Towards High-Interaction Virtual ICS Honeypots-in-a-Box

  1. Towards High-Interaction Virtual ICS Honeypots-in-a-Box
  CPS-SPC 16 @ Vienna, AU
  Daniele Antonioli, Anand Agrawal, N. O. Tippenhauer
  daniele_antonioli@sutd.edu.sg

  2. Overview (Abstract)
  In this work we:
  • Present the design of a realistic ICS honeypot
    ◮ Satisfying traditional and ICS requirements
    ◮ That is high-interaction, virtualized and low-cost
  • Show an implementation of such a design
    ◮ Targeting ICS based on EtherNet/IP
    ◮ High-interaction without full virtualization
    ◮ Compatible with Software-Defined Networking
  • Discuss its evaluation
    ◮ S3's Capture-The-Flag (CTF) for ICS

  3. Industrial Control Systems (ICS) (Motivation)
  • Industrial Control Systems (ICS)
    ◮ Connected devices managing an industrial process
    ◮ Control and monitor: PLC, SCADA, HMI
    ◮ Physical: sensors, actuators
    ◮ Cyber: switches, routers, gateways
  • ICS security is a major challenge
    ◮ Internet-facing control networks
    ◮ Cyber and physical attack surface
    ◮ Legacy code, uncertified devices

  4. Real Water Treatment ICS (Motivation)
  [Diagram: SCADA, Historian, VPN/Gateway and HMIs connected through a switch on the L1 network; one pair of PLCs (PLC1a/PLC1b ... PLCna/PLCnb) per process; each process has its own L0 network with Remote IO (RIO) linking the PLCs to its sensors and actuators]

  4. Real Water Treatment ICS, continued (Motivation)
  [Same diagram, with an Attacker reaching the VPN/Gateway over the Internet]

  5. Our Idea: ICS Honeypots (Motivation)
  [Diagram: the same water treatment ICS layout (SCADA, Historian, VPN/Gateway, HMIs, L1 network, PLC pairs, L0 networks with Remote IO, sensors and actuators), now exposed as a honeypot that the Attacker reaches over the Internet]

  6. ICS Honeypots: Introduction (Motivation)
  • Systems intended to be probed, attacked, and compromised
    ◮ Lure the attacker by impersonating an ICS
    ◮ Stop or slow down the attack
    ◮ Study the attacker's behaviour
  • Classifications
    ◮ Infrastructure: real vs. virtual (vs. hybrid)
    ◮ Realism: low-interaction vs. high-interaction
    ◮ Role: client vs. server
    ◮ Usage: research vs. production

  7. Our Honeypot: Attacker Model (Motivation)
  • Assumptions
    ◮ The honeypot is reached over the Internet
    ◮ The vulnerable interface determines the attack surface
  • Capabilities
    ◮ Fingerprinting: addresses, ports, protocols
    ◮ Protocols: knowledge of all protocols used in the system
    ◮ Physical system: limited knowledge of the process and devices
  • Interactions
    ◮ Denial-of-Service: flood the network
    ◮ Man-in-the-Middle: passive and active
    ◮ Device impersonation: valid and malformed packets
    ◮ Sabotage: trigger actions through malicious commands

  8. Our Honeypot: Requirements (Motivation)
  • High-interaction ICS honeypot
    ◮ Simulate the physical process
    ◮ Simulate the ICS devices: control logic, services
    ◮ Emulate the network infrastructure
  • Low-cost
    ◮ Reconfigurable
    ◮ Scales
  • ICS requirements
    ◮ Time: completion of tasks, and delivery of packets
    ◮ Determinism: schedule of tasks, and order of packets

  9. Simple Design Approach (Design)
  • How about an OpenPLC [1] indexed on shodan.io?
    ◮ Classification: real, low-interaction, server
    ◮ Pros: low-cost, configuration
    ◮ Cons: realism, scale
  [Diagram: Attacker reaching the OpenPLC over the Internet]
  [1] http://www.openplcproject.com/

  10. Our Honeypot: Design Choices (Design)
  • Virtual and high-interaction:
    ◮ Simulation of the physical process and ICS devices
    ◮ Lightweight network emulation
    ◮ Runs in-a-Box (with SDN support)
  • ICS requirements
    ◮ Time: real-time emulation and simulation
    ◮ Determinism: scriptable environment
  [Diagram: the water treatment ICS layout from slide 4 (SCADA, Historian, HMIs, VPN/Gateway, L1 network, PLC pairs, L0 networks with Remote IO, sensors and actuators) reproduced virtually, with the Attacker arriving over the Internet]

  11. Our Honeypot: Architecture (Design)
  [Diagram: Proposed Honeypot (top) vs. Real ICS (bottom). Top: simulated PLCs, a simulated HMI and a simulated physical process over an emulated network, with a VPN gateway and an SSH/Telnet gateway facing the Internet. Bottom: the real ICS/SCADA system with the same components (physical PLCs, HMI, physical process, ICS network, VPN gateway, SSH/Telnet gateway) and the Attacker on the Internet]

  12. MiniCPS Framework [CPS-SPC 15] (Implementation)
  "MiniCPS: A toolkit for security research on CPS Networks." https://github.com/scy-phy/minicps
  • (C)yber → Network Emulator
  • (P)hysical → Physical Layer Simulation and API
  • (S)ystem → Devices Simulation
  [Diagram: network components, each with its own component logic, connected to the Physical Layer Simulation through the Physical Layer API]


  13. Honeypot Implementation (Implementation)
  [Diagram: high-interaction virtual honeypot built on MiniCPS. EtherNet/IP devices on a switch managed by an SDN controller: HMI 192.168.1.100, PLC1 192.168.1.10, PLC2 192.168.1.20, PLC3 192.168.1.30, PLC4 192.168.1.40. Internet-facing devices reachable by the Attacker: VPN 192.168.1.76 and an SSH/Telnet Gateway 192.168.1.77. The PLCs and HMI act on the Physical Process through the Physical Layer Simulation and its API; each component runs its own component logic]


  14. Realistic Attack Propagation (Implementation)
  [Diagram: the same honeypot topology (HMI 192.168.1.100, PLC1 to PLC4 at 192.168.1.10, .20, .30, .40, VPN 192.168.1.76, SDN controller, Physical Layer Simulation and API) with the Attacker on the Internet]
  Attack propagates over the simulated components

  15. PLC Implementation (Implementation)
  • Allen-Bradley ControlLogix
    ◮ Same IP, MAC, and netmask
    ◮ Simulated control logic (modifiable in real time)
    ◮ EtherNet/IP server on port 44818, and client
    ◮ Same monitoring webserver
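  As an added example (not code from the paper or from MiniCPS), the following Python sketches the EtherNet/IP encapsulation handling a simulated ControlLogix needs on port 44818: it decodes the 24-byte header, answers RegisterSession the way a real target does, flags malformed packets instead of crashing (the attacker model above allows for them), and emits one log line per packet for the honeypot operator. The sample packets and the source address 203.0.113.7 are constructed.

```python
import struct

ENIP_PORT = 44818                   # TCP port the simulated ControlLogix listens on
ENCAP = struct.Struct("<HHII8sI")   # command, length, session handle, status, sender context, options
COMMANDS = {0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
            0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
            0x006F: "SendRRData", 0x0070: "SendUnitData"}
FINGERPRINTING = {0x0004, 0x0063, 0x0064}   # session-less commands scanners send first

def parse_encap(pkt: bytes) -> dict:
    """Decode the 24-byte header. Attacker input never raises: a short header, a bad
    length field or an unknown command is flagged so the honeypot logs it and keeps serving."""
    rec = {"cmd": None, "command": "n/a", "session": 0, "context": b"\x00" * 8,
           "data": b"", "stage": "n/a", "malformed": None}
    if len(pkt) < ENCAP.size:
        rec["malformed"] = "short header"
        return rec
    cmd, length, session, _status, ctx, _opts = ENCAP.unpack_from(pkt)
    rec.update(cmd=cmd, command=COMMANDS.get(cmd, f"unknown(0x{cmd:04x})"), session=session,
               context=ctx, data=pkt[ENCAP.size:],
               stage="fingerprinting" if cmd in FINGERPRINTING else "session")
    if cmd not in COMMANDS:
        rec["malformed"] = "unknown command"
    elif length != len(rec["data"]):
        rec["malformed"] = f"length field {length} != payload {len(rec['data'])}"
    return rec

def register_session_reply(rec: dict, handle: int) -> bytes:
    """Answer RegisterSession like a real target: echo the 8-byte sender context and hand out
    a session handle for protocol version 1, else status 0x0069 (unsupported version), no session."""
    version = struct.unpack_from("<H", rec["data"])[0] if len(rec["data"]) >= 4 else 0
    status, session = (0, handle) if version == 1 else (0x0069, 0)
    body = struct.pack("<HH", 1, 0)                      # protocol version 1, options 0
    return ENCAP.pack(0x0065, len(body), session, status, rec["context"], 0) + body

def honeypot_log(src: str, rec: dict) -> str:
    """One line per packet for the operator studying the attacker's behaviour."""
    flag = f" MALFORMED({rec['malformed']})" if rec["malformed"] else ""
    return f"{src} -> :{ENIP_PORT} {rec['stage']} {rec['command']} session=0x{rec['session']:08x}{flag}"

# Constructed sample traffic (not a capture): a scanner-style ListIdentity, a valid
# RegisterSession with sender context b"honeypot", and a truncated packet.
LIST_IDENTITY = ENCAP.pack(0x0063, 0, 0, 0, b"\x00" * 8, 0)
REGISTER = ENCAP.pack(0x0065, 4, 0, 0, b"honeypot", 0) + struct.pack("<HH", 1, 0)
TRUNCATED = REGISTER[:10]

if __name__ == "__main__":
    for pkt in (LIST_IDENTITY, REGISTER, TRUNCATED):   # 203.0.113.7 is a documentation address
        print(honeypot_log("203.0.113.7", parse_encap(pkt)))
```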

  16. Network Gateway Device Implementation (Implementation)
  • Moxa OnCell IP gateway
    ◮ e.g. provides IP connectivity over a 3G connection
    ◮ SSH server with default credentials
    ◮ Telnet server with default credentials (plaintext authentication)
  • Virtual implementation
    ◮ Same IP, MAC, and netmask
    ◮ sshd on port 22 with default credentials
    ◮ telnetd on port 23 with default credentials
    ◮ Attacker gets a (chrooted) shell
