizations have tried to secure protocols:
  • OPC UA and OPC XI (secure implementations of OPC; OPC specifies the communication of real-time plant data between control devices from different manufacturers)
  • IEC 62351 (we have already seen it!)
• However, they faced the challenge of adoption!
  • In the grid there are a lot of legacy devices using legacy protocols
Inherent vulnerabilities in industrial protocols
• As mentioned, many industrial protocols are vulnerable by design:
  • They provide command and control functions
  • They lack any compensating measures (encryption or authentication)
• Project Basecamp discovered many vulnerabilities in the PLCs, but worse still are the “insecure by design” issues
• Several attack methods were disclosed for:
  • Forcing a system to stop: by sending a Common Industrial Protocol (CIP) command to the device, this attack effectively shuts off the CIP service and renders the device dead
  • Crashing the CPU: a malformed CIP request crashed the CPU
  • Resetting the device: a simple misuse of the CIP system reset function
  • Crashing the device: the attacker crashed the target device through a vulnerability in the device’s CIP stack
  • Flash update: CIP supports writing data to remote devices; this attack misuses that capability to write new firmware to the target device
Attack Tools
General Tools
• Many tools are available to test and resolve specific vulnerabilities or to perform in-depth security assessment tests. The same tools can be used by malicious agents
• General tools:
  • Tools for vulnerability and exploitability assessment of digital information systems: e.g. Nmap, Nessus, Nexpose, OpenVAS
  • Tools for penetration testing: e.g. Metasploit, Immunity’s Canvas framework, Gleg Ltd’s Agora SCADA+ Pack for Canvas
    • Metasploit: tools for scanning and enumerating the systems used by Transmission, Generation and Distribution SCADA
    • Immunity’s Canvas framework: it includes SCADA exploits
Specific Tools: e.g. Smart Meter Tools
• Tools to hack smart meters through optical interfaces
  • Well-known tools: Termineter, OptiGuard
  • Termineter: open source
  • OptiGuard: used in the industry to deploy more secure metering in today’s Smart Grid
• Both tools exploit the C12.18 and C12.19 protocols used for the optical diagnostics interfaces on most smart meters
• Once a meter is accessed, almost any parameter can be read (a clear privacy issue)
  • Meter identity, manufacturer, operation mode, configuration and status, a variety of configuration and procedure commands, measurements and measurement parameters
• These tools require the operator to be very close to the smart meter
  • They cannot be used for large-scale cyber attacks (even though long-range transmitters and receivers are available)
Attack Methods
Attack Execution
• Once a smart grid target has been selected, how is the attack executed?
  • It depends on the vulnerability: it could be straightforward, or it may require some other steps
• If the attack involves critical systems like the substation gateway, then secondary attacks can be launched against other portions of the Grid
• In some cases, the information gathered can be used to launch blended cyber and physical attacks
  • E.g. by accessing the AMI, an attacker can target a house and determine whether someone is at home. If nobody is in the house, he/she can decide to break in
  • By remotely disconnecting a meter an attacker can bypass home security systems
Typical Attacks
Man-in-the-middle (MITM) attack
• A MITM attack is an attack where the attacker inserts himself between communicating devices and snoops on the traffic between them
• To perform a MITM attack, the attacker must be able to intercept traffic between the two target systems and inject new traffic
  • Easy if the connection lacks encryption and authentication mechanisms (this is typical in industrial protocol traffic!!)
  • Harder if encryption and authentication are used:
    • The attacker needs to listen for key exchanges and pass his key in place of the legitimate one
    • The difficulty for the attacker is to make the other two entities trust that he/she is the intended recipient
    • How hard a MITM attack is to perform depends on how strong the certificates are
    • Often self-signed certificates are used (very weak!!)
Replay Attacks (1/2)
Replay Attacks (2/2)
• Replay attacks are effective by virtue of the command and control nature of industrial process control systems
  • Commands exist to enable and disable security, alarms, and firmware and logic updates
• A replay attack can drop malicious logic/malware or manipulate variables/measurements
• If the goal is to sabotage a system, almost anything can be used to disrupt operations:
  • E.g. a simple replay attack that triggers a relay switch is enough to break most processes
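Both the MITM slide and the replay slides come down to the same missing ingredients: the receiving device cannot tell who produced a frame (no authentication) or whether it has seen it before (no freshness). The following is an added example, not code from the lecture or from any real protocol stack; it is a simplified model of the two checks a hardened command channel needs (a message authentication code over the command and a strictly increasing sequence number), the same two ideas that secure-protocol work such as IEC 62351 builds on. The shared session key, the command strings and the frame layout (4-byte sequence, payload, 32-byte HMAC-SHA256 tag) are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length


class AuthenticatedSender:
    """Wraps each command with a monotonically increasing sequence number and an
    HMAC over (sequence || payload), computed with a shared session key."""

    def __init__(self, key):
        self.key = key
        self.seq = 0

    def send(self, payload):
        self.seq += 1
        header = struct.pack(">I", self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class AuthenticatedReceiver:
    """Accepts a command only if the MAC verifies AND the sequence number is
    strictly greater than the last accepted one (freshness check)."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.accepted = []

    def receive(self, msg):
        if len(msg) < 4 + TAG_LEN:
            return "rejected: malformed"
        header, payload, tag = msg[:4], msg[4:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # forged, tampered or injected
            return "rejected: bad MAC"
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:                       # already seen: a replay
            return "rejected: replay"
        self.last_seq = seq
        self.accepted.append(payload)
        return "accepted"


class PlainReceiver:
    """Models an industrial protocol with no authentication: every frame is acted upon."""

    def __init__(self):
        self.accepted = []

    def receive(self, msg):
        self.accepted.append(msg)
        return "accepted"


def demo():
    """Feed the same four frames to both receivers and return what each did."""
    key = b"constructed-demo-session-key"   # assumption: agreed out of band
    sender = AuthenticatedSender(key)
    auth_rx, plain_rx = AuthenticatedReceiver(key), PlainReceiver()

    genuine = sender.send(b"TRIP RELAY 7")          # legitimate frame, seq 1
    tampered = bytearray(genuine)
    tampered[4 + 5] ^= 0x01                          # flip one bit inside the payload
    injected = struct.pack(">I", 99) + b"CLOSE RELAY 7" + bytes(TAG_LEN)  # no key: zero tag

    frames = [genuine, genuine, bytes(tampered), injected]   # 2nd genuine = replay
    authenticated = [auth_rx.receive(f) for f in frames]
    unauthenticated = [plain_rx.receive(f) for f in frames]
    return authenticated, unauthenticated, auth_rx.accepted, plain_rx.accepted


if __name__ == "__main__":
    auth, plain, _, _ = demo()
    for label, outcome in zip(("genuine", "replayed", "tampered", "injected"), auth):
        print(f"authenticated receiver, {label}: {outcome}")
    print("plain receiver:", plain)
```

The plain receiver, which is the situation the MITM slide calls "easy", acts on all four frames; the authenticated one acts on exactly one. Two caveats matter in practice: the sequence counter must be bound to a session key that is fresh per session (otherwise a frame recorded from yesterday's session replays today), and a receiver on a lossy link normally accepts a small window of sequence numbers rather than requiring exactly the next one, while still never accepting one twice.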
Popping the HMI
• One of the easiest ways to obtain unauthorized command and control of a SCADA system is through the human-machine interface (HMI)
• Device vulnerabilities can be exploited to install remote access to the console
• With full access to the HMI there is no need to understand industrial protocols or control system operations
  • The HMI user interface can be used directly
Blended Attacks (1/4)
Blended Attacks (2/4)
• Example of a persistent, multi-stage attack against the smart grid
  1. A vendor technician downloads a firmware patch for a field device, but receives a counterfeit patch containing malware
  2. The technician arrives on site and passes background checks. His laptop passes a virus scan (since it is a zero-day, the malware is not detected)
  3. The patch drops a small payload into the project files of a substation automation controller, infecting the remote terminal unit (RTU) and field devices through the distribution system (exploiting the industrial protocols)
  4. At this stage the gateway, field devices and other systems are infected. Depending upon which environment the virus resides in, new modules become active and unused code is removed to avoid detection
  5. The damage can be done
    a) Reconnaissance, theft of private information, coordinated attacks designed to manipulate whole areas of the grid (all done while hiding the actions from both human operators and management applications)
Blended Attacks (3/4)
Blended Attacks (4/4)
Attacks against the Phasor Measurement Unit (1/2)
• Phasor measurement units have been introduced to provide a better understanding of the status of the power network
  • Therefore, their main purpose is to prevent outages
Attacks against the Phasor Measurement Unit (2/2)
Conclusions
Smart Grids and Control System Security
INSE 6640 – Privacy Concern with the Smart Grid (Part 1)
(Lecture 4)
Lecture Outline
Privacy risks associated with the Smart Grid
Privacy Concerns in Smart Grid
• The privacy concerns are mainly related to the collection and use of energy consumption data gathered from homes
• Consumer-specific energy usage data have enormous potential to enable utilities or other third-party service providers to help consumers significantly reduce energy consumption
• The data can disclose detailed information about the behavior and activities of a particular household
• Controls need to be implemented to ensure the data is collected, used and shared in line with privacy expectations
Privacy Concerns
• One of the biggest issues that needs to be resolved is the way third parties should be allowed access to consumer energy usage data
• Consumers need to have access to their usage data and should be allowed to make informed choices about allowing third-party access to their information
Personal Data
• What does “personal data” mean? (multiple definitions exist)
• Can a person be identified from the data, or from the data together with other information that could potentially be collected by a data controller?
Smart Grid and Privacy Risks
• Recap of some Smart Grid advantages:
  • The consumer can log in to his energy account and view how much energy he is using, based upon information reported from his smart meter
  • Smart devices can adjust energy consumption based upon user preferences and the price of energy (e.g. utilize off-peak prices)
  • The consumer can receive alerts when grid outages happen, via the preferred communication channel
  • The grid operator can accurately identify the source of a disruption, thus allowing rerouting and subsequently minimizing the time and impact of the disruption
Smart Meters and Privacy Risks
• Drawback: the price to pay for those advantages is the use of data, including personal data
• In the whole Smart Grid architecture a lot of information is generated, but the center of the privacy concerns is the Smart Meter
• Smart Meters: one of the objectives of smart meters is to collect the energy consumption of consumers
• Does it really matter if anybody knows how much energy you are consuming?
• Third parties can achieve a level of granularity that goes beyond simply on or off
  • E.g. they may be able to estimate the number of individuals at a given property
Privacy Protection and Third-Party Analytics (1/2)
• It is expected that the data will not be about the individual and therefore not covered by the protections of data protection legislation!
• What is likely to be sold (by the operator) to authorized third parties should be anonymized
• We make a very big assumption that a simple obfuscation of personal data fields is of sufficient quality
• The challenge we face today with the release of very large volumes of data is the issue of inference. This refers to the ability to derive data that has been sanitized by combining multiple data sources
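The "simple obfuscation of personal data fields" assumption fails because the sensitive information is in the shape of the time series, not in the name or address field. The example below is added here and is not from the lecture: it takes a constructed, pseudonymized hourly record (identifier replaced, no address) and shows that a one-line threshold rule still recovers the hours when nobody is home, which is the kind of inference the earlier slide describes. It then applies one mitigation, releasing only coarse bucket totals, and shows how much of that signal disappears. The consumption values, the standby-load threshold and the pseudonym are all assumptions made for the example; a real inference would be more sophisticated than a threshold, which only strengthens the point.

```python
# Constructed hourly consumption (kWh) for one household on one day. Nobody is
# home during working hours; the household is active 06:00-08:00 and 17:00-23:00.
HOURLY_KWH = [0.3, 0.3, 0.3, 0.3, 0.3, 0.4,   # 00-05: asleep, standby loads only
              1.2, 1.5, 0.3, 0.3, 0.2, 0.2,   # 06-07: breakfast; 08-11: away
              0.2, 0.2, 0.2, 0.2, 0.3, 1.4,   # 12-16: away; 17: back home
              1.8, 1.6, 1.3, 0.9, 0.5, 0.3]   # 18-23: evening, then bed

STANDBY_KWH = 0.4   # assumed per-hour standby load (fridge, router, ...)

# "Anonymized" release: customer name and address dropped, identifier replaced.
PSEUDONYMIZED_RECORD = {"meter_id": "anon-7f3a", "readings": HOURLY_KWH}


def infer_presence(readings, standby_per_slot):
    """Naive occupancy inference: any slot above the standby load -> someone active."""
    return [r > standby_per_slot for r in readings]


def absent_intervals(readings, standby_per_slot):
    """Collapse the presence vector into [start, end) slot ranges with no activity."""
    presence = infer_presence(readings, standby_per_slot)
    intervals, start = [], None
    for i, present in enumerate(presence):
        if not present and start is None:
            start = i
        elif present and start is not None:
            intervals.append((start, i))
            start = None
    if start is not None:
        intervals.append((start, len(presence)))
    return intervals


def coarsen(readings, slots_per_bucket):
    """Mitigation: aggregate consecutive slots so only bucket totals are released."""
    return [round(sum(readings[i:i + slots_per_bucket]), 3)
            for i in range(0, len(readings), slots_per_bucket)]


def inference_risk(record, bucket_hours):
    """Compare what the hourly data and a coarsened release reveal about absences.

    Returns (absences from hourly data, absences from coarsened data, coarsened data)."""
    hourly_absent = absent_intervals(record["readings"], STANDBY_KWH)
    coarse = coarsen(record["readings"], bucket_hours)
    coarse_absent = absent_intervals(coarse, STANDBY_KWH * bucket_hours)
    return hourly_absent, coarse_absent, coarse


if __name__ == "__main__":
    for hours in (1, 6, 24):
        hourly, coarse_abs, coarse = inference_risk(PSEUDONYMIZED_RECORD, hours)
        print(f"{hours:2d}-hour buckets: released {coarse} -> "
              f"inferred absences (in bucket units) {coarse_abs}")
```

With hourly data the record yields three absence windows, including the 08:00 to 17:00 gap that a burglar or a marketer would care about, even though no identifying field is present. Six-hour buckets keep only the night window (which is sleep, not absence, so the inference is now also wrong), and a daily total reveals nothing about occupancy. The trade-off is the one the next slide raises: the coarser the release, the less useful it is for the "good use" of per-household energy recommendations, so the release granularity is a policy decision, not a technical default.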
Privacy Protection and Third-Party Analytics (2/2)
• The field of analytics for the Smart Grid is anticipated to grow enormously
• In principle we cannot say whether this is bad or not. It depends on who has the information and how the information will be used!
  • Good use: customers can get recommendations on energy consumption that could save money
  • Bad use: a plethora of electronics manufacturers inundating consumers with details of their latest products, with detailed prior knowledge about the devices and their consumption within the home, without prior consent
• Operators gain financial benefits by selling data to third parties
Thank you!