specification based ids for the dnp3 protocol
play

SPECIFICATION-BASED IDS FOR THE DNP3 PROTOCOL NOVEMBER, 12TH, 2014 - PowerPoint PPT Presentation

Jan 25, 2023 •426 likes •746 views

ANNUAL INDUSTRY WORKSHOP NOVEMBER 12-13, 2014 SPECIFICATION-BASED IDS FOR THE DNP3 PROTOCOL NOVEMBER, 12TH, 2014 HUI LIN UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG 1

  1. ANNUAL INDUSTRY WORKSHOP NOVEMBER 12-13, 2014 SPECIFICATION-BASED IDS FOR THE DNP3 PROTOCOL NOVEMBER, 12TH, 2014 HUI LIN UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG 1 UNIVERSITY OF ILLINOIS | DARTMOUTH COLLEGE | UC DAVIS | WASHINGTON STATE UNIVERSITY FUNDING SUPPORTPROVIDED BY DOE-OE AND DHS S&T

  2. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G PROBLEM DEFINITION • Threat model : control commands , if maliciously crafted, can directly change system’s physical state 2

  3. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G PROBLEM DEFINITION • Threat model : control commands , if maliciously crafted, can directly change system’s physical state • Control-related attack : a sophisticated attacker can exploit system vulnerabilities and use a few maliciously crafted commands to put the system into insecure electrical states 3

  4. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G PROBLEM DEFINITION • Threat model : control commands , if maliciously crafted, can directly change system’s physical state • Control-related attacks : a sophisticated attacker can exploit system vulnerabilities and use a few maliciously crafted commands to put the system into insecure electrical states 4

  5. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G PROBLEM DEFINITION • Threat model : control commands , if maliciously crafted, can directly change system’s physical state • Control-related attacks : a sophisticated attacker can exploit system vulnerabilities and use a few maliciously crafted commands to put the system into insecure electrical states 5

  6. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G PROBLEM DEFINITION • Threat model : control commands , if maliciously crafted, can directly change system’s physical state • Control-related attacks : a sophisticated attacker can exploit system vulnerabilities and use a few maliciously crafted commands to put the system into insecure electrical states 6

  7. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G PROBLEM DEFINITION • Threat model : control commands , if maliciously crafted, can directly change system’s physical state • Control-related attacks : a sophisticated attacker can exploit system vulnerabilities and use a few maliciously crafted commands to put the system into insecure electrical states 𝑕 − 𝑄 𝑗 𝑚 = 𝑙 𝑊 𝑄 𝑗 𝑊 𝑙 (𝐻 𝑗𝑙 cos 𝜄 𝑗 − 𝜄 𝑙 + 𝐶 𝑗𝑙 sin(𝜄 𝑗 − 𝜄 𝑙 )) 𝑗 𝑕 − 𝑅 𝑗 𝑚 = 𝑙 𝑊 𝑅 𝑗 𝑗 𝑊 𝑙 (𝐻 𝑗𝑙 sin 𝜄 𝑗 − 𝜄 𝑙 − 𝐶 𝑗𝑙 cos(𝜄 𝑗 − 𝜄 𝑙 )) 7

  8. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G WHY DETECTION IS A CHALLENGE? • Hard to detect based solely on power systems’ electrical states – Traditional contingency analysis considers low-order incidents, i.e., the “ N-1 ” contingency – Traditional state estimation is performed periodically, detecting attacks after physical damage – Measurements may be compromised 8

  9. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G WHY DETECTION IS A CHALLENGE? • Hard to detect based solely on power systems’ electrical states – Traditional contingency analysis considers low-order incidents, i.e., the “ N-1 ” contingency – Traditional state estimation is performed periodically, detecting attacks after physical damage – Measurements may be compromised • Hard to detect based solely on the network intrusion detection systems – Commands can be encoded in correct syntax – Not detectable by traditional network intrusion detection systems (IDS) 9

