Cyber Security Research on Industrial Control Systems
SM Yiu, Department of Computer Science, The University of Hong Kong
Cyber-security for Industry 4.0 conference, 23 June 2017
Will the following only be seen in movies? Movies: Cyber Hacking (2015); Italian Job (2003)
IT IS REAL! (Defcon hacking conference 2014)
2016 (US): 295 reports of ICS attacks (20%)
- Mar: New York dam (control system accessed)
- April: German nuclear power plant (malware)
- Light-rail system, ….
The purpose of the talk is to raise the awareness of the community on the security issues of ICS.
Key components of an ICS (Guide to Industrial Control System (ICS) Security, NIST, 2015)
Numerous attack points. SCADA – a typical ICS (Guide to Industrial Control System (ICS) Security, NIST, 2015)
PLC (programmable logic controller)
- A small digital computer used for automation of various electro-mechanical processes in industries.
- "Hard" real-time system: output is produced in response to input conditions within a limited time.
- Specially designed to survive in harsh conditions.
- Programs can be written on a computer and downloaded to the PLC via a communication link (e.g. cable).
Is the PLC critical? In what systems is it used?
Yuen Long Sewage Treatment system
Ventilation Control and Monitoring System for Tunnel of subway/railway (pictures from MTR report)
How easy is it to hack a PLC?
• PLCs are NOT secure: a PLC has no proper protection built in, and no authentication or encryption for the communication protocol. A PLC can be discovered by packet sniffing.
[Figure: the lift demo setup – a touch panel for floor selection, a sensor to detect the current floor, a switch that connects the PLC and the touch panel, and the PLC that controls the lift system]
Attack on the Lift System
Q: Some engineers feel that it is not easy to connect to it because it is a "closed" system. Do you agree?
[Figure: Hacker → Network → PLC] The PLC has NO authentication capability: an attacker who reaches the network can connect to the PLC and control the lift directly.
Five attacks (4 with demos)
1. DoS attack – 100 MB/s is already enough to stop the PLC from receiving any valid commands – No advanced hacking knowledge needed: packet generation programs are freely available on the Internet.
2. Command injection attack – We connect to the PLC directly and send random commands to the PLC – A little more knowledge needed: a replay attack!
3. Control the lift – Having taken control of the PLC, the attacker can order the lift to whatever level – Requires understanding the commands sent from the touch panel to the PLC.
4. Manipulate the sensor values – Actively modify the sensor values – Requires more knowledge about the sensor variables stored in the PLC.
5. Time bomb: hack the traffic lights – Build a time bomb that turns both the car and pedestrian lights green at the same time ONCE IN A WHILE.
Again, a real case in the US (Dec 2015). They examined the traffic light and performed forensic analysis on the PLC …
Surprisingly …
Event/log: Date/time
- Program last modified: Dec 08 2015 3:05pm
- Program last compiled: Dec 08 2015 5:46pm
- Program last uploaded (by engineer): Dec 08 2015 5:46pm
- Program last uploaded (by ????): Dec 26 2015 4:18am
- Accident: Dec 26 2015 pm
What can we do (our research directions besides attack)?
- Build a protection layer
  * Difficulty: the low processing power and limited memory/buffer of the PLC.
- Add a forensic module
  * For detection and investigation.
Building a protection layer
(i) E.g. firewall …
(ii) Light-weight detection module inside the PLC.
Remark: We also have some interesting methods to do forensics (e.g. how to log the events with limited buffers/power).
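As an added illustration of the light-weight detection module idea (example code written for this page, not code from the talk or the HKU group), the following rule-based detector runs over a constructed PLC event stream and flags the patterns described in the attacks and the forensic table above: a packet flood, write commands from a host other than the touch panel, and program uploads from an unknown host or outside working hours (like the 04:18 entry). The host addresses, thresholds and maintenance window are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of PLC-bound traffic: (timestamp, source, operation).
# Addresses and thresholds are assumptions for this demo, not values from the talk.
ENGINEERING_HOSTS = {"192.0.2.20"}   # assumed allow-list for program uploads
HMI_HOSTS = {"192.0.2.10"}           # assumed touch-panel (HMI) address
MAINTENANCE_WINDOW = (8, 18)         # assumed 08:00-18:00 maintenance hours
FLOOD_THRESHOLD = 50                 # assumed packets per second per source

def detect(events):
    """Return (timestamp, rule, detail) alerts for a stream of PLC events.

    flood      - one source sends > FLOOD_THRESHOLD packets within one second
    unauth_cmd - a write command from a host that is not the touch panel
    upload     - a program upload from a non-engineering host, or from an
                 engineering host outside the maintenance window
    """
    alerts, per_second, flooded = [], defaultdict(int), set()
    for ts, src, op in events:
        key = (src, ts.replace(microsecond=0))   # bucket by whole second
        per_second[key] += 1
        if per_second[key] > FLOOD_THRESHOLD and src not in flooded:
            flooded.add(src)                     # alert once per source
            alerts.append((ts, "flood", f"{src} > {FLOOD_THRESHOLD} pkt/s"))
        if op == "write" and src not in HMI_HOSTS:
            alerts.append((ts, "unauth_cmd", f"write from {src}"))
        if op == "program_upload":
            if src not in ENGINEERING_HOSTS:
                alerts.append((ts, "upload", f"upload from unknown host {src}"))
            elif not MAINTENANCE_WINDOW[0] <= ts.hour < MAINTENANCE_WINDOW[1]:
                alerts.append((ts, "upload", f"upload at {ts:%H:%M}, off-hours"))
    return alerts

def sample_events():
    """Constructed stream modelled on the forensic table: an engineer's upload
    at 17:46, then an unknown host uploading at 04:18, writing, and flooding."""
    ev = [(datetime(2015, 12, 8, 17, 46), "192.0.2.20", "program_upload"),
          (datetime(2015, 12, 8, 17, 50), "192.0.2.10", "write"),
          (datetime(2015, 12, 26, 4, 18), "198.51.100.7", "program_upload"),
          (datetime(2015, 12, 26, 4, 19), "198.51.100.7", "write")]
    ev += [(datetime(2015, 12, 26, 4, 20, 0, i * 1000), "198.51.100.7", "read")
           for i in range(60)]                  # 60 packets in one second
    return ev

if __name__ == "__main__":
    for ts, rule, detail in detect(sample_events()):
        print(f"{ts:%Y-%m-%d %H:%M} {rule:10s} {detail}")
```

Given the PLC's limited processing power and memory noted above, logic like this is more realistically placed in a bump-in-the-wire firewall in front of the PLC than inside the controller itself.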
Acknowledgements
- Dr. KP Chow, leader of our research group
- Our talented research students/engineers: Raymond Chan*, Chun Fai Chan, Ken Yau, Han Yu, Bo Zhang, Yuan Zhang, Alex Choy
- Our partners: PolyU, Cisco
** We are more than willing to collaborate with industry on related R&D problems **
Thank you