General Terms - 異質多網安全檢測平台建置計畫(III)

Security

Keywords

SCADA, security, IDS, control systems, critical infrastructure pro-tection, cyber-physical systems

1. INTRODUCTION

Control systemsare computer-based systems that monitor and controlphysical processes. These systems represent a wide vari-ety of networked information technology (IT) systems connected to the physical world. Depending on the application, these control systems are also called Process Control Systems (PCS), Supervi-sory Control and Data Aquisition (SCADA) systems (in industrial control or in the control of the critical infrastructures), Distributed Control Systems (DCS) or Cyber-Physical Systems (CPS) (to refer to embedded sensor and actuator networks).

Control systems are usually composed of a set of networked agents, consisting of sensors, actuators, control processing units such as programmable logic controllers (PLCs), and communica-tion devices. For example, the oil and gas industry use integrated control systems to manage reﬁning operations at plant sites, re-motely monitor the pressure and ﬂow of gas pipelines, and control the ﬂow and pathways of gas transmission. Water utilities can re-motely monitor well levels and control the wells pumps; monitor ﬂows, tank levels, or pressure in storage tanks; monitor pH, turbid-ity, and chlorine residual; and control the addition of chemicals to the water.

Several control applications can be labeled as safety-critical: their failure can cause irreparable harm to the physical system being con-trolled and to the people who depend on it. SCADA systems, in par-ticular, perform vital functions in national critical infrastructures, such as electric power distribution, oil and natural gas distribution, water and waste-water treatment, and transportation systems. They are also at the core of health-care devices, weapons systems, and transportation management. The disruption of these control sys-tems could have a signiﬁcant impact on public health, safety and lead to large economic losses.

Control systems have been at the core of critical infrastructures, manufacturing and industrial plants for decades, and yet, there have been few conﬁrmed cases of cyberattacks. Control systems, how-ever, are now at a higher risk to computer attacks because their vulnerabilities are increasingly becoming exposed and avail-able to an ever-growing set of motivated and highly-skilled at-tackers.

No other attack demonstrates the threat to control systems as the

355

Stuxnet worm [1, 2]. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming controllers to operate, most likely, out of their speciﬁed boundaries [1]. Stuxnet demonstrates that the motivation and capability exists for creating computer attacks capable to achieve military goals [3].

Not only can Stuxnet cause devastating consequences, but it is also very difﬁcult to detect. Because Stuxnet used zero-day vul-nerabilities, antivirus software would not have prevented the at-tack. In fact, the level of sophistication of the attack prevented some well known security companies such as Kaspersky to detect it initially [4]. In addition, victims attempting to detect modiﬁca-tions to their embedded controllers would not see any rogue code as Stuxnet hides its modiﬁcations with sophisticated PLC rootkits, and validated its drivers with trusted certiﬁcates.

The main motivation behind this work is the observation that while attackers may be able to hide the speciﬁc information tech-nology methods used to exploit the system and reprogram their computers, they cannot hide their ﬁnal goal: the need to cause an adverse effect on the physical system by sending malicious sensor or controller data that will not match the behavior expected by a supervisory control or an anomaly detection system.

Therefore, in this paper we explore security mechanisms that de-tect attacks by monitoring the physical system under control, and the sensor and actuator values. Our goal is to detect modiﬁcations to the sensed or controlled data as soon as possible, before the at-tack causes irreversible damages to the system (such as compro-mising safety margins).

In the rest of the paper we ﬁrst summarize the vulnerability of control systems by discussing known attacks. We then discuss the efforts for securing control systems solely from an information technology perspective and identify the new and unique research problems that can be formulated by including a model of the phys-ical system under control. We then develop a new attack detection algorithm and study the methodology on how to evaluate anomaly detection algorithms and their possible response strategies.