  10. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G DETECTION DESIGN • Combine system knowledge of both cyber and physical infrastructure in the power grid – Integrate network monitoring with look-ahead power flow analysis • Detect malicious commands at their first appearances , instead of identifying power system’s physical damage after the fact 10

  11. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH 11

  12. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH Cyber Infrastructure 12

  13. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH Cyber Infrastructure • Adapt specification-based IDS for SCADA systems – Detect unexpected network activities based on predefined security specifications 13

  14. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH Cyber Infrastructure • Adapt specification-based IDS for SCADA systems – Detect unexpected network activities based on predefined security specifications • Adapt Bro to support SCADA protocols – Develop DNP3 & Modbus Bro IDS analyzers in Bro’s for SCADA distribution – Collaborate with industry, i.e., Ameren, Abbot Lab • Use real network traffic from substations in Ameren to test the developed tools 14

  15. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH Physical Infrastructure • Develop semantic analysis framework – Augment network IDS with power flow analysis Bro IDS for SCADA 15

  16. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH Physical Infrastructure • Develop semantic analysis framework – Augment network IDS with power flow analysis – Monitor network payloads to identify control commands – Invoke look-ahead power Bro IDS flow analysis to evaluate for SCADA the physical consequence of a command’s execution Look-ahead Power Flow Analysis 16

  17. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G APPROACH Physical Infrastructure • Develop semantic analysis framework – Augment network IDS with power flow analysis – Monitor network payloads to identify control commands – Invoke look-ahead power Bro IDS flow analysis to evaluate for SCADA the physical consequence of a command’s execution – Monitor sensor Look-ahead measurements to identify Power Flow Analysis corruptions 17

  18. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G LOW LATENCY DETECTION • Classical AC power flow analysis calculates accurate system states with long latency 18

  19. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G LOW LATENCY DETECTION • Classical AC power flow analysis calculates accurate system states with long latency • DC power flow analysis introduces very little latency, but calculates very inaccurate system states 19

  20. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G LOW LATENCY DETECTION • Classical AC power flow analysis calculates accurate system states with long latency • DC power flow analysis introduces very little latency, but calculates very inaccurate system states • Adapt AC power flow analysis to balance detection latency and accuracy – Allow timely responses before system-wide propagation of malicious damage 20

  21. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G LOW LATENCY DETECTION • Classical AC power flow analysis calculates accurate system states with long latency • DC power flow analysis introduces very little latency, but calculates very inaccurate system states • Adapt AC power flow analysis to balance detection latency and accuracy – Allow timely responses before system-wide propagation of malicious damage • Adapt Newton-Raphson algorithm – Intelligently reduce the number of iteration for different control commands • Meet the trade-off between detection accuracy and latency 21

  22. ANNUAL INDUSTRY WORKSHOP – NOVEMBER 12-13, 2014 TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G EVALUATION: DETECTION ACCURACY • The test-bed configuration – Use the case files of IEEE 24-bus, 30-bus, 39-bus, and a 2736- bus system in Matpower to evaluate the adapted power flow analysis algorithm – Malicious changes: line outage, generation and load modification 22

Recommend

Fuzzing and protocol analysis case-study of DNP3 Adam Crain, Automatak Developed by Harris Corp,

Fuzzing and protocol analysis case-study of DNP3 Adam Crain, Automatak Developed by Harris Corp,

Fuzzing and protocol analysis case-study of DNP3 Adam Crain, Automatak Developed by Harris Corp, handed over to a vendor-neutral User Group in 1993. Many features have been bolted on, including security. Layered Architecture IED/RTU or

469 views • 24 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In previous parts of this chapter: Modeling behaviour with

773 views • 74 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In Part I of this chapter: Modeling with state machines and

1.8k views • 126 slides
What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i -Key-Protocol, i = 1, 2, 3, Family of protocols Secure electronic payment Based on credit card payments Christopher Hsu Can be extended

407 views • 4 slides
Title: Formal Specification and Verification of a Communication Protocol (temporary) Author:

