Testing security of CPS with Formal Methods
Application (in progress) to industrial protocols, IoS & IoT
Roland Groz, Jean-Luc Richier, Maxime Puys, Laurent Mounier
Univ. Grenoble Alpes, LIG/Vasco + Vérimag/PACSS
Kobe – Université Grenoble-Alpes Workshop
Industrial systems & security
- Hot topic since Stuxnet (Iran 2009)
  - Even military-nuclear protected industrial sites can be damaged by cyberattacks
    - ~1000 centrifuges destroyed
  - Significant attacks (before and) after Stuxnet
    - E.g.: Ukraine blackout (2015), German steel plant, Finland heating breakdown…
- Protection becoming a priority for government agencies (France: ANSSI, LPM 2013, OIV)
Testing for security (LIG)
- Goal: early detection of vulnerabilities (security flaws) in systems
- Approach: based on models, Model-Driven Engineering (MDE) and Model Based Testing (MBT), with Formal Methods
- Main techniques:
  - Model learning, reverse engineering
  - Model checking and analysis
  - Test generation, fuzzing
Past and current projects
- European: Diamonds, SPaCIoS
  - + many national projects
- Application domains:
  - Internet of Services (web applications)
  - Communication protocols
  - Transport systems (automotive, aerospace, rail)
  - Industrial systems, CPS
Industrial (& IoT) vs Business IT
- Security priorities differ from IT
  - IT: Confidentiality > Authentication > Integrity > Availability
  - Industrial: Availability > Integrity > Authentication > Confidentiality
  - IoT: domain dependent, e.g. Integrity > Availability > Confidentiality
- Long lived, hard to patch, legacy (more so for industrial, less for IoT)
- Proprietary protocol implementations (also typical of IoT)
- Real-time
- Cyber Physical Systems (physical/vital hazards)
SCADA (Supervisory Control and Data Acquisition)
- SCADA controls variable Motor Status on PLC (Programmable Logic Controller)
Industrial Communication Protocols
- MODBUS (1979)
  - Mostly read/write PLC variables (+ config…)
  - No security
- OPC-UA (2006)
  - Open Platform Communications, Unified Architecture
  - Complex standard (978 pages)
  - Provisions for security
    - Signed or encrypted messages
    - OPC-UA SecureConversation (similar to TLS with handshake)
Current responses to threats
- Legal requirements on companies: risk analysis, human and technical measures
- Zoning: data diodes, firewalls for ICS protocols…
- Intrusion Detection Systems & IPS
  - Multiple systems (cf. hierarchical distributed structure)
- Research: advanced IDS/IPS, vulnerability detection in protocol specifications & implementations
LIG security projects for SCADA
- ARAMIS (PIA)
  - Isolation device (~firewall based on protocol rupture)
- SACADE (ASTRID)
  - SCADA platform for detecting and playing attacks
- SRED (PIAVE)
  - Intrusion detection for electric distribution
ARAMIS security gateway
- Deep Packet Inspection
- Rewriting packet contents, with protocol-specific rules
- Physically separated processors
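As an added example (not code from the slides or from the ARAMIS project), the following Python sketch shows the deep-packet-inspection side of a protocol-aware gateway for Modbus/TCP, the protocol the earlier slide describes as carrying no security of its own. It decodes the MBAP header and the PDU of a request, drops frames that violate the specification's framing rules and per-function quantity limits, and then applies a per-zone policy on function codes and writable register ranges. The zone names, the policy and the register ranges are constructed assumptions; the function codes and quantity limits are those of the Modbus application protocol specification. Packet rewriting and the physically separated processors of ARAMIS are not modelled.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Modbus function codes (Modbus application protocol specification)
READ_FUNCTIONS = {1, 2, 3, 4}       # read coils / discrete inputs / holding / input registers
WRITE_FUNCTIONS = {5, 6, 15, 16}    # write single coil / register, write multiple coils / registers
# Upper bound of the quantity field per function, as fixed by the specification
SPEC_MAX_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125, 15: 1968, 16: 123}

# Hypothetical zoning policy (constructed for this example): functions each source
# zone may use, and the address range it may write (applied to coils and registers alike).
ZONE_POLICY = {
    "supervision": {"functions": READ_FUNCTIONS | WRITE_FUNCTIONS, "writable": range(0, 10)},
    "external":    {"functions": READ_FUNCTIONS, "writable": range(0)},
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]
    quantity: Optional[int]
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the PDU; raise ValueError on framing violations."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    data = frame[8:]
    address = quantity = None
    if fc in (1, 2, 3, 4, 15, 16):
        if len(data) < 4:
            raise ValueError("truncated address/quantity")
        address, quantity = struct.unpack(">HH", data[:4])
        if fc in (15, 16):
            # Multiple-write requests carry a byte count that must agree with the quantity.
            if len(data) < 5:
                raise ValueError("missing byte count")
            byte_count = data[4]
            expected = 2 * quantity if fc == 16 else (quantity + 7) // 8
            if byte_count != expected or len(data) != 5 + byte_count:
                raise ValueError("byte count inconsistent with quantity")
    elif fc in (5, 6):
        if len(data) != 4:
            raise ValueError("single write must carry address + value")
        address, quantity = struct.unpack(">H", data[:2])[0], 1
    return ModbusRequest(tid, uid, fc, address, quantity, data)


def filter_frame(zone: str, frame: bytes) -> Tuple[str, str]:
    """Return ("ALLOW" | "DROP", reason) for a request arriving from the given zone."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DROP", f"malformed: {exc}"
    policy = ZONE_POLICY.get(zone)
    if policy is None:
        return "DROP", f"unknown zone {zone!r}"
    if req.function not in policy["functions"]:
        return "DROP", f"function {req.function} not allowed from {zone}"
    limit = SPEC_MAX_QUANTITY.get(req.function)
    if limit is not None and not 1 <= req.quantity <= limit:
        return "DROP", f"quantity {req.quantity} outside 1..{limit}"
    if req.function in WRITE_FUNCTIONS:
        last = req.address + req.quantity - 1
        if req.address not in policy["writable"] or last not in policy["writable"]:
            return "DROP", f"write to {req.address}..{last} outside writable range"
    return "ALLOW", f"function {req.function} from {zone}"


def build_request(tid: int, uid: int, fc: int, body: bytes) -> bytes:
    """Assemble a Modbus/TCP request frame (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        ("supervision", build_request(1, 1, 3, b"\x00\x00\x00\x0a")),          # read 10 registers
        ("supervision", build_request(2, 1, 6, b"\x00\x28\xff\xff")),          # write register 40
        ("external", build_request(3, 1, 16, b"\x00\x00\x00\x02\x04\x00\x01\x00\x02")),
        ("supervision", build_request(4, 1, 3, b"\x00\x00\x00\xc8")),          # quantity 200 > 125
        ("supervision", b"\x00\x05\x00\x00\x00\x02\x01"),                      # truncated frame
    ]
    for zone, frame in samples:
        print(zone, frame.hex(), "->", filter_frame(zone, frame))
```

The checks are deliberately ordered: framing first, so a malformed frame never reaches the policy logic; then the specification limits, which are independent of site policy; and only then the site-specific allow-list. A real gateway would key the policy on source address or interface rather than on a zone label passed in by the caller.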
SACADE
- Started 2017
- Investigating attack scenarios against PLC
- Special focus on scenarios combining Distribution and Encapsulation:
  - Payload recombined from multiple encapsulated sources
Focus: encapsulation + distribution
- Distribution: noxious behaviour is obtained by combining several legal commands from distributed sources
- Encapsulation: payload is legal at all levels of protocols, so escapes protocol filtering
Examples of attack elements
- Playing on protocol levels
  - Data injection to move towards dangerous states
  - Device reconfiguration
  - Combining reconfiguration followed by injection
- Timing dependence
  - Commands sent in transient states of CPS
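The three preceding slides make the point that each command in a distributed or combined scenario is legal on its own, so a per-packet filter cannot see the problem; only a stateful monitor that correlates writes over time and across sources can. As an added example (not part of the SACADE platform or the slides), the Python monitor below works on already-decoded register writes, as the PLC-facing side of a gateway would produce them once encapsulations are stripped, and raises alerts for two of the patterns listed: a device reconfiguration followed within a time window by an injection into a process register, whatever the sources; and process writes spread over several distinct sources within the window. The register map, the host names, the sample events and the window/threshold values are constructed assumptions; in practice they would come from the plant's configuration and baseline traffic.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical register map of the sample PLC (constructed for this example)
CONFIG_REGISTERS = range(100, 110)   # scaling factors, alarm thresholds, I/O configuration
PROCESS_REGISTERS = range(0, 10)     # setpoints and commands acting on the process


@dataclass(frozen=True)
class WriteEvent:
    ts: float       # seconds since start of capture
    src: str        # source host as seen by the monitor
    register: int   # holding register written


def detect_combined_attacks(events: List[WriteEvent], window: float = 30.0,
                            min_sources: int = 2) -> List[Tuple[str, float, str]]:
    """Return (kind, timestamp, detail) alerts for combined-command patterns.

    Pattern "reconfig-then-inject": a write to a configuration register followed,
    within `window` seconds, by a write to a process register (any source pair).
    Pattern "distributed-write": process-register writes from at least `min_sources`
    distinct sources within `window` seconds of each other.
    """
    alerts: List[Tuple[str, float, str]] = []
    recent_config: List[WriteEvent] = []    # configuration writes still inside the window
    recent_process: List[WriteEvent] = []   # process writes still inside the window
    for e in sorted(events, key=lambda ev: ev.ts):
        # Slide the window: forget anything older than `window` seconds.
        recent_config = [c for c in recent_config if e.ts - c.ts <= window]
        recent_process = [p for p in recent_process if e.ts - p.ts <= window]
        if e.register in CONFIG_REGISTERS:
            recent_config.append(e)
        elif e.register in PROCESS_REGISTERS:
            for c in recent_config:
                alerts.append(("reconfig-then-inject", e.ts,
                               f"config register {c.register} written by {c.src} at {c.ts}s, "
                               f"then process register {e.register} written by {e.src}"))
            recent_process.append(e)
            sources = {p.src for p in recent_process}
            if len(sources) >= min_sources:
                alerts.append(("distributed-write", e.ts,
                               f"{len(sources)} sources wrote process registers within "
                               f"{window}s: " + ", ".join(sorted(sources))))
    return alerts


# Constructed sample capture: one reconfiguration from an engineering workstation,
# then setpoint writes from two other hosts shortly after, then an isolated write.
SAMPLE_EVENTS = [
    WriteEvent(0.0, "hmi-1", 3),
    WriteEvent(10.0, "eng-ws", 105),
    WriteEvent(15.0, "hmi-2", 3),
    WriteEvent(16.0, "hmi-3", 4),
    WriteEvent(200.0, "hmi-1", 5),
]

if __name__ == "__main__":
    for kind, ts, detail in detect_combined_attacks(SAMPLE_EVENTS):
        print(f"[{ts:6.1f}s] {kind}: {detail}")
```

Both rules fire only on the combination, never on a single legal write, which is what distinguishes this monitor from the per-packet filter; the cost is that the window and source threshold must be tuned against normal operation (several HMIs legitimately writing setpoints, for instance), otherwise the second rule becomes noise.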
Experimental Platform (Grenoble)
[Figure: architecture of the experimental platform. Inputs: hierarchical architecture model, security properties, functional properties. Components: static analysis, monitor synthesis, attack library, test generation, monitors. Execution platform: G-ICS.]
Model Based analysis to detect vulnerabilities in protocol implementations
- Previous work for vulnerability detection
  - SPaCIoS: tool box for vulnerability detection in IoS (Internet of Services: web applications)
    - Based on a model of cryptographic protocols + model checking, model based testing, model inference…
  - KameleonFuzz: smart fuzzing
    - Based on protocol model and grammar
The SPaCIoS Tool
[Figure: SPaCIoS Tool architecture. The Security Analyst works through the User Interface on the security goals, the model of the attacker, the SUV source code and user guidance. Components: source-based model inference, trace-driven fault localization, model inference and adjustment, property-driven and vulnerability-driven test case generation (from attack patterns, security goals and attacker models), test case generation and test drivers executing against the System Under Validation (SUV) through a test stub. Outputs: model of the SUV, abstract execution traces, vulnerabilities, fault locations, test results.]
- Modelling with ASLan++
- Models can be retrieved
  - From source code (jModex)
  - Black box testing (SIMPA)
Objectives / Results (SPaCIoS)
Objectives:
- WP 3: Validation techniques
  - model checking
  - model inference (SIMPA)
  - model extraction (jModex)
  - property-driven testing
  - mutation-based testing (SPaCiTE)
  - vulnerability-driven testing
  - instrumentation-based testing (IBT)
  - bridge components
  - LTL separation for testing (Fred)
  - low-level attacker models (Vera)
  - fuzzing (KameleonFuzz & SVCov)
- WP 4: SPaCIoS Tool; validation methodology patterns
Results:
- ✓ Working prototypes (and more)
- ✓ SPaCIoS Tool released
- ✓ Validation methodology patterns & tutorials
[Figure: SPaCIoS Tool architecture as on the previous slide, with the Model Checker and the Test Execution Engine running against the real system (SUV).]
KameleonFuzz overview
[Figure: KameleonFuzz loop. A. Inferring the SUT state model; B. Approximate taint dataflow; C.1. Malicious inputs generation; C.2. Precise taint dataflow; D. Evolutionary algorithm that evolves the inputs. Steps: taint inputs, generate inputs, infer taint in outputs, check whether the attack succeeded, annotate the model if a new page or state is discovered.]
26/02/18
Other approach: test patterns
Back to SCADA & CPS security
- Weak protocols => easily found attacks
- Difficulties lie in concretization
  - Bypassing security architecture
    - firewall, through encapsulation & multiple interfaces
    - IDS, through non-monitored channels
  - Dealing with proprietary undocumented protocols and features
- Methods above might be too sophisticated?
THANK YOU FOR YOUR ATTENTION.
Contact: Roland.Groz@univ-grenoble-alpes.fr
Professor at Grenoble INP Ensimag
BACKUP SLIDES
Architecture of Industrial Control Systems
[Figure: generic SCADA architecture to be secured (Atos Worldgrid, 21/10/2013 – V1, draft; project: AAP sécurité SCADA). Outside the enterprise: trusted sites (Boursorama, Météo France, national antivirus server), remote surveillance/maintenance, SAP ERP. Enterprise trust domain: external DMZ (firewall n°2, VPN, admin/log, antivirus, repository/publication servers, proxy relay), isolation zone (internal DMZ), administration, event archiving/correlation, then firewall n°1 towards the SCADA site. Level 3, supervision zone: hypervisor, system administration, business databases/historian, logs/accounting, business consultation workstations; standard protocols (OPC UA, others), administration flows, FTP…; attack-surface reduction by zoning. Level 2, SCADA zones: control rooms, SCADA stations (thick clients), SCADA servers (local or remote), many internal SCADA protocols; attack-surface reduction by zoning. PLC protocols between levels 2 and 1: OPC UA, Modbus TCP, vendor-specific protocols over TCP or UDP, administration flows, FTP… Level 1, automation zones: PLC concentrators/aggregators, PLCs, intelligent sensors/meters, RTUs. Level 0: sensors/actuators, processes. Legend: network equipment (switches etc.), firewall, IPS/IDS, data diode; RTU = Remote Transmission Unit.]
ARAMIS
Low-level attacker models: Vera
[Figure: SPaCIoS Tool architecture with the Vera components highlighted: an attacker model library, instantiation of attacker models against the model of the SUV, concrete attack traces fed to the Test Execution Engine and run against the real system (SUV), to answer the question "Vulnerabilities?".]