2. THE VULNERABILITY OF CONTROL SYSTEMS AND STUXNET

There have been many computer-based incidents in control sys-tems. Computer-based accidents can be caused by any unantic-ipated software error, like the power plant shutdown caused by a computer rebooting after a patch [5]. Non-targeted attacks are incidents caused by the same attacks that any computer connected to the Internet may suffer, such as the Slammer worm infecting the Davis-Besse nuclear power plant [6], or the case of a controller be-ing used to send spam in a water ﬁlterbe-ing plant [7].

However, the biggest threat to control systems are Targeted at-tacks. These attacks are the ones where the miscreants know that they are targeting control systems, and therefore, they tailor their attack strategy with the aim of damaging the physical system un-der control. Targeted attacks against control systems are not new.

Physical attacks–for extortion and terrorism–are a reality in some countries [8]. Cyber-attacks are a natural progression to physical attacks: they are cheaper, less risky for the attacker, are not con-strained by distance, and are easier to replicate and coordinate.

A classic computer-based targeted attack to SCADA systems is the attack on Maroochy Shire Council’s sewage control system in Queensland, Australia [9]. There are many other reported targeted attacks [10–16]; however, no other attack has demonstrated the threats that control systems are subject to as well as the Stuxnet worm [1, 2]. Stuxnet has made clear that there are groups with the motivation and skills to mount sophisticated computer-based attacks to critical infrastructures, and that these attacks are not just

speculations or belong only in Hollywood movies.

Stuxnet intercepts routines to read, write and locate blocks on a Programmable Logic Controller (PLC). By intercepting these re-quests, Stuxnet is able to modify the data sent to or returned from the PLC without the operator of the PLC ever realizing it [1].

Stuxnet was discovered on systems in Iran in June 2010 by re-searchers from Belarus–from the company VirusBlokAda; how-ever, it is believed to have been released more than a year before.

Stuxnet is a worm that spreads by infecting Windows computers.

It uses multiple methods and zero-day exploits to spread itself via LANs or USB sticks. It is likely that propagation by LAN served as the ﬁrst step, and propagation through removable drives was used to reach PCs not connected to other networks–therefore being iso-lated from the Internet or other networks is not a complete defense.

Once Stuxnet infects a Windows computer, it installs its own drivers. Because these drivers have to be signed, Stuxnet used two stolen certiﬁcates. Stuxnet also installs a rootkit to hide it-self. The goal of the worm in a Windows computer is to search for WinCC/Step 7, a type of software used to program and monitor PLCs. (PLCs are the embedded systems attached to sensors and actuators that run control algorithms to keep the physical system operating correctly. They are typically programmed with a ladder logic program: a logic traditionally used to design control algo-rithms for panels of electromechanical relays.)

If Stuxnet does not ﬁnd the WinCC/Step 7 software in the in-fected Windows machine, it does nothing; however, if it ﬁnds the software, it infects the PLC with another zero-day exploit, and then reprograms it. Stuxnet also attempts to hide the PLC changes with a PLC rootkit.

The reprogramming is done by changing only particular parts of the code–overwriting certain process variables every ﬁve seconds and inserting rouge ladder logic–therefore it is impossible to pre-dict the effects of this change without knowing exactly how the PLC is originally programmed and what it is connected to, since the PLC program depends on the physical system under control, and typically, physical system parameters are unique to each indi-vidual facility. This means that the attackers were targeting a very speciﬁc PLC program and conﬁguration (i.e., a very speciﬁc con-trol system deployment).

Many security companies, including Symantec and Kaspersky have said that Stuxnet is the most sophisticated attack they have ever analyzed, and it is not difﬁcult to see the reasons. Stuxnet uses four zero-day exploits, a Windows rootkit, the ﬁrst known PLC rootkit, antivirus evasion techniques, peer-to-peer updates, and stolen certiﬁcates from trusted CAs. There is evidence that Stuxnet kept evolving since its initial deployment as attackers upgraded the in-fections with encryption and exploits, apparently adapting to con-ditions they found on the way to their target. The command and control architecture used two servers if the infected machines were able to access the Internet, or a peer to peer messaging system that could be used for machines that are ofﬂine. In addition, the attack-ers had a good level of intelligence about their target; they knew all the details of the control system conﬁguration and its programs.