Title: Formal Specification and Verification of a Communication Protocol (temporary) Author:

Title: Formal Specification and Verification of a Communication Protocol (temporary) Author: Hojung Bang Affiliation: KAIST Address: 373-1, Kuseong-dong, Yuseong-gu, Daejeon, 305-701, Korea Abstract: In this paper, we summarized our experience

285 views • 6 slides
Specification-Based Testing 1 Stuart Anderson Stuart Anderson Specification-Based Testing 1

Specification-Based Testing 1 Stuart Anderson Stuart Anderson Specification-Based Testing 1

Specification-Based Testing 1 Stuart Anderson Stuart Anderson Specification-Based Testing 1 2011 c 1 Overview Basic terminology A view of faults through failure Systematic versus randomised testing A systematic approach to

492 views • 32 slides
Building a Literate Parser and Proxy for DNP3 Sven M.

Building a Literate Parser and Proxy for DNP3 Sven M.

Building a Literate Parser and Proxy for DNP3 Sven M. Hallberg, Sergey Bratus, Adam Crain Outline Parsers, security, and the

368 views • 33 slides
TCP Friendly Rate Control (TFRC): Protocol Specification RFC3448bis

TCP Friendly Rate Control (TFRC): Protocol Specification RFC3448bis

TCP Friendly Rate Control (TFRC): Protocol Specification RFC3448bis draft-ietf-dccp-rfc3448bis-00.txt S. Floyd, M. Handley, J. Padhye, and J. Widmer November 2006, DCCP Working Group Changes from RFC 3448: Incorporated changes in the

240 views • 4 slides
Implemen'ng a ver'cally hardened DNP3 control stack Sven M.

Implemen'ng a ver'cally hardened DNP3 control stack Sven M.

Implemen'ng a ver'cally hardened DNP3 control stack Sven M. Hallberg, Sergey Bratus, Adam Crain, Meredith L. Pa<erson,

886 views • 49 slides
Broadcast channels Adversary Central adversary (collaborating parties) Corrupts t

Broadcast channels Adversary Central adversary (collaborating parties) Corrupts t

Sum Protocol 2 Goal: Compute sum of inputs Protocol Specification 0. P i : input x i random r y 1 = r + x 1 y 7 Cryptographic Protocols 1. P i : send x i to TTP y 7 = y 6 + x 7 y 1 x i s = y 7 r y 6 2. TTP: y = Spring 2020 y 2 =

67 views • 4 slides
Integrating Workload Specification and Extraction for Model- Based and Measurement-Based

Integrating Workload Specification and Extraction for Model- Based and Measurement-Based

Stuttgart, Germany, 2014-11-27 Integrating Workload Specification and Extraction for Model- Based and Measurement-Based Performance Evaluation An Approach for Session-Based Software Systems Andr van Hoorn, Christian Vgele Eike Schulz,

1.02k views • 29 slides
Protocol-based Verification of Message-passing Parallel Programs Hugo A. L opez, Eduardo R. B.

Protocol-based Verification of Message-passing Parallel Programs Hugo A. L opez, Eduardo R. B.

t i f a r c A t * C o m * p l * t e n t e A e t * A s i W s E n L e o l C l S C D P * o * c O e s u u m E O e R e n v o t t d e * y s * a a E d l u e a t Protocol-based

543 views • 37 slides
Protocol Interconnection in Urban Traffic Coordination use case (demo) Georgios Bouloukakis

Protocol Interconnection in Urban Traffic Coordination use case (demo) Georgios Bouloukakis

Protocol Interconnection in Urban Traffic Coordination use case (demo) Georgios Bouloukakis Inria 1 st Review Meeting Brussels, February 11, 2016 Route planning: Choreography diagram Specification Specification sub-choreography diagram

315 views • 10 slides
An Adaptive MAC Layer Protocol for ATM-based LEO Satellite Networks An Access Protocol for Mobile

An Adaptive MAC Layer Protocol for ATM-based LEO Satellite Networks An Access Protocol for Mobile

