Security Probes for Industrial Control Networks

Master in Informatics Engineering
Dissertation Final Report

Security Probes for Industrial Control Networks

Jorge Filipe Barrigas
[email protected]
Academic Advisor: Prof. Tiago José dos Santos Martins da Cruz
Date: July 01, 2014

Acknowledgements

I would like to express my special appreciation and thanks to my advisor, Professor Tiago Cruz, for his excellent guidance, caring, patience, and for providing me with an excellent atmosphere for doing research. I would also like to thank the LCT team and Professor Dr. Paulo Simões for all the support in my research. Finally, I would also like to thank my parents. They were always supporting me and encouraging me with their best wishes.

Summary

During the last years, some of the attacks towards SCADA made headlines, helping raise awareness. Some of the vulnerabilities may even be exploited to harm other systems, eventually ending up compromising specific points of SCADA networks. At the same time, a growing number of threats related to the physical layer has made new issues and low-level mechanisms emerge, requiring a careful approach and monitoring to secure such devices. Threats of this type are considered to be even more dangerous than SCADA-specific ones, since they operate at a lower level, unnoticed by scanners and anti-viruses. Considering this scenario, we can expect a growing number of these threats to affect SCADA components if adequate countermeasures are not taken.

Over the last ten months (from September 16, 2013 until June 27, 2014), a new concept was developed for the current thesis, in the context of the FP7 CockpitCI project, to reinforce the security of SCADA systems. This concept refers to a device installed at a key juncture of the network, with the purpose of monitoring the behavior of specific components while reporting detected anomalies. However, even before this thesis (during the second curriculum semester of the year 2012/2013) there was already some research being made in this sense, which is reflected in the amount of results included in this document.

Keywords

SCADA Systems, Detection Architecture, Shadow RTU, Probing Architecture, Man-in-the-middle, Attack Scenarios

Index

1 Introduction (p. 1)
  1.1 Context – Security in SCADA Systems, CockpitCI Project (p. 1)
  1.2 Thesis Objectives (p. 1)
  1.3 Structure of the Document (p. 3)
2 State of the Art – SCADA Security (p. 4)
  2.1 Introduction – SCADA Generations (p. 4)
  2.2 Overview of SCADA Vulnerabilities (p. 6)
  2.3 Evaluation of Architecture Partitioning Solutions (p. 7)
    2.3.1 Dual-Homed Solutions (p. 7)
    2.3.2 Router and Firewall-based Solutions (p. 8)
    2.3.3 DMZ and VPN-based Solutions (p. 10)
    2.3.4 Solution Comparison and Evaluation (p. 12)
  2.4 Post-Stuxnet Security (p. 13)
    2.4.1 Vulnerabilities in Hardware and Software Components (p. 15)
    2.4.2 Future Threats in ICS/SCADA (p. 16)
  2.5 Low-Level Threats (p. 18)
    2.5.1 Advanced Volatile Threats (AVTs) (p. 18)
    2.5.2 Memory Attacks (p. 18)
    2.5.3 Advanced Persistent Threats (APTs) (p. 19)
    2.5.4 Firmware Attacks (p. 20)
    2.5.5 Rootkits (p. 20)
  2.6 Methods of Exploitation (p. 20)
  2.7 Secure Execution Environments (p. 21)
    2.7.1 PEE within a Computer System (p. 22)
    2.7.2 One-way Isolation (p. 24)
  2.8 Secure Execution Approaches (p. 25)
    2.8.1 Virtualization (p. 25)
    2.8.2 File System and Process Confinement (p. 26)
    2.8.3 Containers (p. 26)
    2.8.4 Container-based Solutions (p. 27)
    2.8.5 Access Control Policies (p. 27)
  2.9 Containers Comparison and Evaluation (p. 27)
  2.10 Isolation Contexts (p. 28)
3 CockpitCI Reference Architecture (p. 30)
  3.1 Requirements for the Proposed Architecture (p. 30)
  3.2 Probing Architecture (p. 30)
  3.3 Detection Agents (p. 31)
    3.3.1 Network and Host Intrusion Detection Systems (p. 31)
    3.3.2 Honeypot (p. 31)
    3.3.3 Shadow RTU (p. 32)
  3.4 Detection Architecture (p. 32)
  3.5 CockpitCI Security Ontology (p. 35)
4 Proposed Probing Architecture (p. 38)
  4.1 Shadow RTU Concept (p. 38)
  4.2 Probing Modules (p. 39)
    4.2.1 Network Event Monitoring (p. 39)
    4.2.2 Network Data Collection (p. 40)
    4.2.3 Network Data Processing (p. 41)
    4.2.4 Network Event Configuration (p. 41)
    4.2.5 Network Event Programming (p. 42)
    4.2.6 Event Execution (p. 42)
    4.2.7 Event Reporting (p. 43)
  4.3 Motivations and Requirements (p. 44)
  4.4 Management Interfaces (p. 46)
    4.4.1 System Management (p. 46)
    4.4.2 Event Management (p. 47)
    4.4.3 Container Management (p. 47)
5 Concept Validation (p. 49)
  5.1 Hardware Validation (p. 49)
    5.1.1 System Requirements (p. 49)
    5.1.2 Network Monitoring Options (p. 52)
    5.1.3 Passive Ethernet Taps (p. 53)

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 123