The sophistication of this attack has lead many to speculate that Stuxnet is the creation of a state-level sponsored attack. Since Iran has an unusually high percentage of the total number of reported infections of the worm in the world [1], there has been some spec-ulation that their target was a speciﬁc industrial control system in Iran [2], such as a gas pipeline or power plant.

We argue that a threat like the Stuxnet worm must be dealt with defense-in-depth mechanisms like anomaly detection schemes. While traditional anomaly detection mechanisms may have some draw-backs like false alarms, we argue that for certain control systems, anomaly detection schemes focusing on the physical system–instead

356

of using software or network models–can provide good detection capabilities with negligible false alarm rates.

3. NEW SECURITY PROBLEMS FOR CON-TROL SYSTEMS

3.1 Efforts for Securing Control Systems

Most of the efforts for protecting control systems (and in partic-ular SCADA) have focused on safety and reliability (the protection of the system against random and/or independent faults). Tradi-tionally, control systems have not dealt with intentional actions or systematic failures. There is, however, an urgent growing concern for protecting control systems against malicious cyberattacks [6, 17–24].

There are several industrial and government-led efforts to im-prove the security of control systems. Several sectors–including chemical, oil and gas, and water–are currently developing programs for securing their infrastructure. The electric sector is leading the way with the North American Electric Reliability Corporation (NERC) cybersecurity standards for control systems [25]. NERC is autho-rized to enforce compliance to these standards, and it is expected that all electric utilities are fully compliant with these standards by the end of 2010.

NIST has also published a guideline for security best practices for general IT in Special Publication 800-53. Federal agencies must meet NIST SP800-53. To address the security of control sys-tems, NIST has also published a Guide to Industrial Control Sys-tem (ICS) Security [26], and a guideline to smart grid security in NIST-IR 7628. Although these recommendations are not enforce-able, they can provide guidance for analyzing the security of most utility companies.

ISA (a society of industrial automation and control systems) is developing ISA-SP 99: a security standard to be used in manufac-turing and general industrial controls.

The Department of Energy has also led security efforts by estab-lishing the national SCADA test bed program [27] and by devel-oping a 10-year outline for securing control systems in the energy sector [21]. The report–released in January 2006–identiﬁes four main goals (in order from short-term goals to long-term goals): (1) measure the current security posture of the power grid, (2) develop and integrate protective measures, (3) implement attack detection and response strategies; and (4) sustain security improvements.

The use of wireless sensor networks in SCADA systems is be-coming pervasive, and thus we also need to study their security.

A number of companies have teamed up to bring sensor networks in the ﬁeld of process control systems, and currently, there are two working groups to standardize their communications [28, 29].

Their wireless communication proposal has options to conﬁgure hop-by-hop and end-to-end conﬁdentiality and integrity mechanisms.

Similarly they provide the necessary protocols for access control and key management.

All these efforts have essentially three goals: (1) create aware-ness of security issues with control systems, (2) help control sys-tems operators and IT security ofﬁcers design a security policy, and (3) recommend basic security mechanisms for prevention (authen-tication, access controls, etc), detection, and response to security breaches.

While these recommendations and standards have placed signif-icant importance on survivability of control systems (their ability to operate while they are under attack); we believe that they have not explored some new research problems that arise when control systems are under attack.

3.2 Differences

While it is clear that the security of control systems has become an active area in recent years, we believe that, so far, no one has been able to articulate what is new and fundamentally different in this ﬁeld from a research point of view when compared to tradi-tional IT security.

In this paper we would like to start this discussion by summariz-ing some previously identiﬁed differences and by propossummariz-ing some new problems.

The property of control systems that is most commonly brought up as a distinction with IT security is that software patching and frequent updates, are not well suited for control systems. For example, upgrading a system may require months of advance in planning how to take the system ofﬂine; it is, therefore, econom-ically difﬁcult to justify suspending the operation of an industrial computer on a regular basis to install new security patches. Some security patches may even violate the certiﬁcation of control tems, or–as previously mentioned–cause accidents to control sys-tems [5].

