man in the middle attacks on iec 60870 5 104
play

Man in the middle attacks on IEC 60870-5-104 Pete Maynard - PowerPoint PPT Presentation

Dec 12, 2023 •238 likes •584 views

Man in the middle attacks on IEC 60870-5-104 Pete Maynard @pgmaynard ORCID 0000-0002-6267-7530 Introduction Pete Maynard PhD Student CSIT Queen's University Belfast, UK Industrial Control System Security Partnership with

  1. Man in the middle attacks on IEC 60870-5-104 Pete Maynard @pgmaynard ORCID 0000-0002-6267-7530

  2. Introduction ● Pete Maynard ● PhD Student ● CSIT Queen's University Belfast, UK ● Industrial Control System Security ● Partnership with PRECYSE 2

  3. What I do ● Attacks on SCADA protocols – Replay, MITM, DoS ● Develop detection and prevention methods ● Anomaly detection via machine learning 3

  4. PRECYSE ● European FP7 Project ● Prevention, protection and REaction to CYber attackS to critical infrastructurEs ● LINZ STROM GmbH (Electrical Distribution Operator) 4

  5. Talk Overview ● What's SCADA Used for ● SCADA Threats ● Introduction IEC 104 ● Attacking IEC 104 5

  6. What's SCADA Used for? 6

  7. How is SCADA used [1] ● MODBUS, DNP3, IEC104, 61850, Profibus … 7 [1] S. Mohagheghi, J. Stoupis, and Z. Wang. Communication protocols and networks for power systems-current status and future trends. In Power Systems Conference and Exposition, 2009. PSCE ’09. IEEE/PES, pages 1–9, March 2009.

  8. What does it do? ● Telemetry control ● Change Settings ● Read/Write/Delete files and directories ● Update firmware 8

  9. SCADA Threats 9

  10. Attack Levels Level Example 1 Accident Misconfigured, Firmware Update 2 Novice Script kiddie, port scanning 3 Experienced Replay attack, basic knowledge 4 Advanced Stuxnet, ICS domain knowledge 10

  11. Threats ● Havex Malware ● OPC to scan for SCADA devices ● Reports back to command and control server ● Recently detected July 2014 – European ICS – Team Since 2011 ● State sponsored? 11

  12. Scanning for SCADA devices ● Readily available scanners – SCADA StrangeLove [1] ● Simple Python Script ● Return Device name, IP, software version 12 [1] https://github.com/atimorin/scada-tools

  13. SCADA Fuzzers ● Protocol Fuzzers ● Project Robus [1] – DNP3 – Identified many vulnerabilities ● Fuzzing can kill 13 [1] http://www.automatak.com/robus/

  14. Protocol Analysers 14

  15. Introduction IEC 104 15

  16. Introduction IEC 60870-5-104 ● International Electrotechnical Commission (IEC) ● IEC 60870 developed periodically between the years 1988 and 2000 ● 6 Main Parts and four companion sections ● Open Standard ● 60870-5-104 defines transmission over TCP/IP 16

  17. IEC 60870-5-104 Security Issues ● Ported from serial links to TCP/IP ● No authentication ● No encryption ● Uses IP address white-list – Defined on the slave ● TLS encryption recommended – In practice not implemented 17

  18. 104 Payload ASDU 18

  19. Attacking IEC 104 19

  20. Capturing Packets ● SPAN Port ● DNS Poisoning ● Content Addressable Memory (CAM) table overflow ● ARP Spoofing 20

  21. Replay Attack ● Novice level attack ● Capture and replay packets – Command, readings, alerts... ● Replayed packets dropped by kernel ● Tcpreplay alternatives to modify SEQ values 21

  22. Man In the Middle Attack ● Intercept communications between two or more devices ● Modify and inject packets ● Many tools available – ettercap – cain and abel – DSniff 22

  23. 104 MITM Lab Experiment ● Modify Cause of transmission (CoT) field ● Intercept and set an invalid CoT value ● Detection with SNORT 23

  24. Cause of Transmission CoT values can use the following number ranges: ● 1-13 and 20-41 – 14-19 and 42-43 are reserved for future use. – 24

  25. Before and After Capture Before 25 After

  26. SNORT Alert Rule alert tcp $104_CLIENT any -> $104_SERVER $104_PORTS (flow: established; content:"|68|"; offset:0; depth:1; pcre:"/[\S\s]{5}(\x2D|\x2E|\x2F|\x30|\x64|\x65)/iAR"; content:!"|06|"; offset: 8; depth: 1; msg:"17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field"; classtype:bad-unknown; sid:6666617; rev:1; priority:2;) Alert [**] [1:6666617:1] 17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field [**] [Classification: Potentially Bad Traffic] [Priority: 2] 09/09-14:06:10.462288 10.50.50.105:40734 -> 10.50.50.75:22 TCP TTL:64 TOS:0x0 ID:60033 IpLen:20 DgmLen:60 DF ******S* Seq: 0x9A0C38A1 Ack: 0x0 Win: 0x3908 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 1382076960 0 NOP WS: 7 26

