Cybersecurity on SCAD Analysis and Reaction Security on SCADA


FP7-SEC-2011-1 Project 285647
Cyber security on SCADA: risk prediction, analysis and reaction tools for Critical Infrastructures

D2.1 - Overview of modelling techniques and tools for SCADA systems under cyber attacks

Organisation name of lead contractor for this deliverable: ENEA

General information
Submission date: 3 July 2012
Dissemination level: Public
State: Final version
Work package: WP2000 - Modelling and prediction of QoS of interdependent SCADA and Telco Networks facing cyber attacks
Task: Task 2001 - Overview of modelling techniques and tools to represent SCADA systems under cyber attacks
Delivery date: 30 June 2012
Classification: Public
Ref.: CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx (Final version, 153 pages)

Editors
E. Ciancamerla, M. Minichino (ENEA)

Authors
E. Ciancamerla, A. Di Pietro, M. Minichino, S. Palmieri (ENEA)
M. Ouedraogo (Henry Tudor)
S. Iassinovski (Multitel)
T. Cruz, E. Monteiro, J. Proença, P. Simões (University of Coimbra)
C. Foglietta, S. Panzieri (Roma 3)

Reviewers
S. Iassinovski (Multitel), 28-06-2012
M. Aubigny (iTrust), 01-07-2012

Executive Summary

This document provides an overview of modelling techniques and tools able to represent Industrial Control Systems (ICS) under cyber attacks.
ICS include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC). They are typically used in industries such as electric, water and wastewater, oil and natural gas, etc. SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. DCS are generally used to control production systems within a local area such as a factory using supervisory and regulatory control. PLC are generally used for discrete control for specific applications and generally provide regulatory control. These control systems are vital to the operation of critical infrastructures that are often highly interconnected and mutually dependent systems.

Before going into details on the overview of modelling techniques and tools to represent ICS and SCADA and their behaviour under cyber attacks, this document also intends to give details on a minimum, preliminary, but still huge, context. That is needed to make the document self-contained and to help even a non-expert reader understand the main issues of modelling techniques and tools able to represent Industrial Control Systems (ICS) under cyber attacks. In particular, the document deals with the following topics.

Glossary. It is an extended glossary extracted from sector standards and guidelines.

CockpitCI vision. The CockpitCI system will be fed by prediction models of the QoS delivered to CI customers in nominal conditions and under cyber attacks on the SCADA and enterprise network. Within the project, modelling techniques able to represent cyber attacks, their exploitation of the cyber vulnerabilities of Critical Infrastructures, up to penetration within Industrial Control Systems and SCADA, will be investigated.
In line with the project aim, special attention has been paid to the ability of such techniques and tools to predict the impact of successful attacks on the Industrial Control Systems, of which SCADA systems are a subset, and in turn on the Quality of Service delivered by the target CI, which is either functionally or cyber interdependent with other CIs.

Malware classification. Malware has become the most significant external threat to most systems, causing widespread damage and disruption, and necessitating extensive recovery efforts within most organizations. Several major forms of malware, including viruses, worms, Trojan horses, malicious mobile code, blended attacks, spyware tracking cookies, and attacker tools such as backdoors and rootkits have been addressed.

Stealing information and starting an attack. The techniques used to steal information and start a cyber attack on a SCADA system are not very different from those used against an ICT system. Typical attack phases, such as password guessing, port scanning, exploitation, Man-In-The-Middle (MITM) and Denial of Service (DoS), have been considered.

Industrial Control System within a CI. A hierarchy of logical levels characterizes the ICS within a Critical Infrastructure. Differences and similarities in cyber security between ICS and ICT (Information and Communication Technology) systems are highlighted. Initially, ICS had little resemblance to traditional ICT systems in that ICS were isolated systems running proprietary control protocols using specialized hardware and software.
Widely available, low-cost Internet Protocol (IP) devices are now replacing proprietary solutions, which increases the possibility of cyber security vulnerabilities and incidents.

ICS cyber threats, vulnerabilities and attacks. Originally, ICS implementations were susceptible primarily to local threats because many of their components were in physically secured areas and the components were not connected to IT networks or systems. However, the trend toward integrating ICS systems with IT networks provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems from remote, external threats.

ICS security policies and solutions. Major security objectives for an ICS implementation should include the following:

a) Restricting logical access to and protecting the ICS network and network activity. This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, having separate authentication mechanisms and credentials for users of the corporate and ICS networks, and using Intrusion Detection/Prevention Systems and Honeypots/Honeynets.

b) Protecting individual ICS components from exploitation. This includes deploying security patches; disabling all unused ports and services; restricting ICS user privileges to only those that are required for each person's role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.

ICS cyber security: modelling techniques and tools. Cyber security methodologies, models and tools are fundamentally based on the identification of attacker profiles, attack objectives, the characterization of attack steps, their spreading throughout the ICS network, and the consequences for CI customers.
In this view, and having in mind the main objective of the CockpitCI project, different cyber security methodologies, models and tools are discussed, whether used as a single package to address specific aspects of the attack scenario or integrated together to cover the whole attack scenario. At the state of the art, no single modelling technique has the modelling power and the analytical tractability to adequately deal with the modelling and early prediction of the QoS of a SCADA system facing adverse events, such as cyber attacks, while accounting for cyber interdependency along the CI ICT backbone. As a consequence, for analyzing ICS under cyber attacks and the related consequences on CI (i.e. Power grid) services to customers, we distinguish four kinds of models, each one requiring specialized methods and tools which, in turn, could rely on specialized or general modelling formalisms:

1) Attacks/attacker/vulnerability models (attack/vulnerability trees, Petri nets, Game theory);
2) ICS & enterprise network models (network simulators/emulators);
3) CI models (i.e. electrical models by power flow simulators);
4) Composite models representing more than one aspect of the attack scenario (at least two different kinds of the previous models), up to the whole attack scenario (i.e. attacks model plus ICS & enterprise network model plus CI model), which may require more than one (hybrid versus homogeneous) method and tool.

Several tools which partially or wholly cover the above methods and models have also been reviewed. Many of them rely on stochastic approaches such as Petri nets, Game theory, Markov chains, Bayesian networks and Monte Carlo methods; others rely on different approaches such as agent-based simulation, discrete event simulation, etc.

Different comparison paradigms could be used to compare the modelling techniques and tools resulting from this overview. Modelling formalisms could be ranked according to different criteria, i.e. their modelling power against analytical tractability or by their ability to represent any part of the scenario to be represented
