SCADA Intrusion Detection System Test Framework
Total Page:16
File Type:pdf, Size:1020Kb
SCADA Intrusion Detection System Test Framework By: Henrik Waagsnes Supervisor: Nils Ulltveit-Moe, Associate Professor Ph.D IKT 590 - Master’s thesis Spring 2017 Department of Information and Communication Technology Faculty of Engineering and Science University of Agder Grimstad, 21 May 2017 Henrik Waagsnes SCADA Intrusion Detection System Test Framework Abstract Supervisory control and data acquisition (SCADA) systems play an important role in our critical infrastructure (CI). Several of the protocols used in SCADA communication are old and lack of security mechanisms. This master thesis presents a SCADA Intrusion Detection System Test Framework that can be used to simulate SCADA traffic and detect malicious network activity. The framework uses a signature-based approach and utilize two different IDS engines, Suricata and Snort. The IDS engines include rule-sets for the IEC 60870-5-104, DNP3 and Modbus protocols. The IDS engines ships detected events to a distributed cluster and visualize them using a web interface. The experiments carried out in this project show that there generally is little difference between Suricata and Snort's ability to detect malicious traffic. Suricata is compatible with signatures written in snort lightweight rules description language. I did however, discover some compatibility issues. The purposed framework applies additional latency to the analysis of IDS events. The perceived latency was generally higher for Snort events than for Suricata events. The reason for this is probably the additional processing time applied by the implemented log conversion tool. Keywords: SCADA, IDS, SIEM 2 Henrik Waagsnes SCADA Intrusion Detection System Test Framework Preface This report is the result of the master thesis IKT 590 (30 ECTS) which is part of my fourth semester MSc study at the Faculty of Engineering and Science, University of Agder (UiA) in Grimstad, Norway. The work on this project started from 1 January 2017 and ended on 21 May 2017. In this project, I have designed, implemented and demonstrate a "SCADA Intrusion Detection System Test Framework". I would like to express my gratitude to my supervisor Nils Ulltveit-Moe for making this Master Thesis possible and giving me guidance and feedback throughout this project. I would also like to thank NC-Spectrum AS for good support and for inviting me to a conference in Kviteseid themed securing SCADA systems. This conference helped me kick start my master thesis and gave me many new ideas. Grimstad May 2017 Henrik Waagsnes 3 Henrik Waagsnes SCADA Intrusion Detection System Test Framework List of figures Figure 1: Defense-in-depth security layers [3] ................................................................ 12 Figure 2: Activity framework for Design Science Research [5] ....................................... 14 Figure 3: Relationships between kernel theory, mid-range-theory and design theory, and the design process [5] .................................................................................................... 14 Figure 4: Reasoning in the Design Research Cycle [5] .................................................. 15 Figure 5: Hierarchy of the five levels of distribution automation (DA)[1] ......................... 16 Figure 6: DA level interconnection [1] ............................................................................. 17 Figure 7: First generation SCADA Architecture [6] ......................................................... 18 Figure 8: Second generation SCADA Architecture [6] .................................................... 19 Figure 9: Third generation SCADA Architecture [6] ........................................................ 19 Figure 10: Fourth generation SCADA Architecture [8] .................................................... 20 Figure 11: IEC 60870-5-104 APDU [11] ......................................................................... 21 Figure 12: Control Field Information Type Structure [10] ................................................ 21 Figure 13: Code Type Groups [10] ................................................................................. 21 Figure 14: DNP3 master/slave architecture [10] ............................................................. 22 Figure 15: DNP3 Data Link Frame [10] ......................................................................... 22 Figure 16: Modbus Client/Server communication model [13] ......................................... 23 Figure 17: Modbus TCP/IP communication architecture [13] ......................................... 24 Figure 18: General Modbus frame [13] ........................................................................... 24 Figure 19: Modbus TCP/IP frame [13] ............................................................................ 24 Figure 20:Interrelations between the IEC TC57 standards and the IEC 62351 security standards [20] ................................................................................................................. 27 Figure 21: Stuxnet first three stages[21] ......................................................................... 28 Figure 22: Stuxnet last three stages[21] ......................................................................... 28 Figure 23: Multilayer SCADA cyber-security framework with IDS [31] ............................ 34 Figure 24: SCADA-IDS security management system [31] ............................................ 34 Figure 25: Hybrid SCADA-IDS process [31] ................................................................... 35 Figure 26: OCSVM classification [35] ............................................................................. 38 Figure 27: Alert-ontology [40] ......................................................................................... 40 Figure 28: Architecture overview [41] ............................................................................. 42 Figure 29: SCADA network topology [41] ....................................................................... 43 Figure 30: SCADA Honeynet architecture [44] ............................................................... 44 Figure 31: GridLab District setup [45] ............................................................................. 44 Figure 32: Implementation overview of SoftGrid testbed [46] ......................................... 45 Figure 33: Placement of A*CMD system [46] ................................................................. 46 Figure 34: Framework Architecture ................................................................................ 49 Figure 35: IEC Server panels ......................................................................................... 51 Figure 36: qtester104.ini configuration file ...................................................................... 52 Figure 37: QTester104 GUI connected to IEC Server .................................................... 52 Figure 38: Wireshark analysis of IEC 60870-5-104 communication ............................... 53 Figure 39: OSHMI KOR1 substation in simulation mode switch on ................................ 53 Figure 40: OSHMI KOR1 substation in simulation mode switch off ................................ 54 4 Henrik Waagsnes SCADA Intrusion Detection System Test Framework Figure 41: OSHMI KOR1 event viewer in simulation mode ............................................ 54 Figure 42: OSHMI KOR1 substation trend viewer in simulation mode ........................... 54 Figure 43: OpenMUC j60870 Client Console default ...................................................... 55 Figure 44: Adding new commands and acionkeys ......................................................... 55 Figure 45: Configuring action for actionkey .................................................................... 56 Figure 46: Add new action for each command ............................................................... 56 Figure 47: OpenMUC j60870 Client Console after modification ..................................... 56 Figure 48: ELK stack architecture................................................................................... 62 Figure 49: Logstash configuration [51] ........................................................................... 63 Figure 50: Three-node cluster ........................................................................................ 64 Figure 51:ELK stack successfully configured ................................................................. 65 Figure 52: Pie chart visualization in kibana .................................................................... 65 Figure 53: Monitoring dashboard provided by x-pack ..................................................... 66 Figure 54: Elasticsearch monitoring using x-pack .......................................................... 66 Figure 55: Functionality available in x-pack [53] ............................................................. 67 Figure 56: Network traffic monitoring dashboard ............................................................ 68 Figure 57: IDS alert monitoring dashboard ..................................................................... 69 Figure 58: IDS comparison dashboard ........................................................................... 69 Figure 59: Experimental dashboard ................................................................................ 70 Figure 60: Calculating latency ........................................................................................ 70 Figure 61: Latency Dashboard