@@ -63,7 +63,7 @@
\subsection{Contribution}
- This theses aims at identifying and detecting the SCADA attacks using a low interaction mobile Honeypot platform using which a industrial PLC will be designed and implemented. An analysis of the communication paradigm and the security loopholes in a SCADA ICS system is made, to simulate the services offered by the system.
+ This theses aims at identifying and detecting the SCADA attacks using a low interaction mobile Honeypot platform using which a industrial master and slave profiiles will be simualted. An analysis of the communication paradigm and the security loopholes in a SCADA ICS system is made, to simulate the services offered by the system.
The thesis also concentrates on contributing to many security related research questions of SCADA ICS systems like identifying the targets, analyzing the malware, assessing the consequences and defending ICS systems.
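Review bot: the replacement line keeps the errors of the line it replaces ("theses", "a industrial") and adds two new typos ("profiiles", "simualted"); suggest `This thesis aims at identifying and detecting SCADA attacks using a low-interaction mobile honeypot platform on which industrial master and slave profiles will be simulated.` The second sentence should also say what the analysis is for: `An analysis of the communication paradigm and the security loopholes of a SCADA ICS system is made in order to simulate the services the system offers.` Since the stated contribution changes from designing and implementing a PLC to simulating master and slave profiles, the later Siemens SIMATIC S7-200 material and the `Design of HosTaGe ICS Honeypot` subsection should be checked so they describe the same scope.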
@@ -74,7 +74,7 @@
\section{Background - ICS SCADA and Mobile Honeypots}
- ICS (Industrial Control Systems) form a dominant portion in present day industries. Strange, yet astonishing, the fact that ICS is also a part of everyday life is also true. ICS components include actuators, sensors, networking devices, controlling systems and PLC's . The sensors form a major part of ICS as they provide continuous feed of critical information which is used to automate and control other systems. The other important component is the PLC. This interface allows a programmer to implement a logic to automate the systems based on the data received from sensors. There are a few different kinds of ICS. One of the major types is SCADA (Supervisory control and data acquisition) which is deployed on geographically widespread and controlled using a central location. Examples to this type include nuclear power plants, water distribution , power distribution where there is a need constant monitoring and critical automation. SCADA systems are mainly deployed where is a need for alarm systems. The other kind of ICS system is the Distributed Control Systems (DCS). On the contrary these systems are not centralized, but distributed across a network. We shall focus more on SCADA ICS systems are they are being deployed in major infrastructures today.
+ ICS (Industrial Control Systems) form a dominant portion in present day industries. Strange, yet astonishing, the fact that ICS is also a part of everyday life is also true. ICS components include actuators, sensors, networking devices, controlling systems and PLC's . The sensors form a major part of ICS as they provide continuous feed of critical information which is used to automate and control other systems. The other important component is the PLC. This interface allows a programmer to implement a logic to automate the systems based on the data received from sensors. There are a few different kinds of ICS. One of the major types is SCADA (Supervisory control and data acquisition) which is deployed on geographically widespread and controlled using a central location. Examples to this type include nuclear power plants, water distribution , power distribution where there is a need constant monitoring and critical automation. SCADA systems are mainly deployed where is a need for alarm systems. The other kind of ICS system is the Distributed Control Systems (DCS). On the contrary these systems are not centralized, but distributed across a network. We shall focus more on SCADA ICS systems as they are being deployed in major infrastructures today.
Infrastructures discussed above have a lot of components and devices which need constant communication between them.
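Review bot: the only change in this paragraph is "are" to "as" in the last sentence, while the rest of the line still has grammatical gaps that garble the meaning: "deployed on geographically widespread and controlled using a central location" lacks a noun (geographically widespread sites), "where there is a need constant monitoring" lacks "for", "mainly deployed where is a need for alarm systems" lacks "there", and "PLC's" should be "PLCs". Suggest, for the SCADA sentence, `One of the major types is SCADA (Supervisory Control And Data Acquisition), which is deployed across geographically widespread sites and controlled from a central location.` The opener "Strange, yet astonishing, the fact that ICS is also a part of everyday life is also true" can be reduced to `ICS are also part of everyday life.`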
@@ -118,18 +118,13 @@ Different network characteristics exist for every layer within the control syste
\item\textbf{Control Network:} The control network connects the supervisory control level to lower-level control modules.
-\item\textbf{Communications Routers:} A router is a communication device that transfers messages between two networks. Common uses for routers include
-connecting a LAN to a WAN, and connecting MTUs and RTUs to a long-distance network medium for SCADA communication.
+\item\textbf{Communications Routers:} A router is a communication device that transfers messages between two networks. Common uses for routers include connecting a LAN to a WAN, and connecting MTUs and RTUs to a long-distance network medium for SCADA communication.
\end{itemize}
SCADA applications help in monitoring, analysing the data to help the device controllers and operators work efficiently. Modern SCADA systems allow real time data from the plants to be accessed from anywhere in the world. This also means that it provides attackers an opportunity to exploit this data and availability. Exploiting SCADA systems can cause catastrophic as it may result in huge damage to the environment and people in the plant. We try to identify the attacks and exploits that could be made and detect them using a mobile Honeypot.
-
-
-
-
- \subsection{Security Perspective of SCADA ICS}
+\subsection{Security Perspective of SCADA ICS}
ICS SCADA systems are highly distributed. They are used to control and manage geographically dispersed plants, often scattered over thousands of kilometers. In these areas centralized data acquisition and control are critical to system operation. They are applicable in distribution systems such as water distribution and wastewater collection systems, oil and natural gas pipelines and electrical power grids.on
systems. A SCADA control center provides centralized monitoring and control for field sites over long-distance communications networks, including monitoring alarms and processing status data. Based on information received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices, which are often referred to as field devices. Field devices
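Review bot: the hunk joins the router item and removes blank lines but leaves two broken sentences in its unchanged context. "Exploiting SCADA systems can cause catastrophic as it may result in huge damage" is missing a word after "catastrophic" (`can be catastrophic, as it may result in`), and the Security Perspective paragraph ends in a dangling fragment: "oil and natural gas pipelines and electrical power grids.on" followed by a line that begins with a lone "systems." looks like leftover text from an earlier edit and should be deleted or completed. Removing the leading space before `\subsection{Security Perspective of SCADA ICS}` is correct; the same cleanup should be applied to the `\subsubsection {Types of Honeypots }` style headings later in the file, which have spaces inside and before the braces.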
@@ -140,7 +135,7 @@ The control center is responsible for managing and controlling the devices at th
// Refer to paper Plausible Solution to SCADA security for more info
- \subsection{Honeypots}
+\subsection{Honeypots}
A Honeypot is a decoy server or a system in a network which is closely monitored for adversaries. It is also defined as:
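Review bot: "// Refer to paper Plausible Solution to SCADA security for more info" is not a LaTeX comment; `//` is typeset literally, so this editor's note will appear in the PDF. Use `% Refer to paper Plausible Solution to SCADA security for more info` (and the same for the other `//` notes in this file) so it is dropped at compile time. The whitespace-only change to `\subsection{Honeypots}` is fine.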
@@ -183,11 +178,10 @@ It is very clear are valued because of the interaction mechanism that they provi
\item\textbf{Minimal Resource Consumption:} Honeypots can run on low resource machines as they are just simulations and are may not depict full functionality of the system simulated. Honeypots today can run on smartphones as they possess the required resources which are good enough to run a Honeypot.
-
+\end{itemize}
There has been extensive research going on in the field of Honeypots. This section describes related works on Honeypots.
-Early research on Mobile Honeypots focused only on Bluetooth communications[5,17]. The continuous advances in the field of smartphone technology has enabled better opportunities towards Honeypot research on smart phones.
-
+
\subsubsection {Types of Honeypots }
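Review bot: the added `\end{itemize}` closes the list of honeypot advantages; please confirm that the matching `\begin{itemize}` is the one opened before the "Minimal Resource Consumption" item and that no second `\end{itemize}` was left further down, otherwise LaTeX will stop with an extra `\end{itemize}` error. In the unchanged item text, "are just simulations and are may not depict full functionality" should read `and may not depict the full functionality`. Moving the "Early research on Mobile Honeypots" paragraph out of this section is sensible, since it belongs with the Mobile Honeypots discussion rather than under honeypot advantages.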
@@ -197,7 +191,7 @@ A low interaction honeypot on the other hand is a software based or simulation b
\subsubsection {Honeynets}
-Honeynets are a networked collection of honeypots that look like common network services and servers. (Provos & Holz, Virtual Honeypots: From Botnet Tracking to Intrusion Detection , 2008).
+Honeynets are a networked collection of honeypots that look like common network services and servers. (Provos and Holz, Virtual Honeypots: From Botnet Tracking to Intrusion Detection , 2008).
It could be a collection of Honeypots depicting as a Domain Controller, web server, application server, file server and so on which provide a facade of a enterprise network. Honeynets
usually consist of high -interaction honeypots, low - interaction honeypots, or a combination of both. Using high interaction Honeypots only for this approach would be more expensive.
Honeynets are placed behind a Honeywall , which acts as a bridge to the honeynet. It includes network monitoring, packet capture, and IDS capabilities.
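Review bot: replacing "&" with "and" fixes a real compile error (an unescaped `&` outside a tabular gives "Misplaced alignment tab character &"), but the reference is still an inline parenthetical while the rest of the file uses `\cite{...}` (for example `\cite{mulliner2011poster}`); suggest adding a BibTeX entry for Provos and Holz, Virtual Honeypots: From Botnet Tracking to Intrusion Detection (2008) and citing it with `\cite`. In the unchanged context of this hunk, "a enterprise network" should be `an enterprise network`, "depicting as a Domain Controller" reads better as `posing as a domain controller`, and "Honeywall , which" has a stray space before the comma.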
@@ -212,15 +206,9 @@ The power of mobility, computing resources, usability and flexibility make Mobil
Such capabilities make it possible to host a low interaction Honeypot on the devices.
-
-
-
Some researchers believe that Mobile Honeypots are still not well defined. (http://conferences.sigcomm.org/sigcomm/2012/paper/sigcomm/p305.pdf)
-
-
-
-
+Early research on Mobile Honeypots focused only on Bluetooth communications[5,17]. The continuous advances in the field of smartphone technology has enabled better opportunities towards Honeypot research on smart phones.
//Write about Mobile Honeypots
There has been existing work that focused on detection of mobile specific malware. The first to discuss the idea of a Honeypot for smartphones were Mulliner et al., by providing the initial ideas, challenges and an architecture for their proposed system\cite{mulliner2011poster}. Nomadic Honeypots\cite{Liebergeld_nomadichoneypots:} concentrates on mobile specific malware and also trades off with a lot of personal information.
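Review bot: the paragraph re-added at this position ("Early research on Mobile Honeypots focused only on Bluetooth communications[5,17]") uses bracketed numeric citations while the paragraph that follows uses `\cite{mulliner2011poster}` and `\cite{Liebergeld_nomadichoneypots:}`; the two references should be converted to `\cite` keys so the bibliography is generated consistently. In the same hunk, "advances ... has enabled" should be `have enabled`, the bare URL in "(http://conferences.sigcomm.org/sigcomm/2012/paper/sigcomm/p305.pdf)" belongs in a `\footnote{}` or `\cite`, as is already done for the Trend Micro and Conpot links, and "//Write about Mobile Honeypots" is a TODO that will be typeset unless it is prefixed with `%`.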
@@ -236,8 +224,12 @@ There has been existing work that focused on detection of mobile specific malwar
Analysing the security concerns of ICS SCADA systems and the advantages of Honeypots, a solution could be implemented to combine the needs and features. SCADA Honeypots could be deployed in ICS Networks for monitoring and analysis. They act as an additional line of defense providing warnings and notifications for attacks. Designing a SCADA Honeypot involves studying the architecture of the SCADA systems and the components, protocols involved in communication and processing of data. Further, as discussed before, SCADA networks comprise of hardware devices like PLCs and RTUs which play a very critical role in processing and communication of data. SCADA systems rely on PLCs for data processing. If PLCs are targeted by attackers to compromise their working, it could bring down the entire plant, hereby resulting in a huge catastrophe. Modern day PLCs offer TCP/IP communication which can used to control and manage the data flow between other PLCs and control servers. On investigating attacks that have occured in the past, STUXNET a malware, was found to be injected in a Nuclear Enrichment Facility in Iran. STUXNET was found to be injected into the network using a USB drive to one of the host control systems. The malware spread from that system to other systems through intranet and remained hidden from operators. STUXNET was able to interfere with the working of a PLC that controlled centrifuges and managed to compromise the conditions on which the PLC depends. It was only by the observation of an operator that the PLC was causing the centrifuges to run more fast than usual was detected. But nobody could determine what caused the centrifuges run abnormally.
Detecting such kinds of attacks is not only complex but also very necessary. Such kind of attacks cannot be detected neither by signature based systems, nor by firewalls. Some organisations took initiative to design Honeypots for SCADA systems. They are elaborated in futher secctions.
+
+
+\subsubsection {SCADA Honeynet}
+SCADA Honeynet Project\cite{5198796} is a project aimed at building Honeypots for industrial networks. It was the theb first of the type. SCADA Honeynet was designed to simulate the PLCs and detect attacks performed on them.The short-term goal of the project was to determine the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures. It provided scriptable industrial protocol simulators to test actual protocol implementation. The design was a ingration of stack level, protocol level, application level and hardware level. The Honeypot was carefully designed to cover all the services offered by the SCADA systems, including the networking devices like routers and a direct serial device.
-\subsubsection {Trend Micro SCADA Homeypot}
+\subsubsection {Trend Micro SCADA Honeypot}
Trend Micro a global security software company conducted an experiment\footnote{http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf} to detect attacks on SCADA by setting up 12 Honeypots in 8 countries. The Honeypots camouflaged a municipal water control system based on SCADA that was connected to the internet. Attacks were basically focussed on meddling with the pump system. The objective of this experiment is to assess who/what is attacking Internet-facing ICS/SCADA(Industrial Control Systems) devices and why. In addition, the research set out to identify if the attacks performed on these systems were targeted, by whom, and for what purpose.
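Review bot: the moved and expanded "SCADA Honeynet" paragraph introduces new typos: "theb first", "a ingration" (should be `an integration`), and a missing space in "them.The". "It was the first of the type" is a priority claim and should either be tied to the citation `\cite{5198796}` or softened to `one of the first`. The "Homeypot" to "Honeypot" heading fix is correct. The unchanged context of this hunk still has "occured", "hereby" (should be `thereby`), "run more fast than usual" (should be `run faster than usual`), "futher secctions", and the run-on "It was only by the observation of an operator that the PLC was causing the centrifuges to run more fast than usual was detected" should be split, for example `Only an operator's observation that the centrifuges were running faster than usual revealed that something was wrong.`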
@@ -248,8 +240,6 @@ Trend Micro a global security software company conducted an experiment\footnote{
Digital Bond is a security research and consulting firm created a Honeypott system that comprised of two virtual machines. It is open source. One of the virtual machine acts as a PLC Honeypot and the other is a monitoring engine that logs all the traffic information. This system is also called a Honeywall. Honeywalls can also be used to monitor High Interaction PLC Honeypots. The Honeywall comprises of Snort IDS and signatures with respect to PLC. The services that are simulated are FTP, TELNET, HTTP, SNMP and MODBUS TCP.
-\subsubsection {SCADA Honeynet}
-SCADA Honeynet Project\cite{5198796} is a project aimed at building Honeypots for industrial networks. The industrial hardware include PLCs which also form the backbone of their automation systems.SCADA Honeynet was designed to simulate the PLCs and detect attacks performed on them.The short-term goal of the project was to determine the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures.
\subsubsection {Conpot}
Conpot\footnote{http://conpot.org/} is a low interactive server side ICS Honeypot designed to be easy to deploy, modify and extend. It provides a range of common industrial control protocols capable of emulating complex infrastructures to convince an adversary that he just found a huge industrial complex.To improve the deceptive capabilities it also provides the possibility to server a custom human machine interface to increase the Honeypots attack surface. The default configuration of Conpot simulates a basic Siemens SIMATIC S7-200 PLC with an input/output module.
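Review bot: deleting the old "SCADA Honeynet" subsubsection here is correct since the section now appears before Trend Micro, but note that its sentence "The industrial hardware include PLCs which also form the backbone of their automation systems" was not carried into the moved version; fine if intentional. In the unchanged Digital Bond paragraph, "This system is also called a Honeywall" names the whole two-VM system, while the sentences around it and the earlier Honeynets section use Honeywall for the monitoring/bridge machine only; suggest `The monitoring machine is called a Honeywall.` Also "Honeypott", "comprised of" (use `comprises`), and "One of the virtual machine acts" (use `One of the virtual machines acts`).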
@@ -269,7 +259,8 @@ MODBUS TCP/IP specification was introduced to MODBUS to integrate corporate intr
\item\textbf{Open:} The MODBUS protocol has been open source since 2004 and a dedicated organization working towards develpoment,optimization and maintenance.
-\item\textbf{Compatibility:} MODBUS provides interoperability among various vendors and also compatibilty with devices of other manufactureres.
+\item\textbf{Compatibility:} MODBUS provides interoperability among various vendors and also compatibilty with devices of other manufacturers.
+
\end{itemize}
MODBUS TCP/IP is an Internet protocol. This makes the devices open to the Internet. This was a particular feature that was incorporated to facilitate better control and making device maintenance through remote systems over the internet. MODBUS is also industrial networks protocol and the industries are geographically separated. MODBUS TCP/IP helps in better management of distributed industrial systems throughout the world.
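Review bot: the hunk only fixes "manufactureres" while "develpoment" and "compatibilty" on the neighbouring lines remain. "The MODBUS protocol has been open source since 2004" is the wrong term for a protocol: a specification is openly published, not open source; suggest `The MODBUS specification is openly published and is maintained by a dedicated organization`. The unchanged sentence "MODBUS TCP/IP is an Internet protocol. This makes the devices open to the Internet" overstates: running over TCP/IP makes a device reachable only when it sits on a routed, Internet-connected network; suggest `MODBUS TCP/IP runs over TCP/IP, so devices become reachable from the Internet whenever they are exposed on routed networks`, which is also the exposure the honeypot is meant to observe.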
@@ -288,7 +279,7 @@ MODBUS TCP/IP is an Internet protocol. This makes the devices open to the Intern
The discovery and identification of the PLC in the network can be through a network nmap scan that reveals information about the host name, ports 21, 80 and 502(Modbus) open.
- The main objective is to detect attacks made using the Modbus port. A logging mechanism logs the information about the attacker in pursuit.
+ The main objective is to detect attacks made using the protocols offered by the Siemens Simati S7 200 PLC . A logging mechanism logs the information about the attacker in pursuit.
\subsection{Architecture of Siemens SIMATIC s7 200}
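Review bot: the new objective sentence has a typo ("Simati" for `SIMATIC`) and a stray space before the period, and spells the model "S7 200" while the heading two lines later uses "s7 200" and the Conpot paragraph uses "S7-200"; pick `SIMATIC S7-200` throughout. Since the objective now covers all protocols offered by the PLC rather than only the Modbus port, the preceding unchanged sentence, which says an nmap scan reveals ports 21, 80 and 502 (Modbus) open, should be revised to list whichever services the simulated S7-200 actually exposes, otherwise the two sentences disagree about what the honeypot presents and monitors.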
@@ -297,6 +288,8 @@ The Siemens S7 200 is a micro-programmable logic controller which can control a
\subsection{Protocols}
+
+
\subsection{Design of HosTaGe ICS Honeypot}
\subsection{Perspective}
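Review bot: adding two blank lines under `\subsection{Protocols}` does not change the output, and the three subsections "Protocols", "Design of HosTaGe ICS Honeypot" and "Perspective" remain empty headings; if they are placeholders, mark them with a `% TODO` comment so the missing content is obvious in the source, or remove the headings until the text is written.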