Patching, however, is not a fundamental limitation to control sys-tems. A number of companies have demonstrated that a careful antivirus and patching policy (e.g., the use of tiered approaches) can be used successfully [30, 31]. Also, most of the major control equipment vendors now offer guidance on both patch management and antivirus deployment for their control products. Thus there is little reason for SCADA system operators not to have good patch and antivirus programs in place today [32].

Large industrial control systems also have a large amount of legacy systems. Lightweight cryptographic mechanisms to en-sure data integrity and conﬁdentiality have been proposed to se-cure these systems [33, 34]. The recent IEEE P1711 standard is designed for providing security in legacy serial links [35]. Having some small level of security is better than having no security at all;

however, we believe that most of the efforts done for legacy systems should be considered as short-term solutions. For properly secur-ing critical control systems the underlysecur-ing technology must satisfy some minimum performance requirements to allow the implemen-tation of well tested security mechanisms and standards.

Another property of control systems that is commonly mentioned is the real-time requirements of control systems. Control systems are autonomous decision making agents which need to make deci-sions in real time. While availability is a well studied problem in information security, real-time availability provides a stricter op-erational environment than most traditional IT systems. We show in this paper that real-time availability requirements depend on the dynamics (fast vs. slow) of the physical system.

Not all operational differences are more severe in control sys-tems than in traditional IT syssys-tems. By comparison to enterprise systems, control systems exhibit comparatively simpler network dynamics: Servers change rarely, there is a ﬁxed topology, a sta-ble user population, regular communication patterns, and a limited number of protocols. Therefore, implementing network intrusion detection systems, anomaly detection, and white listing may be eas-ier than in traditional enterprise systems [36].

3.3 What is new and fundamentally different?

While all these differences are important, we believe that the ma-jor distinction of control systems with respect to other IT systems is the interaction of the control system with the physical world.

While current tools from information security can give necessary mechanisms for securing control systems, these mechanisms alone are not sufﬁcient for defense-in-depth of control systems. When attackers bypass basic security defenses they may be able to affect

357

the physical world.

In particular, research in computer security has focused tradi-tionally on the protection of information; but it has not consid-ered how attacks affect estimation and control algorithms–and ulti-mately, how attacks affect the physical world.

We believe that by understanding the interactions of the control system with the physical world, we should be able to develop a general and systematic framework for securing control systems in three fundamentally new areas:

1. Better understand the consequences of an attack for risk as-sessment. While there has been previous risk assessment studies on cyber security for SCADA systems [18, 37–39], currently, there are few studies on identifying the attack strat-egy of an adversary, once it has obtained unauthorized ac-cess to some control network devices. Notable exceptions are the study of false data-injection attacks to state estima-tion in power grids [40–45], and electricity markets [46]. We need further research to understand the threat model in order to design appropriate defenses and to invest in securing the most critical sensors or actuators.

2. Design new attack-detection algorithms. By monitoring the behavior of the physical system under control, we should be able to detect a wide range of attacks by compromised mea-surements. The work closest to ours are the study of false data injection attacks in control systems [47] and the intru-sion detection models of Rrushi [48]–this last work; how-ever, does not consider dynamical models of the process con-trol system. We need further research on dynamical system models used in control theory as a tool for speciﬁcation-based intrusion detection systems.

3. Design new attack-resilient algorithms and architectures: we need to design and operate control systems to survive an in-tentional cyber assault with no loss of critical functions. Our goal is to design systems where even if attackers manage to bypass some basic security mechanisms, they will still face several control-speciﬁc security devices that will minimize the damage done to the system. In particular, we need to in-vestigate how to reconﬁgure and adapt control systems when they are under an attack to increase the resiliency of the sys-tem. We are not aware of any other work on designing new control algorithms or reconﬁguration and control algorithms able to withstand attacks, or that reconﬁgure their operations based on detected attacks. There is previous work on safety

在文檔中異質多網安全檢測平台建置計畫(III) (頁 61-68)