  27. Earth Fault ● Real world situation where an earth fault in the physical electrical grid occurs 27

  28. Linz Test-bed 28

  29. Operator View 29

  30. 104 MIM TestBed Environment ● Intercept value, so operators unable to view fault ● 104's Information Objects, M_SP_TB_1 stores the 'ON/OFF' value ● First bit of the SIQ is the SPI field, storing the ON/OFF value. 30

  31. ON/OFF Value Modification Before After 31

  32. Conclusion ● Attackers with varying skill levels can compromise SCADA systems – Man-In-The-Middle attacks hiding an earth fault ● New implementations of ICS need to take precautions ● Monitor logs, network, everything ● Enable attack mitigations 32

  33. Future Work ● Identify features of the IEC104 protocol for anomaly detection ● Propose to develop an Anomaly Detection module for the IEC104 protocol – Detect similar network attacks ● Work on MITM attack for IEC 61850 33

  34. Questions 34

Recommend

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on Third-Party Software Jeffrey Knockel, Jedidiah Crandall Computer Science Department University of New Mexico Recent News Iran: forged SSL

569 views • 27 slides
An Anomaly Detection Mechanism for IEC 60870-5-104 Panagioti s Sari gianni dis Uni versi

An Anomaly Detection Mechanism for IEC 60870-5-104 Panagioti s Sari gianni dis Uni versi

1 An Anomaly Detection Mechanism for IEC 60870-5-104 Panagioti s Sari gianni dis Uni versi ty o f Western Mac edoni a psari gianni di s@uowm.gr Auth thors 2 Under the H2020 SPEAR Project Antonios Sarigiannidis, Panagiotis Radoglou

254 views • 21 slides
Lets Revoke Public key infrastructure prevents Man-in-the-Middle attacks Revocation protects

Lets Revoke Public key infrastructure prevents Man-in-the-Middle attacks Revocation protects

Lets Revoke Public key infrastructure prevents Man-in-the-Middle attacks Revocation protects clients from compromised certificates Without revocation, these attacks would go undetected 2 Certificate Revocation Lists (CRLs) Lists of

544 views • 27 slides
Attacking IEC-60870-5-104 SCADA Systems P. Radoglou-Grammatikis, P. . Sari Sarigiannid idis*,

Attacking IEC-60870-5-104 SCADA Systems P. Radoglou-Grammatikis, P. . Sari Sarigiannid idis*,

Attacking IEC-60870-5-104 SCADA Systems P. Radoglou-Grammatikis, P. . Sari Sarigiannid idis*, I. Giannoulakis, E. Kafetzakis and E. Panaousis University of Western Macedonia, Eight Bells Ltd, University of Surrey The 1st IEEE Services Workshop

435 views • 18 slides
Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle

Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle

Man-in-the-Middle attacks revisited Hugo Jonker, Rolando Trujillo, Sjouke Mauw Man-in-the-middle attack Diffie-Hellman Alice Bob new na new nb g na g nb K = (g nb ) na K = (g na ) nb Man-in-the-middle attack Diffie-Hellman Alice Bob Alice

401 views • 25 slides
Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Introduction Demirci and Sel cuk Attack Differential Enumeration Technique Conclusion Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez 1 Pierre-Alain Fouque 1 , 2 Ecole Normale Sup

1.25k views • 60 slides
Certificate Measurements to Detect Man-in-the-Middle Attacks and Middleboxes Mark ONeill,

Certificate Measurements to Detect Man-in-the-Middle Attacks and Middleboxes Mark ONeill,

Certificate Measurements to Detect Man-in-the-Middle Attacks and Middleboxes Mark ONeill, Scott Ruoti, Kent Seamons, Daniel Zappala Internet Research Lab & Internet Security Research Lab Brigham Young University Certificate validation

484 views • 14 slides
Heart Attacks in Middle-aged Recreational Athletes Karl Cernovitch Alex C. Samak Jay Brophy

Heart Attacks in Middle-aged Recreational Athletes Karl Cernovitch Alex C. Samak Jay Brophy

Heart Attacks in Middle-aged Recreational Athletes Karl Cernovitch Alex C. Samak Jay Brophy MD,PhD Mark Goldberg PhD Royal Victoria Hospital Clinical Epidemiology Unit If it happened to a Pro, it could happen to you! Montreal

963 views • 21 slides
Man in the Middle Attacks Engineering Secure Software Last Revised: September 1, 2020 SWEN-331:

Man in the Middle Attacks Engineering Secure Software Last Revised: September 1, 2020 SWEN-331:

Man in the Middle Attacks Engineering Secure Software Last Revised: September 1, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 High Level View Allows the hacker to sit in between all communication between client and

398 views • 15 slides
in Middle Tennessee Prevent Asthma Attacks in Children Gwen Sunkel, Indiana University-Purdue

in Middle Tennessee Prevent Asthma Attacks in Children Gwen Sunkel, Indiana University-Purdue

Breathe Easy: Helping Parents in Middle Tennessee Prevent Asthma Attacks in Children Gwen Sunkel, Indiana University-Purdue University Indianapolis United Neighborhood Health Services Nashville, TN Introduction Gwen en Sun unkel, , RN

