cyber physical systems security

Cyber-Physical Systems Security Alvaro A. Cárdenas Department of - PowerPoint PPT Presentation



  1. Cyber-Physical Systems Security Alvaro A. Cárdenas Department of Computer Science University of Texas at Dallas

  2. Modernization of our Physical Infrastructures. Physical Systems are Being Modernized with New Technologies: Smart Infrastructures, Smart Buildings, HVAC, SCADA, Intelligent Transportation Systems, Smart Grid, Operations Center. Standards: Wireless HART (IEC), ISA SP 100.11a, IETF 6LoWPAN, ROLL, CoRE, Eman, LWIP, IRTF IoT, W3C EIX, IEEE 802.15.4 (g), 802.15.5, etc.

  3. Typical Example: Smart Grid
     [Figure: Bulk Generation (renewable and non-renewable), Transmission, Distribution and Customers, with smart meters, energy management systems, large-capacity batteries, renewable energy integration, smart appliances and plug-in vehicles]

  4. First Success Story of Sensor Networks
     • SCADA systems:
       – Improve monitoring
       – Situational awareness
     • Cost-effective solution

  5. Devices are becoming smarter,

  6. Cyber-Physical Systems
     • By embedding instrumentation in buildings, vehicles, factories, power grid, we are creating Cyber-Physical Systems (CPS):
       – Smart sensing + actuation
       – CPS systems are IT systems that interact with the physical world
     [Figure: control loop with Physical System, Sensors, RTUs, Data Processing, State Estimation, Control, Actuators]

  7. Cyber-physical systems
     • Control
     • Computation
     • Communication
     • Interdisciplinary Research!

  8. Why is Security Important Now? New Vulnerabilities & Threats
     • Controllers are computers (from Relays to MCUs)
       – Can be programmed to do anything!
     • Networked
       – Sensors and actuators can be accessed remotely
     • Commodity IT solutions
       – Well-known generic vulnerabilities are widely available
       – Some technologies are even insecure by design!
     • New functionalities
       – New vulnerabilities (e.g. privacy problems with fine-grained monitoring)
     • More devices (IoT)
       – Easier to find a vulnerable device
     • Highly skilled IT global workforce
       – Creating exploits (and using them) is now easier than ever!

  9. Vulnerabilities can be Exploited
     • 2000: Maroochy Shire sewage control system
     • 2011: HVAC
     • 2012: Smart Meters

  10. A German steel factory suffered massive damage after hackers managed to access production networks, allowing them to tamper with the controls of a blast furnace, the government said in its annual IT security report. Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant,” the BSI said, describing the technical skills of the attacker as “very advanced.”

  11. Stuxnet
     • First PLC trojan
     • Stolen certificates
     • False commands to centrifuges
     • False commands to supervisory network
     • Uranium enrichment in Natanz plant in Iran
     [Figure: Infection Mechanism]

  12. Intrusion Detection for IoT
     My Research: Intrusion Detection Systems (IDS) in IoT by monitoring the “physics” of cyber-physical systems
     • Example 1: Visual Challenges verify that video feed hasn’t been modified. If image captured by camera does not show our challenge we detect an attack
     • Example 2: IDS for SCADA systems. Deployment in two water treatment facilities
     • Example 3: IDS for AMI
     Second Place: ACM student research competition GHC 2015
     Best Paper Award IEEE Smart Grid Communications Conference 2014
     [Figure: verifier sending a visual challenge to a camera and checking the video feed; AMI meters, collector and substation; primary and secondary PLC, L0 Network, Remote IO (RIO), sensors, actuators and attacker; plots of water level (m) and residuals against time (sec), showing real water level, sensor measure, attack and alarm]

  13. Network Intrusion Detection

  14. Deep-Packet Inspection for Industrial Control Protocols: Scapy parser for Modbus

  15. Large Variety of Industrial Control Protocols: Few Parsers, Semantic Info, Closed
     • Modbus/TCP
     • DNP3
     • BACnet
     • EtherNet/IP
     • EtherCAT
     • WirelessHART
     • Profinet
     • S7
     • ISA 100
     [Figure: network architecture with SCADA, Historian and HMIs on a switch; L1 Network connecting paired PLCs (PLC1a/PLC1b, PLC2a/PLC2b, ..., PLCna/PLCnb) for Process 1 to Process n; each process with its own L0 Network, Remote IO (RIO), sensors and actuators]

  16. We Need to Monitor Field Networks
     It is easier to deploy monitors in the Supervisory Network:
       – highly structured info (easier to understand)
       – mirror ports
     BUT a compromised PLC can send malicious data to the field and report that everything is normal to the supervisory network
     [Figure: Supervisory Network (SCADA, Historian, HMIs, switch), Control Network (PLC1, PLC2, PLC3 for Raw Water, Pre-treatment and Ultra Filtration) and Field Comms. (level sensors, inFlow sensor, pH sensor, HCl pump, pumps, valve)]

  17. Developing Monitors at the Field Level (SWaT Testbed in SUTD)
     [Figure: network architecture with SCADA, Historian and HMIs on a switch; L1 Network connecting paired PLCs (PLC1a/PLC1b, PLC2a/PLC2b, ..., PLCna/PLCnb) for Process 1 to Process n; each process with its own L0 Network, Remote IO (RIO), sensors and actuators]
     D. Urbina, J. Giraldo, N. Tippenhauer, and A. Cardenas. Attacking Fieldbus Communications in ICS: Applications to the SWaT Testbed. Proceedings of Singapore Cyber Security Conference (SG-CRC), 2016.

  18. We Need to Monitor the Physics of The System
     • Protocol specification/patterns correct but false info
     • Physical systems follow immutable laws of nature
     • Fluid dynamics (water systems) or Electrodynamics (power grid) used to create time-series models
     • These models can be used to check
       – If control commands were executed correctly
       – Sensor values are consistent with expected behavior

  19. LDS Model for Raw Water Tank
     $$\frac{dV_i}{dt} = A_i \frac{dh_i}{dt} = Q_{i,\mathrm{in}} - Q_{i,\mathrm{out}}$$
     $$h_{k+1} = h_k + \frac{Q_{i,k} - Q_{o,k}}{A}$$

  20. Implementing the Attack and the Defense
     [Figure: primary and secondary PLC, L0 Network, Remote IO (RIO), sensors and actuators, with Attacker and Detection blocks; signals labelled $h_i(k)$, $h_i^a(k)$, $u_i^{nom}(k)$, $u_i^a(k)$]

  21. Problem: We Can Always Create Attacks That Are Detected

  22. Undetected Attacks to Water Testbed
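
An added example (not from the slides) of the physics-based check described on slides 18 and 19: the discrete tank model h_{k+1} = h_k + (Q_{i,k} - Q_{o,k})/A predicts the next level from the reported one, and an alarm is raised when the residuals accumulate. The CUSUM statistic, the bias and threshold values, the time step `dt`, and the constructed trace (a level reading frozen from sample 40 on) are assumptions for illustration.

```python
# Residual-based monitor for a water tank, using the slide-19 model.
# CUSUM, bias/tau values, dt and the trace below are illustrative assumptions.

def predict_next(h_k, q_in, q_out, area, dt=1.0):
    """One-step prediction: h_{k+1} = h_k + (Q_in - Q_out) * dt / A."""
    return h_k + (q_in - q_out) * dt / area

def detect(levels, q_in, q_out, area, bias, tau, dt=1.0):
    """Return sample indices where the CUSUM of |residual| exceeds tau.

    bias absorbs expected sensor noise; tau trades detection delay
    against false alarms.
    """
    alarms, s = [], 0.0
    for k in range(len(levels) - 1):
        expected = predict_next(levels[k], q_in[k], q_out[k], area, dt)
        residual = abs(levels[k + 1] - expected)
        s = max(0.0, s + residual - bias)
        if s > tau:
            alarms.append(k + 1)
            s = 0.0  # restart accumulation after raising an alarm
    return alarms

def constructed_trace(n=80, attack_start=40):
    """Constructed data: tank filling at 5 mm/sample with +/-0.5 mm
    sensor noise; from attack_start on the reported level is frozen at
    the last genuine reading while the real tank keeps filling."""
    area, q_in, q_out = 1.0, 0.02, 0.015   # m^2, m^3/s, m^3/s
    true_h, reported = 0.5, []
    for k in range(n):
        noise = 0.0005 if k % 2 == 0 else -0.0005
        reading = true_h + noise
        if k >= attack_start:
            reading = reported[attack_start - 1]  # spoofed value
        reported.append(reading)
        true_h += (q_in - q_out) / area
    return reported, [q_in] * n, [q_out] * n, area

if __name__ == "__main__":
    levels, qi, qo, area = constructed_trace()
    print("alarms at samples:", detect(levels, qi, qo, area,
                                       bias=0.002, tau=0.01))
```

The reported level alone looks plausible after sample 40; the alarm comes from its disagreement with the measured flows, so the check is only as trustworthy as the flow measurements it relies on.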