An Adaptive MAC Layer Protocol for ATM-based LEO Satellite Networks An Access Protocol for Mobile Satellite Users with Reduced Link Margins and Contention Probability Marc Emmelmann (*) Hermann Bischl Fraunhofer Institute German Aerospace

611 views • 18 slides
TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for

TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for

TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for ensuring that data is transferred between two Intenret hosts based on a 32 bit address. To be ROUTABLE, a protocol must specify a NETWORK ADDRESS

899 views • 22 slides
Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic specification J. Lima, N. Escravana 1 Abstract In the recent years, the advent large-scale, highly targeted cyber-attacks raised the concern on the

375 views • 35 slides
Specification-based and boundary testing Maurcio F. Aniche M.FinavaroAniche@tudelft.nl We

Specification-based and boundary testing Maurcio F. Aniche M.FinavaroAniche@tudelft.nl We

Specification-based and boundary testing Maurcio F. Aniche M.FinavaroAniche@tudelft.nl We need more systematic and rigorous ways to test software! SPECIFICATION Requirements Models Structure (e.g., source code) Requirements SPECIFICATI

651 views • 61 slides
TTCN-3 and Eclipse TITAN for testing protocol stacks Harald Welte <laforge@gnumonks.org>

TTCN-3 and Eclipse TITAN for testing protocol stacks Harald Welte <laforge@gnumonks.org>

TTCN-3 and Eclipse TITAN for testing protocol stacks Harald Welte <laforge@gnumonks.org> Protocol Testing Important for: conformance to specification ensuring interoperability network security regression testing performance Protocol

684 views • 37 slides
Test Design Techniques Chapter 4 Part 2 3. Specification-based testing (Black-box) 4.

Test Design Techniques Chapter 4 Part 2 3. Specification-based testing (Black-box) 4.

INF 3121 Software Testing Test Design Techniques Chapter 4 Part 2 3. Specification-based testing (Black-box) 4. Structure-based testing (White-box) 5. Experience-based testing 6. Choosing test techniques Specification-based testing 1.

922 views • 71 slides
Specifications Ken McMillan Microsoft Research Case study TileLink is a protocol for

Specifications Ken McMillan Microsoft Research Case study TileLink is a protocol for

Testing Composable Specifications Ken McMillan Microsoft Research Case study TileLink is a protocol for implementing a coherent memory in a system-on-chip (SoC). Goal: a formal, modular specification of TileLink Specify the protocol

245 views • 20 slides
Specification-based testing of IPsec Institute for system Programming Russian Academy of

Specification-based testing of IPsec Institute for system Programming Russian Academy of

Specification-based testing of IPsec Institute for system Programming Russian Academy of Sciences Nickolay Pakoulin npak@ispras.ru Agenda Work Background Specification based testing in IPsec Discussion Future work The work

578 views • 30 slides
Network Protocol Design and Evaluation 02 - Design Principles Stefan Rhrup University of

Network Protocol Design and Evaluation 02 - Design Principles Stefan Rhrup University of

Network Protocol Design and Evaluation 02 - Design Principles Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 In the last lecture... Specification: 5 Elements of a protocol Service

977 views • 58 slides
1 Good Requirements Graphical Languages? Specification Qualities Examples: Complete -

1 Good Requirements Graphical Languages? Specification Qualities Examples: Complete -

REQUIREMENT SPECIFICATION The Basic Waterfall Model Today: Requirements Specification Requirements Requirements tell us what the system should do - specification not how it should do it. Analysis & Requirements are

363 views • 3 slides
REQUIREMENT Requirement specification SPECIFICATION motivation and basics Today:

REQUIREMENT Requirement specification SPECIFICATION motivation and basics Today:

REQUIREMENT Requirement specification SPECIFICATION motivation and basics Today: Requirements Specification Requirement specification is generally a crucial phase of an Jyrki Nummenmaa University of Tampere, CS Department Jyrki

244 views • 3 slides

More recommend