
Implementing MultiStage Attack Approach Detection & Updated Thesis Report

Shreyas Srinivasa 8 lat temu
rodzic
commit
0619538ab3

+ 89 - 4
src/de/tudarmstadt/informatik/hostage/Services/MultiStage.java

@@ -2,16 +2,20 @@ package de.tudarmstadt.informatik.hostage.Services;
 
 import android.app.Service;
 import android.content.Intent;
+import android.content.SharedPreferences;
 import android.os.Binder;
 import android.os.IBinder;
+import android.preference.PreferenceManager;
 
-import java.util.Date;
 import java.util.HashMap;
+import java.util.List;
 
 import de.tudarmstadt.informatik.hostage.Hostage;
+import de.tudarmstadt.informatik.hostage.R;
 import de.tudarmstadt.informatik.hostage.logging.Record;
 import de.tudarmstadt.informatik.hostage.persistence.HostageDBOpenHelper;
 import de.tudarmstadt.informatik.hostage.ui.activity.MainActivity;
+import de.tudarmstadt.informatik.hostage.ui.model.LogFilter;
 
 /**
  * Created by root on 16.08.15.
@@ -24,11 +28,92 @@ public class MultiStage extends Service {
     }
 
 
-    Record record;
+    @Override
+
+
+
+    public Record getRecord() {
+        return record;
+    }
+
+    public void setRecord(Record record) {
+        this.record = record;
+    }
+
+    private Record record;
+
+    private Hostage service;
+
+    private SharedPreferences pref;
+
+    private HostageDBOpenHelper mDBOpenHelper;
+
+    static final String FILTER_MENU_TITLE_TIMESTAMP_BELOW = MainActivity.getContext().getString(
+            R.string.rec_latest);
+
+
+
+
+
+    public HashMap<String,String> fetchData(){
+
+    HashMap<String,String> attackStack = null;
+
+        Long currentTime = System.currentTimeMillis()/1000;
+
+        Long filterTime = (currentTime-30000);
+
+        LogFilter filter = new LogFilter();
+
+        filter.setAboveTimestamp(filterTime);
+
+        this.mDBOpenHelper = new HostageDBOpenHelper(MainActivity.getInstance().getBaseContext());
+        pref = PreferenceManager.getDefaultSharedPreferences(MainActivity.getInstance());
+
+
+
+        List<Record> recordArray = mDBOpenHelper.getRecordsForFilter(filter);
+
+
+
+        System.out.print(recordArray.toString());
+
 
-    Hostage service;
 
-    HostageDBOpenHelper dbh;
+        return attackStack;
+    }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+    public  Boolean isMultiStage(HashMap<String,String> attackhashmap){
+
+        Boolean isAttacked = false;
+
+
+        // write comparison algorithm
+
+
+
+
+
+       return isAttacked;
+    }
+
 
 
 
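Review bot: The `@Override` added at the top of the hunk annotates `getRecord()`, which overrides nothing in `android.app.Service`, so the class will not compile as committed; drop that annotation. `fetchData()` never populates `attackStack`, so it returns null on every call even after the database query succeeds, and the only consumer of the fetched records is `System.out.print(recordArray.toString())`, which on Android goes to logcat; initialise with `HashMap<String,String> attackStack = new HashMap<String,String>();` so callers get an empty map, and remove the print rather than dumping recorded attack data to the log. The static `FILTER_MENU_TITLE_TIMESTAMP_BELOW` calls `MainActivity.getContext()` at class-load time, so starting the service before the activity exists would presumably fail there, and the constant is not used in this hunk. Each call also constructs a new `HostageDBOpenHelper` that is never closed, `pref` is assigned but never read, and the `30000` subtracted from a seconds timestamp deserves a named constant with a comment stating the intended window.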

+ 43 - 0
src/de/tudarmstadt/informatik/hostage/Services/MultiStageAlarm.java

@@ -0,0 +1,43 @@
+package de.tudarmstadt.informatik.hostage.Services;
+
+import android.app.AlarmManager;
+import android.app.PendingIntent;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.widget.Toast;
+
+import org.apache.log4j.chainsaw.Main;
+
+import de.tudarmstadt.informatik.hostage.ui.activity.MainActivity;
+
+/**
+ * Created by root on 18.08.15.
+ */
+public class MultiStageAlarm extends BroadcastReceiver{
+
+
+    @Override
+    public void onReceive(Context context, Intent intent) {
+        Toast.makeText(MainActivity.getInstance().getApplicationContext(),"Scanning for MultiStage Attacks...",Toast.LENGTH_SHORT).show();
+    }
+
+    public void SetAlarm(Context context)
+    {
+        AlarmManager am =( AlarmManager)context.getSystemService(Context.ALARM_SERVICE);
+        Intent i = new Intent(context, MultiStageAlarm.class);
+        PendingIntent pi = PendingIntent.getBroadcast(context, 0, i, 0);
+        am.setRepeating(AlarmManager.RTC_WAKEUP, System.currentTimeMillis(), 1000 * 60 * 5, pi); // Millisec * Second * Minute
+    }
+
+    public void CancelAlarm(Context context)
+    {
+        Intent intent = new Intent(context, MultiStageAlarm.class);
+        PendingIntent sender = PendingIntent.getBroadcast(context, 0, intent, 0);
+        AlarmManager alarmManager = (AlarmManager) context.getSystemService(Context.ALARM_SERVICE);
+        alarmManager.cancel(sender);
+    }
+
+
+
+}
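Review bot: `onReceive` ignores the `context` it is handed and reaches for `MainActivity.getInstance()`, which is presumably null whenever the alarm fires while the activity is not alive (the alarm is registered with `RTC_WAKEUP` every five minutes), so the receiver would crash with a NullPointerException; use the parameter instead: `Toast.makeText(context.getApplicationContext(), "Scanning for MultiStage Attacks...", Toast.LENGTH_SHORT).show();`. The import of `org.apache.log4j.chainsaw.Main` is unused and pulls a desktop log4j GUI class into the Android build. `SetAlarm` and `CancelAlarm` should be `setAlarm` and `cancelAlarm` per Java method naming. The receiver currently only shows a toast; a comment such as `// TODO: invoke the MultiStage detection here` would make the stub explicit for the next reader.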

+ 0 - 1
src/de/tudarmstadt/informatik/hostage/persistence/HostageDBOpenHelper.java

@@ -2142,7 +2142,6 @@ public class HostageDBOpenHelper extends SQLiteOpenHelper {
         SQLiteDatabase db = this.getReadableDatabase();
         Cursor cursor = db.rawQuery(attackPerBSSID_Query, null);
         ArrayList<PlotComparisonItem> plots = new ArrayList<PlotComparisonItem>();
-
         int counter = 0;
 
         if (cursor.moveToFirst()) {

+ 1 - 0
src/de/tudarmstadt/informatik/hostage/ui/fragment/SettingsFragment.java

@@ -21,6 +21,7 @@ public class SettingsFragment extends UpNavigatibleFragment {
 	private TextView mPorthackText;
 	private Button mPorthackInstallButton;
 	private Button mPorthackUninstallButton;
+	private Button MultiStageEnabled;
 
 	public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) {
 		super.onCreateView(inflater, container, savedInstanceState);
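Review bot: The new field `MultiStageEnabled` breaks the naming convention of its neighbours (`mPorthackInstallButton` and friends) and is neither assigned nor read in this hunk; rename it to `private Button mMultiStageEnabledButton;` and wire it up in `onCreateView`, which continues outside the hunk, or leave it out until it is used.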

BIN
thesis_report/Thesis_Report.pdf


+ 89 - 56
thesis_report/Thesis_Report.tex

@@ -27,16 +27,16 @@
          
   
   \section{Introduction}
-   Mobile devices today have better communication capabilities. They enable dynamic and faster communication. Users are able to access internet and web applications through their smart phones anywhere, anytime. Smarter applications offer better social interaction and online presence to the users. This creates an urge to stay connected and be online seamlessly to  be updated.Public infrastructures like airports, coffee shops, shopping malls  provide free access to their networks to its customers to facilitate their connectivity and of course, for some information exchange. With free access to networks, attackers are now concentrating on the possibility of exploiting users in the same network. Securing open networks is very challenging and complex. It is however possible to detect these attacks. A pro-active approach for detecting the attacks is a better approach. Prevention is better than cure, as said, is to better stay away from such environments than get exploited and realize at a later stage.
+   Mobile devices today have better communication capabilities. They enable dynamic and faster communication. Users are able to access internet and web applications through their smart phones anywhere, anytime. Smarter applications offer better social interaction and online presence to the users. This creates an urge to stay connected and be online seamlessly to  be updated.Public infrastructures like airports, coffee shops, shopping malls  provide free access to their networks to its customers to facilitate their connectivity and of course, for some information exchange. With free access to networks, attackers are now concentrating on the possibility of exploiting users in the same network. Securing open networks is very challenging and complex. It is however possible to detect these attacks. A pro-active approach is a better way for detecting the attacks. 
    
    Huge industries like nuclear power plants, water treatment and distribution plants, manufacturing plants have many complex critical machines and require constant monitoring. They rely on process automation on these machines and are dependent on sensors for making this automation possible. This sensor-to-machine-to-human communication and automation is achieved with the help of PLCs\cite{Webb:1998:PLC:551899} or Programmable Logic Controllers. This communication is usually not secure and is open to attacks. As this hardware has limited computing resources, encryption of data is an expensive option. There have been many attacks detected over the years on SCADA\footnote{http://www.schneider-electric.com/solutions/ww/en/med/20340568/application/pdf/1485se-whitepaper-letter-scadaoverview-v005.pdf} ICS, most notable being STUXNET\cite{Langner:2011:SDC:1990763.1990881}. Securing and detecting attacks in these networks is necessary as it is responsible for communication in critical machines. Failure of such machines could cause a devastation to the environment and human life because of the wide spread use of PLCs in infrastructures like airports, coffee shops and also in prisons. 
    
    
-   There are two approaches for detection of attacks. One is by using a NIDS\cite{1377213} (Network Intrusion Detection System ) and the other is by using honeypot\cite{Provos:2004:VHF:1251375.1251376} . NIDS are installed on the server machines or hosts. The requests are scanned and analyzed for exploit-forged packets before they are sent to the server.  NIDS are suitable for systems with high resources. The honeypot approach, rather could be used where there are lesser resources. The idea behind honeypot, is to pose as vulnerable hosts connected to the network, which could be tempting for exploits, thereby trapping the attacker by collecting as much information possible to backtrack, or good enough to detect that the network is under attack. 
+   There are two approaches for detection of attacks. One is by using a NIDS\cite{1377213} (Network Intrusion Detection System ) and the other is by using Honeypot\cite{Provos:2004:VHF:1251375.1251376} . NIDS are installed on the server machines or hosts. The requests are scanned and analyzed for exploit-forged packets before they are sent to the server.  NIDS are suitable for systems with high resources. The Honeypot approach, rather could be used where there are lesser resources. The idea behind Honeypot, is to pose as vulnerable hosts connected to the network, which could be tempting for exploits, thereby trapping the attacker by collecting as much information possible to backtrack, or good enough to detect that the network is under attack. 
    
    \subsection{Motivation}
    
-   The applicability of a honeypot in a mobile environment is prodigious, considering the public network infrastructure services offered. Network connectivity has become more of a necessity than a luxury, as technology is continuously evolving. Better services, data management and accessibility draw a lot of users having online space and in the need to stay connected. This need is rendered by some businesses and public infrastructure like airports, malls and cafeterias. With smart phones, people have the power to stay connected and do the majority of the tasks efficiently at their fingertips. Mobile devices today are considered personal devices because of the capability to store, share and process private data. This data is valuable and private to a user and has to be secured. Connecting to public networks can result in lot of vulnerabilities, as there is not always security considered in public networks. With the help of scripts crafted to exploit these vulnerabilities, an attacker can exploit users personal data.
+   The applicability of a Honeypot in a mobile environment is prodigious, considering the public network infrastructure services offered. Network connectivity has become more of a necessity than a luxury, as technology is continuously evolving. Better services, data management and accessibility draw a lot of users having online space and in the need to stay connected. This need is rendered by some businesses and public infrastructure like airports, malls and cafeterias. With smart phones, people have the power to stay connected and do the majority of the tasks efficiently at their fingertips. Mobile devices today are considered personal devices because of the capability to store, share and process private data. This data is valuable and private to a user and has to be secured. Connecting to public networks can result in lot of vulnerabilities, as there is not always security considered in public networks. With the help of scripts crafted to exploit these vulnerabilities, an attacker can exploit users personal data.
    
    
    Attacks are not limited to the above protocols. Airports, malls, enterprise hotels and huge industries use PLCs\cite{Webb:1998:PLC:551899} (Programmable Logic Controllers) as for many applications such as conveyor belts, elevators, lighting control systems, fire and  safety detection systems in order to automate the tasks quickly without human intervention. PLCs can be programmed logically to specify the methods to be called, based on inputs provided by sensors.  SCADA (Supervisory Control and Data Acquisition) is a system operating with coded signals over the communication channels so as to provide control of remote equipment like PLCs. 
@@ -63,120 +63,151 @@
   
    \subsection{Contribution}
       
-   This theses aims at identifying and detecting the SCADA attacks using a low interaction mobile honeypot platform using which a  industrial PLC will be designed and implemented. An analysis of the communication paradigm and the security loopholes in a SCADA ICS system is made, to simulate the services offered by the system.     
+   This theses aims at identifying and detecting the SCADA attacks using a low interaction mobile Honeypot platform using which a  industrial PLC will be designed and implemented. An analysis of the communication paradigm and the security loopholes in a SCADA ICS system is made, to simulate the services offered by the system.     
    The thesis also concentrates on contributing to many security related research questions of SCADA ICS systems like identifying the targets, analyzing the malware, assessing the consequences and defending ICS systems.
     
    
    \subsection{Outline}
       
-   This thesis topic also aims at adding more capabilities to detect attacks through different malware, mainly focussing on simulating industrial level SCADA PLC to determine malware attacks on them. The rest of the expose is structured as follows. Section 2 will specify the requirements to develop the protocol emulation for mobile honeypot. In Section 3, related work in the area of mobile honeypot and SCADA honeypot are discussed. Section 4 describes a proposed system for a mobile honeypot for ICS systems and Section 5 concludes with a time plan for the thesis. 
+   This thesis topic also aims at adding more capabilities to detect attacks through different malware, mainly focussing on simulating industrial level SCADA PLC to determine malware attacks on them. The rest of the expose is structured as follows. Section 2 will specify the requirements to develop the protocol emulation for mobile Honeypot. In Section 3, related work in the area of mobile Honeypot and SCADA Honeypot are discussed. Section 4 describes a proposed system for a mobile Honeypot for ICS systems and Section 5 concludes with a time plan for the thesis. 
      
        
    \section{Background - ICS SCADA and Mobile Honeypots}
     
-   ICS (Industrial Control Systems) form a dominant portion in present day industries. Strange, yet astonishing, the fact that ICS is also a part of everyday life is also true. ICS components include actuators, sensors, networking devices, controlling systems and PLC's . The sensors form a major part of ICS as they provide continuous feed of critical information which is used to automate and control other systems. The other important component is the PLC. This interface allows a programmer to implement a logic to automate the systems based on the data received from sensors. There are a few different kinds of ICS. One of the major types is SCADA (Supervisory control and data aquisition) which is deployed on geographically widespread and controlled using a central location. Examples to this type include nuclear power plants, water distribution , power distribution where there is a need constant monitoring and critical automation. SCADA systems are mainly deployed where is a need for alarm systems. The other kind of ICS system is the Distributed Control Systems (DCS). On the contrary these systems are not centralized, but distributed across a network. We shall focus more on SCADA ICS systems are they are being deployed in major infrastructures today.
+   ICS (Industrial Control Systems) form a dominant portion in present day industries. Strange, yet astonishing, the fact that ICS is also a part of everyday life is also true. ICS components include actuators, sensors, networking devices, controlling systems and PLC's . The sensors form a major part of ICS as they provide continuous feed of critical information which is used to automate and control other systems. The other important component is the PLC. This interface allows a programmer to implement a logic to automate the systems based on the data received from sensors. There are a few different kinds of ICS. One of the major types is SCADA (Supervisory control and data acquisition) which is deployed on geographically widespread and controlled using a central location. Examples to this type include nuclear power plants, water distribution , power distribution where there is a need constant monitoring and critical automation. SCADA systems are mainly deployed where is a need for alarm systems. The other kind of ICS system is the Distributed Control Systems (DCS). On the contrary these systems are not centralized, but distributed across a network. We shall focus more on SCADA ICS systems are they are being deployed in major infrastructures today.
     
    Infrastructures discussed above have a lot of components and devices which need constant communication between them. 
 
 
-\subsection{SCADA ICS}
+\subsection{ICS SCADA}
 
 SCADA is an industrial automation control system at the core of many indutries today including Energy, Oil and Gas, power, Water and Recycling , Manufacturing and many more. They are used by both private sector industries and the public sector service providers. It provides the benefit of simple configuration and usability. 
 
-The basic architecture of SCADA involves communication of information from sensors or manual inputs to PLCs or RTUs. These PLCs process the information as per the logic deployed in them and then forward this information to workstations/servers running SCADA applications. SCADA systems involve control components and network components. The following is a list of control components in SCADA:
+The basic architecture of SCADA involves communication of information from sensors or manual inputs to PLCs or RTUs. These PLCs process the information as per the logic deployed in them and then forward this information to workstations/servers running SCADA applications. Figure 3 describes the basic architecture of a SCADA system.
 
-RTU(Remote Terminal Units):These units connect to sensors in the process and convert sensor signals to digital data. They have telemetry hardware capable of sending digital data to the supervisory system, as well as receiving digital commands from the supervisory system. RTUs often have embedded control capabilities in order to accomplish boolean logic operations.
+ \begin{figure}[ht]
+        \centering
+        \includegraphics[scale=0.75]{SCADA-Architecture}
+        \caption[SCADA Architecture]{\label{f:SCADA Attack}SCADA Architecture }
+        \end{figure}
+
+SCADA systems involve control components and network components. The following is a list of control components in SCADA:
+
+\begin{itemize}
 
-Programmable logic controller (PLCs): These devices connect to sensors in the process and convert sensor signals to digital data. PLCs have more sophisticated embedded control capabilities than RTUs. PLCs do not have telemetry hardware, although this functionality is typically installed alongside them. PLCs are sometimes used in place of RTUs as field devices because they are more economical, versatile, flexible, and configurable.
 
-Telemetry system: It is typically used to connect PLCs and RTUs with control centers, data warehouses, and the enterprise. Examples of wired telemetry media used in SCADA systems include leased telephone lines and WAN circuits. Examples of wireless telemetry media used in SCADA systems include satellite (VSAT), licensed and unlicensed radio, cellular and microwave.
+\item\textbf{Remote Terminal Units (RTU):}These units connect to sensors in the process and convert sensor signals to digital data. They have telemetry hardware capable of sending digital data to the supervisory system, as well as receiving digital commands from the supervisory system. RTUs often have embedded control capabilities in order to accomplish boolean logic operations.
 
-Data and Control Server: A data acquisition server is a software service which uses industrial protocols to connect software services, via telemetry, with field devices such as RTUs and PLCs. It allows clients to access data from these field devices using standard protocols.
+\item\textbf{Programmable logic controller (PLCs):} These devices connect to sensors in the process and convert sensor signals to digital data. PLCs have more sophisticated embedded control capabilities than RTUs. PLCs do not have telemetry hardware, although this functionality is typically installed alongside them. PLCs are sometimes used in place of RTUs as field devices because they are more economical, versatile, flexible, and configurable.
 
-Human–Machine Interface or HMI: It is the apparatus or device which presents processed data to a human operator, and through this, the human operator monitors and interacts with the process. The HMI is a client that requests data from a data acquisition server.
+\item\textbf{Telemetry system:} It is typically used to connect PLCs and RTUs with control centers, data warehouses, and the enterprise. Examples of wired telemetry media used in SCADA systems include leased telephone lines and WAN circuits. Examples of wireless telemetry media used in SCADA systems include satellite (VSAT), licensed and unlicensed radio, cellular and microwave.
 
-Historian software:  A software service which accumulates time-stamped data, boolean events, and boolean alarms in a database which can be queried or used to populate graphic trends in the HMI. The historian is a client that requests data from a data acquisition server.
+\item\textbf{Data and Control Server:}A data acquisition server is a software service which uses industrial protocols to connect software services, via telemetry, with field devices such as RTUs and PLCs. It allows clients to access data from these field devices using standard protocols.
 
+\item\textbf{Human Machine Interface (HMI):} It is the apparatus or device which presents processed data to a human operator, and through this, the human operator monitors and interacts with the process. The HMI is a client that requests data from a data acquisition server.
+
+\item\textbf{Historian software:} A software service which accumulates time-stamped data, boolean events, and boolean alarms in a database which can be queried or used to populate graphic trends in the HMI. The historian is a client that requests data from a data acquisition server.
+
+\end{itemize}
 Different network characteristics exist for every layer within the control systems. The network topologies vary by vendors or manufacturers and also on different implementations. Modern day SCADA systems are open to Internet communication and enterprise integration can be achieved. The control networks work in hand with the corporate enterprise networks to better manage and control the systems  from outside networks. The following are the major network components of an ICS network:
 
-Fieldbus Network: The fieldbus network links sensors and other devices to a PLC or other controller. Use of fieldbus technologies eliminates the need for point-to-point wiring between the controller and each device. The devices communicate with the fieldbus controller using a variety of protocols. The messages sent between the sensors and the controller uniquely identify each of the sensors.
+\begin{itemize}
+
+
+\item\textbf{Fieldbus Network:} The fieldbus network links sensors and other devices to a PLC or other controller. Use of fieldbus technologies eliminates the need for point-to-point wiring between the controller and each device. The devices communicate with the fieldbus controller using a variety of protocols. The messages sent between the sensors and the controller uniquely identify each of the sensors.
 
-Control Network: The control network connects the supervisory control level to lower-level control modules.
+\item\textbf{Control Network:} The control network connects the supervisory control level to lower-level control modules.
 
-Communications Routers: A router is a communications device that transfers messages between two networks. Common uses for routers include
+\item\textbf{Communications Routers:} A router is a communication device that transfers messages between two networks. Common uses for routers include
 connecting a LAN to a WAN, and connecting MTUs and RTUs to a long-distance network medium for SCADA communication.
 
+\end{itemize}
 
-SCADA applications help in monitoring, analysing the data  to help the device controllers and operators work efficiently. Modern SCADA systems allow real time data from the plants to be accessed from anywhere in the world. This also means that it provides attackers an opportunity to exploit this data and availability. Exploiting SCADA systems can cause catastrophic as it may result in huge damage to the environment and people in the plant. We try to identify the attacks and exploits that could be made and detect them using a mobile honeypot.
+SCADA applications help in monitoring, analysing the data  to help the device controllers and operators work efficiently. Modern SCADA systems allow real time data from the plants to be accessed from anywhere in the world. This also means that it provides attackers an opportunity to exploit this data and availability. Exploiting SCADA systems can cause catastrophic as it may result in huge damage to the environment and people in the plant. We try to identify the attacks and exploits that could be made and detect them using a mobile Honeypot.
 
 
 
 
 
- \subsection{Security Concerns of SCADA ICS}
+ \subsection{Security Perspective of SCADA ICS}
 
-  ICS SCADA systems are highly distributed. They are used to control and manage geographically dispersed plants, often scattered over thousands of kilometers. In these areas centralized data acquisition and control are critical to system operation. They are applicable in distribution systems such as water distribution and wastewater collection systems, oil and natural gas pipelines and electrical power grids.on
+ICS SCADA systems are highly distributed. They are used to control and manage geographically dispersed plants, often scattered over thousands of kilometers. In these areas centralized data acquisition and control are critical to system operation. They are applicable in distribution systems such as water distribution and wastewater collection systems, oil and natural gas pipelines and electrical power grids.on
 systems. A SCADA control center provides centralized monitoring and control for field sites over long-distance communications networks, including monitoring alarms and processing status data. Based on information received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices, which are often referred to as field devices. Field devices
 control local operations such as opening and closing valves and breakers, collecting data from sensor systems, and monitoring the local environment for alarm conditions. 
 
-As the control center is responsible for managing and controlling the devices at the field site, there is a need to have a critical communication network between them. This is usually established through the MODBUS TCP/IP over the Ethernet. It is usually advised to place the SCADA devices on a network that is not physically connected to any other networks (cite http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf). 
+The control center is responsible for managing and controlling the devices at the field site and thus there is a need to have a critical communication network between them. This is usually established through the MODBUS TCP/IP over the Ethernet. It is usually advised to place the SCADA devices on a network that is not physically connected to any other networks (cite http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf). 
+
+// Refer to paper Plausible Solution to SCADA security for more info
     
      
   \subsection{Honeypots}
 
 
- A Honeypot is a decoy server or a system in a network which is closely monitored for adversaries. They are mostly deployed inside firewalls, but they could be deployed in any part of the network. It is designed to be a system with vulnerabilities and services that are offered by a real target system. Any attempt to connect to these systems could be considered as an attack. All the activities are logged and further traced. The general idea is that once an adversaryu detects a vulnerable system and tries to attack it, he would come back with more sophisticated attacks. The initial part of discovery and knowing the general services and loopholes is called system social engineering.
+A Honeypot is a decoy server or a system in a network which is closely monitored for adversaries. It is also defined as:
+\textit{A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource}. (//cite https://www.acsac.org/2003/papers/spitzner.pdf). They are mostly deployed inside firewalls, but they could be deployed in any part of the network. It is designed to be a system with vulnerabilities and services that are offered by a real target system. Any attempt to connect to these systems could be considered as an attack. All the activities are logged and further traced. The general idea is that once an adversary detects a vulnerable system and tries to attack it, he would come back with more sophisticated attacks. The initial part of discovery and knowing the general services and loopholes is called system social engineering.
 Honeypots provide are active monitoring components that wait for attacks and respond to the attacks by luring the attacker to pursue more.
 
 There are certain main functionalities that the Honeypots must possess in order to perform their main functionality. 
 
-1. Honeypots must simulate the system that they are intend to focus on. This gives the attacker a feeling of approaching a real system. The honeypot may simulate the complete functionality of the system orr just the services offered by the system. 
+\begin{enumerate}
+\item Honeypots must simulate the system that they are intend to focus on. This gives the attacker a feeling of approaching a real system. The Honeypot may simulate the complete functionality of the system or just the services offered by the system. 
 
-2. A proper response mechanism which keeps the attacker engaged to the honeypot. This makes better logging of the attack and also provides more data to analyze the attacks. 
+\item A proper response mechanism which keeps the attacker engaged to the Honeypot. This makes better logging of the attack and also provides more data to analyze the attacks. 
 
-3.  
+\item It mainly has three perspectives. Firstly, an attacker perspective, by posing as a vulnerable system; second an administrator who can log identify and log the attacks made by the attacker and third, being able to present and analyse the attacks logged by the administrator. 
 
+\end{enumerate}
 
 
+  //Explain about Honeypots
 
+  
+  There has been extensive research going on in the field of Honeypots. This section describes related works on Honeypots. 
+  
+  Early research on Mobile Honeypots focused only on  Bluetooth communications[5,17]. The continuous advances in the field of smartphone technology has enabled better opportunities towards Honeypot research on smart phones. 
+  There has been existing work that focused on detection of mobile specific malware. The first to discuss the idea of a Honeypot for smartphones were Mulliner et al., by providing the initial ideas, challenges and an architecture for their proposed system\cite{mulliner2011poster}. Nomadic Honeypots\cite{Liebergeld_nomadichoneypots:} concentrates on mobile specific malware and also trades off with a lot of personal information.
+  
+\subsubsection {Types of Honeypots }
 
- It mainly has three perspectives. Firstly, an attacker perspective, by posing as a vulnerable system; second an administrator who can log identify and log the attacks made by the attacker and third, being able to present and analyse the attacks logged by the administrator. 
+Honeypots can be classified into two types based on the ability of the attacker to interact with the application or services. They can be divided to High-Interaction Honeypots or Low-Interaction Honeypots 
 
 
 
+\subsubsection  {Honeynets}
 
-  //Explain about Honeypots
 
-  
-  There has been extensive research going on in the field of honeypots. This section describes related works on honeypots. 
-  
-  Early research on mobile honeypots focused only on  Bluetooth communications[5,17]. The continuous advances in the field of smartphone technology has enabled better opportunities towards honeypot research on smart phones. 
-  There has been existing work that focused on detection of mobile specific malware. The first to discuss the idea of a honeypot for smartphones were Mulliner et al., by providing the initial ideas, challenges and an architecture for their proposed system\cite{mulliner2011poster}. Nomadic Honeypots\cite{Liebergeld_nomadichoneypots:} concentrates on mobile specific malware and also trades off with a lot of personal information.
-  
-//make sub subsection types of honeypots 
-//make sub subsection Honeynets
-//make sub subsection Mobile Honeypots
-	//List ablout HosTaGe and other related work on mobile Honeypots       
-      
-   HosTaGe\cite{Vasilomanolakis:2013:TNI:2516760.2516763},\cite{Vasilomanolakis:2014:HMH:2659651.2659663} is an Android App which acts as a mobile honeypot, determined to detect malicious networks and probe for attacks. It is user centric and aims at creating security awareness to its users. The results obtained in this process are synchronised with a global repository and also can be shared locally through bluetooth. The current version has capabilities of emulating as Windows, Unix, Apache Server, SQL and Paranoid host. Attacks through HTTP, SMB, SSH, HTTPS, Telnet and FTP can be identified. 
-       
 
+\subsubsection  {Mobile Honeypots}
 
-  
+
+	//Write about Mobile Honeypots
+
+
+	//List about HosTaGe and other related work on mobile Honeypots       
+      
+   HosTaGe\cite{Vasilomanolakis:2013:TNI:2516760.2516763},\cite{Vasilomanolakis:2014:HMH:2659651.2659663} is an Android App which acts as a Mobile Honeypot, determined to detect malicious networks and probe for attacks. It is user centric and aims at creating security awareness to its users. The results obtained in this process are synchronised with a global repository and also can be shared locally through bluetooth. The current version has capabilities of emulating as Windows, Unix, Apache Server, SQL and Paranoid host. Attacks through HTTP, SMB, SSH, HTTPS, Telnet and FTP can be identified. 
+       
+ 
          
    \subsection{SCADA Honeypots}
-	Trend Micro a global security software company conducted an experiment\footnote{http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf} to detect attacks on SCADA by setting up 12 honeypots in 8 countries. The honeypots camouflaged a municipal water control system based on SCADA that was connected to the internet. Attacks were basically focussed on meddling with the pump system.  The objective of this experiment is to assess who/what is attacking Internet-facing ICS/SCADA(Industrial Control Systems) devices and why. In addition, the research set out to identify if the attacks performed on these systems were targeted, by whom, and for what purpose.
+	Trend Micro a global security software company conducted an experiment\footnote{http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf} to detect attacks on SCADA by setting up 12 Honeypots in 8 countries. The Honeypots camouflaged a municipal water control system based on SCADA that was connected to the internet. Attacks were basically focussed on meddling with the pump system.  The objective of this experiment is to assess who/what is attacking Internet-facing ICS/SCADA(Industrial Control Systems) devices and why. In addition, the research set out to identify if the attacks performed on these systems were targeted, by whom, and for what purpose.
          
-  The honeypot architecture design used a combination of high-interaction and pure-production honeypots. A total of three honeypots were created to ensure as much of the target surface as possible. All three honeypots were Internet facing and used three different static Internet IP addresses in different subnets scattered throughout the United States.
+  The Honeypot architecture design used a combination of high-interaction and pure-production Honeypots. A total of three Honeypots were created to ensure as much of the target surface as possible. All three Honeypots were Internet facing and used three different static Internet IP addresses in different subnets scattered throughout the United States.
+
+
+\subsubsection {PLC Honeynet}
+
+
+
+
 
 
-//make sub subsection PLC Honeynet
-//make sub subsection Digital Bond
-//make sub subsection SCADA Honeynet
-SCADA Honeynet Project\cite{5198796} is a project aimed at building honeypots for industrial networks. The industrial hardware include PLCs which also form the backbone of their automation systems.SCADA Honeynet was designed to simulate the PLCs and detect attacks performed on them.The short-term goal of the project was to determine the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures.
+\subsubsection  {Digital Bond}
+\subsubsection {SCADA Honeynet}
+SCADA Honeynet Project\cite{5198796} is a project aimed at building Honeypots for industrial networks. The industrial hardware include PLCs which also form the backbone of their automation systems.SCADA Honeynet was designed to simulate the PLCs and detect attacks performed on them.The short-term goal of the project was to determine the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures.
 
-//make sub subsection Conpot
-Conpot\footnote{http://conpot.org/} is a low interactive server side ICS honeypot designed to be easy to deploy, modify and extend. It provides a range of common industrial control protocols capable of emulating complex infrastructures to convince an adversary that he just found a huge industrial complex.To improve the deceptive capabilities it also provides the possibility to server a custom human machine interface to increase the honeypots attack surface. The default configuration of Conpot simulates a basic Siemens SIMATIC S7-200 PLC with an input/output module.
+\subsubsection {Conpot}
+Conpot\footnote{http://conpot.org/} is a low interactive server side ICS Honeypot designed to be easy to deploy, modify and extend. It provides a range of common industrial control protocols capable of emulating complex infrastructures to convince an adversary that he just found a huge industrial complex.To improve the deceptive capabilities it also provides the possibility to server a custom human machine interface to increase the Honeypots attack surface. The default configuration of Conpot simulates a basic Siemens SIMATIC S7-200 PLC with an input/output module.
 	
 
    
@@ -185,14 +216,16 @@ Conpot\footnote{http://conpot.org/} is a low interactive server side ICS honeypo
 MODBUS denoted IETF RFC 2026 is a serial communications protocol published by Modicon for using in its PLCs. It is now a standard that connects industrial devices together. The basic configuration involves connecting a SCADA supervisory control system to a PLC or RTU. Many of the data types are named from its use in driving relays: a single-bit physical output is called a coil, and a single-bit physical input is called a discrete input or a contact. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves. In a standard Modbus network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves.
 MODBUS TCP/IP specification was introduced to MODBUS to integrate corporate intranet with PLC systems. This made the network better manageable, scalable and also cost-effective.MODBUS TCP/IP offers many advantages:
 
-Simplicity: The TCP is wrapped with MODBUS instruction set. The setup involves simple driver initialization at end devices to communicate. Low development cost, hardware and compatibility with many OS makes it simple.
+\begin{itemize}
 
-Standard Ethernet:  Ethernet ingrates easily into simple chipsets and boards. The cost of implementing Ethernet to MODBUS is low and also provides ample resources as there are many developers are working on optimizing the technology. Ethernet port 502 is used by the MODBUS TCP/IP protocol.
+\item\textbf{Simplicity:} The TCP is wrapped with MODBUS instruction set. The setup involves simple driver initialization at end devices to communicate. Low development cost, hardware and compatibility with many OS makes it simple.
 
-Open: The MODBUS protocol has been open source since 2004 and a dedicated organization working towards develpoment,optimization and maintenance.
+\item\textbf{Standard Ethernet:}  Ethernet ingrates easily into simple chipsets and boards. The cost of implementing Ethernet to MODBUS is low and also provides ample resources as there are many developers are working on optimizing the technology. Ethernet port 502 is used by the MODBUS TCP/IP protocol.
 
-Compatibility: MODBUS provides interoperability among various vendors and also compatibilty with devices of other manufactureres. 
+\item\textbf{Open:} The MODBUS protocol has been open source since 2004 and a dedicated organization working towards develpoment,optimization and maintenance.
 
+\item\textbf{Compatibility:} MODBUS provides interoperability among various vendors and also compatibilty with devices of other manufactureres. 
+\end{itemize}
 
 MODBUS TCP/IP is an Internet protocol. This makes the devices open to the Internet. This was a particular feature thhat was incorporated to facilitate better control and making device maintenance through remote systems over the internet. MODBUS is also industrial networks protocol and the industries are geographically separated. MODBUS TCP/IP helps in better management of distributed industrial systems throughout the world. 
 
@@ -206,8 +239,8 @@ MODBUS TCP/IP is an Internet protocol. This makes the devices open to the Intern
        
   \section{Proposed System}
   
-  In this work, a low interaction mobile honeypot mechanism to simulate industrial PLC will be designed and implemented. The design also aims at detecting attacks and making inferences about the attackers and attacks. The final version will be integrated to the HosTaGe app along with the other advanced mechanisms that HosTaGe already provides to its users.  
-  As the proposed system deals with implementing a low interaction honeypot, the challenge involves implementing only the essential components or services, that satisfy the discovery and vulnerability to attack them, for example, the network stack. Along with basic attack detection, the system must also have a short response time, robust design to withstand the attacks and also maintain a log of the exploit for further analysis and backtracking. An attempt will be made to detect attacks forged with popular identified worms like STUXNET. The conclusions on the attacks made will be pushed on to a central repository where the details of the attack are made public for users worldwide. The overlay of the proposed system, mechanisms and the evaluation are followed below. 
+  In this work, a low interaction Mobile Honeypot mechanism to simulate industrial PLC will be designed and implemented. The design also aims at detecting attacks and making inferences about the attackers and attacks. The final version will be integrated to the HosTaGe app along with the other advanced mechanisms that HosTaGe already provides to its users.  
+  As the proposed system deals with implementing a low interaction Honeypot, the challenge involves implementing only the essential components or services, that satisfy the discovery and vulnerability to attack them, for example, the network stack. Along with basic attack detection, the system must also have a short response time, robust design to withstand the attacks and also maintain a log of the exploit for further analysis and backtracking. An attempt will be made to detect attacks forged with popular identified worms like STUXNET. The conclusions on the attacks made will be pushed on to a central repository where the details of the attack are made public for users worldwide. The overlay of the proposed system, mechanisms and the evaluation are followed below. 
        
     
   \section{System Design}
@@ -244,7 +277,7 @@ The Siemens S7 200 is a micro-programmable logic controller which can control a
  	\subsection{Attack Data analysis}
 	\subsection{Conpot and HosTaGe attack comparison}
 	\subsection{Vulnerabilities of Siemens S7200}
-	\subsection{HosTaGe Performance Evaluation}	
+	\subsection{HosTaGe ICS - Performance Evaluation as an Android App}	
 	\subsection{Observation and Analysis}