570 views • 15 slides
MitM attacks on HTTPS sessions Much of this material can also be seen in DEFCON 2009 presentation

MitM attacks on HTTPS sessions Much of this material can also be seen in DEFCON 2009 presentation

Software and Web Security 2 MitM attacks on HTTPS sessions Much of this material can also be seen in DEFCON 2009 presentation by Moxie Marlinspike; see URL on course page sws2 1 MitM (Man-in-the-Middle) attacks MitM attack: attacker

971 views • 38 slides
Match Box Meet-in-the-Middle Attack against KATAN Thomas Fuhr and Brice Minaud ANSSI, France

Match Box Meet-in-the-Middle Attack against KATAN Thomas Fuhr and Brice Minaud ANSSI, France

Match Box Meet-in-the-Middle Attack against KATAN Thomas Fuhr and Brice Minaud ANSSI, France FSE, March 3-5 2014 Plan 1 Match Box Meet-in-the-Middle Attacks Sieve-in-the-Middle Framework Match Box Cryptanalysis of KATAN 2 Description

1.61k views • 37 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
The middle program $ middle 3 3 5 middle: 3 $ middle 2 1 3 middle: 1 10 10 int main(int

The middle program $ middle 3 3 5 middle: 3 $ middle 2 1 3 middle: 1 10 10 int main(int

Detecting Anomalies Andreas Zeller 1 Tracing Infections For every infection, we must find the earlier infection that causes it. Which origin should we focus upon? 2 2 Tracing Infections 3 3 Focusing on Anomalies

522 views • 27 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Welcome to Randolph Middle School An IB World School Randolph Middle School

Welcome to Randolph Middle School An IB World School Randolph Middle School

Welcome to Randolph Middle School An IB World School Randolph Middle School Charlotte-Mecklenburg Schools International Baccalaureate Middle Years Program Grades 6 8 Brian Bambauer, Principal Fast Facts RMS was built in1967

673 views • 40 slides
WELCOME TO LASALLE SPRINGS MIDDLE SCHOOL! Which one are you? MIDDLE SCHOOL MODEL Image taken

WELCOME TO LASALLE SPRINGS MIDDLE SCHOOL! Which one are you? MIDDLE SCHOOL MODEL Image taken

WELCOME TO LASALLE SPRINGS MIDDLE SCHOOL! Which one are you? MIDDLE SCHOOL MODEL Image taken from Noblesville East Middle School MIDDLE SCHOOL TEAMS 6 TH GRADE LEVEL TEAMS Searchers Seekers TEACHER MAKE-UP 2 Language Arts 1 Social

546 views • 42 slides
Revere Middle School Welcome to Middle School! A major goal of middle school is to help students

Revere Middle School Welcome to Middle School! A major goal of middle school is to help students

Revere Middle School Welcome to Middle School! A major goal of middle school is to help students learn how they can be successful learners and creative problem solvers. We strive to help students find the balance of challenging themselves

439 views • 18 slides
Wiretapping End-to-End Encrypted VoIP Calls Real-World Attacks on ZRTP Dominik Schrmann, Fabian

Wiretapping End-to-End Encrypted VoIP Calls Real-World Attacks on ZRTP Dominik Schrmann, Fabian

Institute of Operating Systems and Computer Networks Wiretapping End-to-End Encrypted VoIP Calls Real-World Attacks on ZRTP Dominik Schrmann, Fabian Kabus, Gregor Hildermeier, Lars Wolf, 2017-07-18 Introduction Man-in-the-Middle ZRTP

396 views • 24 slides
Meet in the Middle - STP March 20, 2019 1 / 17 Last weeks exercise Solution on whiteboard.

Meet in the Middle - STP March 20, 2019 1 / 17 Last weeks exercise Solution on whiteboard.

Meet in the Middle - STP March 20, 2019 1 / 17 Last weeks exercise Solution on whiteboard. 2 / 17 Recap of MitM attack Whiteboard 3 / 17 Searching for attacks By hand - Last week(s) Using the computer - This week 4 / 17

689 views • 23 slides
CONSERVATION CONSERVATION EASEMENTS: Fiscal Impacts to Localities in the Middle Peninsula Middle

CONSERVATION CONSERVATION EASEMENTS: Fiscal Impacts to Localities in the Middle Peninsula Middle

CONSERVATION CONSERVATION EASEMENTS: Fiscal Impacts to Localities in the Middle Peninsula Middle Peninsula Jackie Rickards Middle Peninsula Planning District Commission July 13, 2011 1 Location of the Middle Peninsula Peninsula Middle

412 views • 37 slides
MIDDLE SCHOOL COURSE INFORMATION NIGHT 2017 MIDDLE SCHOOL TEAM Head of Middle School and

MIDDLE SCHOOL COURSE INFORMATION NIGHT 2017 MIDDLE SCHOOL TEAM Head of Middle School and

MIDDLE SCHOOL COURSE INFORMATION NIGHT 2017 MIDDLE SCHOOL TEAM Head of Middle School and Head of Year 10: Liz Nevins Head of Year 9 Daniel Toma Middle School Coordinators Dianna Moore, Tyler Phillips, John Box, Michael

513 views • 33 slides

More recommend