|
@@ -22,10 +22,9 @@
|
|
|
\tuprints{12345}
|
|
|
\makethesistitle
|
|
|
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
|
|
|
+
|
|
|
+ \newpage
|
|
|
\section{Introduction}
|
|
|
Mobile devices today have better communication capabilities. They enable dynamic and faster communication. Users are able to access internet and web applications through their smart phones anywhere, anytime. Smarter applications offer better social interaction and online presence to the users. This creates an urge to stay connected and be online seamlessly to be updated.Public infrastructures like airports, coffee shops, shopping malls provide free access to their networks to its customers to facilitate their connectivity and of course, for some information exchange. With free access to networks, attackers are now concentrating on the possibility of exploiting users in the same network. Securing open networks is very challenging and complex. It is however possible to detect these attacks. A pro-active approach is a better way for detecting the attacks.
|
|
|
|
|
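Review bot: the `+ \newpage` added in front of `\section{Introduction}` (and, elsewhere in this patch, in front of every later section) hard-codes page breaks into the body text; if each section is meant to start on a fresh page, set that once in the preamble or the thesis class (a `\clearpage` in the section hook) instead of repeating `\newpage` before every `\section`. While this area is touched: `\tuprints{12345}` in the unchanged context still carries a placeholder ID and must be replaced with the real TUprints number before submission, and the introduction paragraph is missing a space after "to be updated." before "Public infrastructures".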
@@ -71,12 +70,12 @@
|
|
|
|
|
|
This thesis topic also aims at adding more capabilities to detect attacks through different malware, mainly focussing on simulating industrial level SCADA PLC to determine malware attacks on them. The rest of the expose is structured as follows. Section 2 will specify the requirements to develop the protocol emulation for mobile Honeypot. In Section 3, related work in the area of mobile Honeypot and SCADA Honeypot are discussed. Section 4 describes a proposed system for a mobile Honeypot for ICS systems and Section 5 concludes with a time plan for the thesis.
|
|
|
|
|
|
-
|
|
|
+ \newpage
|
|
|
\section{Background - ICS SCADA and Mobile Honeypots}
|
|
|
|
|
|
ICS (Industrial Control Systems) form a dominant portion in present day industries. Strange, yet astonishing, the fact that ICS is also a part of everyday life is also true. ICS components include actuators, sensors, networking devices, controlling systems and PLC's . The sensors form a major part of ICS as they provide continuous feed of critical information which is used to automate and control other systems. The other important component is the PLC. This interface allows a programmer to implement a logic to automate the systems based on the data received from sensors. There are a few different kinds of ICS. One of the major types is SCADA (Supervisory control and data acquisition) which is deployed on geographically widespread and controlled using a central location. Examples to this type include nuclear power plants, water distribution , power distribution where there is a need constant monitoring and critical automation. SCADA systems are mainly deployed where is a need for alarm systems. The other kind of ICS system is the Distributed Control Systems (DCS). On the contrary these systems are not centralized, but distributed across a network. We shall focus more on SCADA ICS systems as they are being deployed in major infrastructures today.
|
|
|
|
|
|
- Infrastructures discussed above have a lot of components and devices which need constant communication between them.
|
|
|
+ Infrastructures discussed above have a lot of components and devices which need constant communication between them. // Complete this para
|
|
|
|
|
|
|
|
|
\subsection{ICS SCADA}
|
|
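Review bot: the `+` line ending in `// Complete this para` puts a TODO into the body as literal text; `//` is not a comment in LaTeX, so the reminder will be typeset in the PDF. Use `% TODO: complete this paragraph` (or a `\todo{}` macro) so it is invisible in the output. The roadmap paragraph just above ("Section 2 will specify the requirements ... Section 5 concludes with a time plan") also no longer matches the structure of this file, which now has Background, Proposed System, System Design, Implementation, Evaluation and Conclusion; labelling the sections and using `\ref` would keep that paragraph correct as sections move.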
@@ -132,7 +131,7 @@ control local operations such as opening and closing valves and breakers, collec
|
|
|
|
|
|
The control center is responsible for managing and controlling the devices at the field site and thus there is a need to have a critical communication network between them. This is usually established through the MODBUS TCP/IP over the Ethernet. It is usually advised to place the SCADA devices on a network that is not physically connected to any other networks (cite http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf).
|
|
|
|
|
|
-// Refer to paper Plausible Solution to SCADA security for more info
|
|
|
+// Refer to paper Plausible Solution to SCADA security for more info
|
|
|
|
|
|
|
|
|
\subsection{Honeypots}
|
|
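Review bot: the `-`/`+` pair on `// Refer to paper Plausible Solution to SCADA security for more info` is a whitespace-only change that leaves the same defect in place: `//` is not a LaTeX comment, so the note will appear in the typeset text. Turn it into `% TODO: ...` or, better, into a `\cite{}` of that paper. The same applies to `(cite http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf)` in the context line above; add a bib entry for NIST SP 800-82 and reference it with `\cite`, since the recommendation to keep SCADA devices on a physically separate network is a claim the reader will want sourced.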
@@ -278,13 +277,13 @@ MODBUS TCP/IP specification was introduced to MODBUS to integrate corporate intr
|
|
|
MODBUS TCP/IP is an Internet protocol. This makes the devices open to the Internet. This was a particular feature that was incorporated to facilitate better control and making device maintenance through remote systems over the internet. MODBUS is also industrial networks protocol and the industries are geographically separated. MODBUS TCP/IP helps in better management of distributed industrial systems throughout the world.
|
|
|
|
|
|
|
|
|
-
|
|
|
+ \newpage
|
|
|
\section{Proposed System}
|
|
|
|
|
|
In this work, a low interaction Mobile Honeypot mechanism to simulate industrial PLC will be designed and implemented. The design also aims at detecting attacks and making inferences about the attackers and attacks. The final version will be integrated to the HosTaGe app along with the other advanced mechanisms that HosTaGe already provides to its users.
|
|
|
As the proposed system deals with implementing a low interaction Honeypot, the challenge involves implementing only the essential components or services, that satisfy the discovery and vulnerability to attack them, for example, the network stack. Along with basic attack detection, the system must also have a short response time, robust design to withstand the attacks and also maintain a log of the exploit for further analysis and backtracking. An attempt will be made to detect attacks forged with popular identified worms like STUXNET. The conclusions on the attacks made will be pushed on to a central repository where the details of the attack are made public for users worldwide. The overlay of the proposed system, mechanisms and the evaluation are followed below.
|
|
|
|
|
|
-
|
|
|
+ \newpage
|
|
|
\section{System Design}
|
|
|
|
|
|
HosTaGe has implemented mechanisms to emulate different kind of hosts like a windows host, linux host, webserver, FTP server, SSH server and more. The simulation of industrial level SCADA based PLC will be added to the the existing list of simulated hosts and services. To simulate PLCs it is important to understand their communication and control infrastructure. PLCs have network interfaces that support Ethernet, TCP/IP, MODBUS\cite{4627171}, DeviceNet\cite{898793}, ControlNet\cite{898793}, Foundation Fieldbus\cite{1435740}. The manufacturers have their own in built shells to support FTP commands. The Ethernet communication module of the PLC typically runs an embedded operating system that includes standard network protocol as well as implementations of industrial network protocols such as Modbus/TCP or EtherNet/IP. Telnet and FTP servers are common and have identifying information which can be used to determine the vendor and version of software. The network components that need to be simulated in a PLC are the TCP/IP stack, Modbus/TCP server, FTP server, Telnetd server and a HTTP web server which provides an interface to manage the functioning and control of PLC.
|
|
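Review bot: the two `+ \newpage` lines are the only change in this hunk, but the unchanged context at its top makes a claim that should be corrected while the section is being edited: "MODBUS TCP/IP is an Internet protocol. This makes the devices open to the Internet" conflates the transport with exposure. Modbus/TCP carries Modbus over TCP/IP; whether a PLC is reachable from the Internet is a deployment decision, which is exactly what the SP 800-82 advice cited earlier in this file (keep SCADA on a physically separate network) addresses. Suggest: "Modbus/TCP carries Modbus over TCP/IP, so a PLC that is routed to the Internet can be reached like any other host." Minor, same hunk: "the the existing list" in the System Design paragraph.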
@@ -308,21 +307,39 @@ The Simatic S7 PLC is also subjected to various vulnerabilities and attacks incl
|
|
|
\subsection{Protocols}
|
|
|
|
|
|
|
|
|
-The Siemens SIMATIC S7 supports (MODBUS TCP), HTTP, TELNET, FTP, SNMP, SMTP, MODBUS and S7Comm protocols
|
|
|
+The Siemens SIMATIC S7 supports a wide range of protocols which include MODBUS/PROFIBUS TCP, HTTP, TELNET, FTP, SNMP, SMTP and S7Comm. MODBUS TCP and S7Comm are the communication protocols and the rest of the protocols are enabled as added features.
|
|
|
+
|
|
|
+\begin{itemize}
|
|
|
+
|
|
|
+\item\textbf{HTTP:}The HTTP server hosts a mini web server which enables hosting the data values and sensor readings as a web page. This page can be accessed on port 80 of the PLCs IP address.
|
|
|
|
|
|
+\item\textbf{TELNET:} TELNET provides command and control to the target remote devices. It enables file system based commands and directory listing.
|
|
|
|
|
|
- \subsection{Design of HosTaGe ICS Honeypot}
|
|
|
+\item\textbf{FTP:} FTP provides file transfer and communication between end devices. These are usually files containing sensor readings and logs.
|
|
|
+
|
|
|
+\item\textbf{SNMP:} SNMP is responsible for monitoring and control.
|
|
|
+
|
|
|
+\item\textbf{SMTP:} SMPTP is mainly enabled for notification servivce in case of device failure or data inconsistency.
|
|
|
+
|
|
|
+\item\textbf{MODBUS/PROFIBUS TCP:} MODBUS TCP acts as a strong communication mechanism between the slaves and the master devices. It forms a backbone for industrial systems automation. The protocol is used for communication exchange between PLCs and control systems.
|
|
|
+
|
|
|
+\item\textbf{S7Comm:} S7comm is a proprietery protocol from Siemens that communicates between programmable logic controllers (PLCs) of the Siemens Simatic family.
|
|
|
+
|
|
|
+\end{itemize}
|
|
|
+
|
|
|
+
|
|
|
|
|
|
\subsection{Perspective}
|
|
|
Make points of Adversary Perspective and Administrator Perspective
|
|
|
|
|
|
- Honeypots as stated above are active entities that capture attacks targeted at them. They must be designed carefully considering the services and vulnerabilities of the targeted system. One of the design decisions which is imporatant
|
|
|
+ Honeypots as stated above are active entities that capture attacks targeted at them. They must be designed carefully considering the services and vulnerabilities of the targeted system. One of the design decisions which is important //complete this part
|
|
|
|
|
|
+ \newpage
|
|
|
\section{Implementation}
|
|
|
|
|
|
\subsection{SCADA PLC Profiles}
|
|
|
|
|
|
-SCADA ICS devices can be classified into master and slave device types based on the interaction and functionality. The master system is responsible for controlling the slaves and send them appropriate commands for a task. These systems are usually control servers or host systems connected to PLCs or slaves, that receive critical information and updates from the sensors placed on devices and PLcs. The other most imporant systems are the automation PLCs. Slave devices interact with many other devices and collectively process information to perform a task assigned by the master. When a MODBUS master wants information from a device, it sends a message that contains the device address, the data it needs and the checksum for integrity. The network is typically like a hub structure. The data is broadcasted in the network and the device from which the information was requested only responds. The slave devices cannot initiate communication and only can respond to a request made from the master. MODBUS/TCP allows multiple masters to poll the same device in parallel. A unit can be either a master or a slave but not both.
|
|
|
+SCADA ICS devices can be classified into master and slave device types based on the interaction and functionality. The master system is responsible for controlling the slaves and send them appropriate commands for a task. These systems are usually control servers or host systems connected to PLCs or slaves, that receive critical information and updates from the sensors placed on devices and PLcs. The other most imporant systems are the automation PLCs. Slave devices interact with many other devices and collectively process information to perform a task assigned by the master. When a MODBUS master wants information from a device, it sends a message that contains the device address, the data it needs and the checksum for integrity. The network is typically like a hub structure. The data is broadcasted in the network and the device from which the information was requested only responds. The slave devices cannot initiate communication and only can respond to a request made from the master. MODBUS/TCP allows multiple masters to poll the same device in parallel. A unit can be either a master or a slave but not both.
|
|
|
|
|
|
|
|
|
\begin{figure}[ht]
|
|
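Review bot: the new `+` line "The Siemens SIMATIC S7 supports ... MODBUS/PROFIBUS TCP" and the matching `\item\textbf{MODBUS/PROFIBUS TCP:}` treat PROFIBUS as a TCP protocol; PROFIBUS is a serial fieldbus, and the Ethernet member of that family is PROFINET, so name the protocol the honeypot will actually emulate (Modbus/TCP, plus PROFINET if that is intended) and cite the S7 manual for the supported list rather than asserting it. The re-added master/slave paragraph (`+SCADA ICS devices can be classified ...`) describes serial Modbus: "the checksum for integrity" and "the data is broadcasted ... hub structure" hold for Modbus RTU, whereas Modbus/TCP drops the CRC in favour of the MBAP header and is delivered as unicast TCP messages; and "A unit can be either a master or a slave but not both" contradicts the statement in the next hunk that "a PLC acting as a master polls its data to the other devices like HMI and other PLC's". Smaller items in the same hunk: "SMPTP", "servivce", "proprietery"; and both "Make points of Adversary Perspective and Administrator Perspective" and `//complete this part` are TODOs that will be typeset, so move them behind `%`.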
@@ -331,33 +348,56 @@ SCADA ICS devices can be classified into master and slave device types based on
|
|
|
\caption[SCADA Architecture]{\label{f:SCADA Master and Slave}SCADA Master and Slave profile }
|
|
|
\end{figure}
|
|
|
|
|
|
-The above figure represents devices connected on the industrail LAN and the MODBUS master-slave communication. The master devices poll the slave devices and request information. The information is processed and sent back to the master. There is also possibility that a PLC acting as a master polls its data to the other devices like HMI and other PLC's in the network.
|
|
|
+The above figure represents devices connected on the industrial LAN and the MODBUS master-slave communication. The master devices poll the slave devices and request information. The information is processed and sent back to the master. There is also possibility that a PLC acting as a master polls its data to the other devices like HMI and other PLC's in the network.
|
|
|
|
|
|
|
|
|
In the past there have been attacks both internal and external on SCADA systems. Popular attacks using STUXNET, were carried out internally by deloying the malware on a host computer with the help of a USB drive. However, the malware made use of the vulnerabilities of the host system to replicate and spread through the network. Detecting such kind of attacks are very imporatant and cannot be ignored. These attacks are more dangerous than the external attacks as there are various mechanisms to detect attacks from external sites. Internal attacks have proved to be more catastrophic. We also concentrate on the slave profile. This is required as the slave devices today have Ethernet communication and can communicate with the Internet. Due to some network configuration loop holes, the device may be accessed due to the internet or the device itself may be configured to be accessed through the internet by the administrator. For example, the slave devices also run HTTP servers which can display the sensor information in the form of a webpage. This device may be configured to be accessed thorugh the internet to check and monitor the sensor readings from a external system. There is no doubt about the possibilities of attack of such systems from the internet. Thus we concentrate on simulating both the master profile, to check internal attacks and also slave profile to check external attacks.
|
|
|
|
|
|
|
|
|
-\subsubsection
|
|
|
+\subsubsection{Exploit Areas}
|
|
|
+
|
|
|
+We discussed the architecture, features and protocols facilitated by the Siemens SIMATIC S7 200 PLC and also security concerns of ICS SCADA systems. There were many exploit areas that were discovered. The PLC was subjected to various exploits and attacks. However, large scale attacks like STUXNET were successful because of vulnerabililtes that existed on the Host controllers as well, that is, Windows OS hosts. It made used of zero day exploits from both Windows OS and the Siemens PLCs. The attack was well designed and strategised considering vulnerabililtes on both systems. There are also small attacks like information leakage from an internet facing PLC, hosting a webserver. Over the years many vulnerabilities have been identified on the Siemens PLCs. It becomes a great challenge to make these systems secure. The PLCs have limited resources and thereby security measures like data encryption may prove expensive. Hence data encryption was avoided. This decision of ignoring secure features induced several exploits for the device.
|
|
|
+
|
|
|
+The Honeypot must be designed keeping all the discovered exploits inorder to be more effective in attracting the attackers. We consider both the external and internal attack approaches hereby devising strategies to capture both kind of attacks. Before we design our Honeypot, it is very important to understand the previous known attacks on PLCs, their impact and the vulnerabilities that caused those attacks.
|
|
|
+
|
|
|
+ \subsection{Design of HosTaGe ICS Honeypot}
|
|
|
+
|
|
|
+ The proposed design of HosTaGe ICS Honeypot simulates the services offered by the Siemens SIMATIC S7 200 PLC and also the master and slave profiles in a ICS SCADA environment. HosTaGe will also simulate the protocols supported by Siemens SIMATIC S7 200. The protocols include MODBUS TCP, TELNET, FTP, SNMP, S7Comm, SMTP.
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+ \subsection {Detecting Internal Attacks}
|
|
|
+
|
|
|
+ As discussed previously, ICS SCADA systems have master and slave profiles. Though the devices are subjected to attacks from external attacks, when made open to the internet, it is proved that major attacks in the past were triggered by systems in the internal network. Attacks from malware such as STUXNET spread from host systems in the same network. Attacks from internal systems have proved to be more effective and dangerous as they do not leave any fingerprints, also their signature cannot be identified by the anti-virus softwares and other protection tools. The STUXNET worm was reported to be injected through a USB flash drive. It made use of zero day vulnerabilities of the Windows operating system, the most popular one being how the Windows operating system handles the LNK files, which are used by the operating system to interpret devices capable of AUTORUN functionality, and to detect the software to run the file based on its format.
|
|
|
+
|
|
|
+An anatomy of similar kind of viruses and malware revealed that they made use of as many zero day vulnerabilities as possible to make the malware attack more effective and stealthy. Identifying such malware attacks through our Honeypot mechanism is a challenge, as it involves careful design and simulation of services involved in such attacks. To achieve this, the conditions under which such worms propagate and try to sneak into the network is studied. Analysis of the studies made by researchers (cite STUXNET: Dissecting a Cyberwarfare weapon) shows that the worm looks for (complete the rest by referring the paper)
|
|
|
+
|
|
|
+As discussed above STUXNET exploits the zero day vulnerabilities on a Windows host and is dormant without it. Hence it is required to simulate atleast one of the zero day vulnerabilites. The best suited amogst the five was the propagation through the network shared drive. This service could be simulated like on a WebDav server. We could then wait for the virus to propagate itself into this simulated location.
|
|
|
+
|
|
|
+ \subsubsection{Detecting malware}
|
|
|
+
|
|
|
+ \subsection{Detection of Multistage Attack Approach}
|
|
|
|
|
|
|
|
|
\subsection{Attacks Log}
|
|
|
|
|
|
|
|
|
-
|
|
|
+
|
|
|
|
|
|
|
|
|
\subsection{Challenges}
|
|
|
- \subsection{Detection of Multistage Attack Approach}
|
|
|
- \subsection{Detecting malware}
|
|
|
|
|
|
+
|
|
|
+\newpage
|
|
|
\section{Evaluation and Results}
|
|
|
\subsection{Attack Data analysis}
|
|
|
\subsection{Conpot and HosTaGe attack comparison}
|
|
|
- \subsection{Vulnerabilities of Siemens S7200}
|
|
|
+ \subsection{A Review Of Vulnerabilities of Siemens S7200}
|
|
|
\subsection{HosTaGe ICS - Performance Evaluation as an Android App}
|
|
|
\subsection{Observation and Analysis}
|
|
|
|
|
|
-
|
|
|
+\newpage
|
|
|
\section{conclusion and Future Work}
|
|
|
|
|
|
|
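Review bot: in the new "Detecting Internal Attacks" text, the proposed bait does not match the propagation path it names: the paragraph picks "propagation through the network shared drive" and then says "This service could be simulated like on a WebDav server", but a worm that spreads via network shares writes to SMB file shares, so a WebDAV emulation would never be touched by it; emulate an SMB share, or state explicitly that WebDAV is only a stand-in and why. "The best suited amogst the five" refers to a list of five vulnerabilities that the previous paragraph still leaves as "(complete the rest by referring the paper)", and "(cite STUXNET: Dissecting a Cyberwarfare weapon)" needs to become a `\cite`. The LNK sentence ("LNK files, which are used by the operating system to interpret devices capable of AUTORUN functionality") should be checked against that paper: LNK files are Windows shortcut files and the exploited flaw was in how Explorer rendered them, which is a separate mechanism from AutoRun. The claim that internal attacks "do not leave any fingerprints" and that "their signature cannot be identified by the anti-virus softwares" is stated without support and should be qualified. Also: the Design paragraph's protocol list (MODBUS TCP, TELNET, FTP, SNMP, S7Comm, SMTP) omits HTTP although the Protocols subsection includes it; the moved `\subsubsection{Detecting malware}` and `\subsection{Detection of Multistage Attack Approach}` are still empty; and `\section{conclusion and Future Work}` needs a capital C.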