
Updated Thesis Document & Multistage Attack Approach

Shreyas Srinivasa, 8 years ago
parent
commit
79d6340942

+ 64 - 0
src/de/tudarmstadt/informatik/hostage/Services/MultiStage.java

@@ -0,0 +1,64 @@
+package de.tudarmstadt.informatik.hostage.Services;
+
+import android.app.Service;
+import android.content.Intent;
+import android.os.Binder;
+import android.os.IBinder;
+
+import java.util.Date;
+import java.util.HashMap;
+
+import de.tudarmstadt.informatik.hostage.Hostage;
+import de.tudarmstadt.informatik.hostage.logging.Record;
+import de.tudarmstadt.informatik.hostage.persistence.HostageDBOpenHelper;
+import de.tudarmstadt.informatik.hostage.ui.activity.MainActivity;
+
+/**
+ * Created by root on 16.08.15.
+ */
+public class MultiStage extends Service {
+    @Override
+    public IBinder onBind(Intent intent) {
+
+        return null;
+    }
+
+
+    Record record;
+
+    Hostage service;
+
+    HostageDBOpenHelper dbh;
+
+
+
+
+    public HashMap<String, String> getAttackTuple() {
+        return attackTuple;
+    }
+
+    public void setAttackTuple(HashMap<String, String> attackTuple) {
+        this.attackTuple = attackTuple;
+    }
+
+    private HashMap<String,String> attackTuple;
+
+
+    public long getAttackTime() {
+        return attackTime;
+    }
+
+    public void setAttackTime(long attackTime) {
+        this.attackTime = attackTime;
+    }
+
+    private long attackTime;
+
+    public class LocalBinder extends Binder {
+        public Hostage getService() {
+            return (Hostage) Hostage.getContext();
+        }
+    }
+
+
+}
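Review bot: `onBind` returns `null`, so the `LocalBinder` class defined at the bottom of this file can never be handed to a client, and `LocalBinder.getService()` casts `Hostage.getContext()` to `Hostage`, which only holds if that context really is the `Hostage` service instance; either return a `LocalBinder` from `onBind` (after checking what `getContext()` yields) or drop the binder. The fields `record`, `service` and `dbh` and the imports `java.util.Date` and `ui.activity.MainActivity` are unused, the getters and setters sit above the fields they wrap, and the class Javadoc (`Created by root on 16.08.15.`) says nothing about the service's purpose; a sentence on how `attackTuple` and `attackTime` are populated and used by the multistage detection would help the next reader.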

+ 22 - 1
src/de/tudarmstadt/informatik/hostage/logging/Logger.java

@@ -4,6 +4,8 @@ import android.app.IntentService;
 import android.content.Context;
 import android.content.Intent;
 import android.os.Parcelable;
+
+import de.tudarmstadt.informatik.hostage.Services.MultiStage;
 import de.tudarmstadt.informatik.hostage.logging.MessageRecord.TYPE;
 import de.tudarmstadt.informatik.hostage.persistence.HostageDBOpenHelper;
 
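Review bot: The new import of `de.tudarmstadt.informatik.hostage.Services.MultiStage` is not referenced anywhere in the changes to this file (the `logMultiStageAttack` method added further down only builds an `Intent` for `Logger`), so it is an unused import and should be removed; the extra blank line inserted before it can go with it.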
@@ -11,6 +13,7 @@ import de.tudarmstadt.informatik.hostage.persistence.HostageDBOpenHelper;
  * The Logger is used to write the database in dedicated worker threads and implements a message queue.
  * @author Mihai Plasoianu
  * @author Lars Pandikow
+ *
  */
 public class Logger extends IntentService {
 
@@ -69,10 +72,11 @@ public class Logger extends IntentService {
 	public static void logPortscan(Context context, AttackRecord attackRecord, NetworkRecord netRecord, long timestamp){
 		Intent intent = new Intent(context, Logger.class);
 		intent.setAction(ACTION_LOG_PORTSCAN);
-		intent.putExtra(EXTRA_RECORD, (Parcelable)attackRecord);
+		intent.putExtra(EXTRA_RECORD, (Parcelable) attackRecord);
 		intent.putExtra(EXTRA_RECORD2, (Parcelable) netRecord);
 		intent.putExtra(EXTRA_TIMESTAMP, timestamp);
 		context.startService(intent);
+
 	}
 
 	/**
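Review bot: The only change in this hunk besides the cosmetic space in `(Parcelable) attackRecord` is a stray blank line inserted before the closing brace of `logPortscan`; drop it so the whitespace-only churn does not clutter the history.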
@@ -92,6 +96,23 @@ public class Logger extends IntentService {
 	}
 
 
+	/**
+	 * Adds a Multi Stage Attack entry to the database
+	 * @param context
+	 * @param attackRecord
+	 * @param networkRecord
+	 * @param timestamp
+	 */
+	public static void logMultiStageAttack(Context context,AttackRecord attackRecord,NetworkRecord networkRecord, long timestamp){
+		Intent intent = new Intent(context, Logger.class);
+		intent.setAction(ACTION_LOG_PORTSCAN);
+		intent.putExtra(EXTRA_RECORD, (Parcelable)attackRecord);
+		intent.putExtra(EXTRA_RECORD2, (Parcelable)networkRecord);
+		intent.putExtra(EXTRA_TIMESTAMP, timestamp);
+		context.startService(intent);
+
+	}
+
 
 
 
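Review bot: `logMultiStageAttack` sets `intent.setAction(ACTION_LOG_PORTSCAN)`, so a multistage attack is dispatched and stored exactly like a portscan and the new attack type is indistinguishable from a portscan in the database; define a dedicated action constant (for example `ACTION_LOG_MULTISTAGE`, name assumed) and add a matching branch in the intent handler. The Javadoc lists `@param` tags without descriptions, the parameter list `Context context,AttackRecord attackRecord,NetworkRecord networkRecord` needs spaces after the commas to match `logPortscan` above, and the blank line before the closing brace is stray.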

+ 118 - 38
thesis_report/Thesis_Report.tex

@@ -77,24 +77,13 @@
    ICS (Industrial Control Systems) form a dominant portion in present day industries. Strange, yet astonishing, the fact that ICS is also a part of everyday life is also true. ICS components include actuators, sensors, networking devices, controlling systems and PLC's . The sensors form a major part of ICS as they provide continuous feed of critical information which is used to automate and control other systems. The other important component is the PLC. This interface allows a programmer to implement a logic to automate the systems based on the data received from sensors. There are a few different kinds of ICS. One of the major types is SCADA (Supervisory control and data aquisition) which is deployed on geographically widespread and controlled using a central location. Examples to this type include nuclear power plants, water distribution , power distribution where there is a need constant monitoring and critical automation. SCADA systems are mainly deployed where is a need for alarm systems. The other kind of ICS system is the Distributed Control Systems (DCS). On the contrary these systems are not centralized, but distributed across a network. We shall focus more on SCADA ICS systems are they are being deployed in major infrastructures today.
     
    Infrastructures discussed above have a lot of components and devices which need constant communication between them. 
-    
-     
-  \subsection{Honeypots}
-  
-  There has been extensive research going on in the field of honeypots. This section describes related works on honeypots. 
-  
-  Early research on mobile honeypots focused only on  Bluetooth communications[5,17]. The continuous advances in the field of smartphone technology has enabled better opportunities towards honeypot research on smart phones. 
-  There has been existing work that focused on detection of mobile specific malware. The first to discuss the idea of a honeypot for smartphones were Mulliner et al., by providing the initial ideas, challenges and an architecture for their proposed system\cite{mulliner2011poster}. Nomadic Honeypots\cite{Liebergeld_nomadichoneypots:} concentrates on mobile specific malware and also trades off with a lot of personal information.
-  
-  Trend Micro a global security software company conducted an experiment\footnote{http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf} to detect attacks on SCADA by setting up 12 honeypots in 8 countries. The honeypots camouflaged a municipal water control system based on SCADA that was connected to the internet. Attacks were basically focussed on meddling with the pump system.  The objective of this experiment is to assess who/what is attacking Internet-facing ICS/SCADA(Industrial Control Systems) devices and why. In addition, the research set out to identify if the attacks performed on these systems were targeted, by whom, and for what purpose.
-         
-  The honeypot architecture design used a combination of high-interaction and pure-production honeypots. A total of three honeypots were created to ensure as much of the target surface as possible. All three honeypots were Internet facing and used three different static Internet IP addresses in different subnets scattered throughout the United States. 
-         
-   \subsection{SCADA ICS}
+
+
+\subsection{SCADA ICS}
 
 SCADA is an industrial automation control system at the core of many indutries today including Energy, Oil and Gas, power, Water and Recycling , Manufacturing and many more. They are used by both private sector industries and the public sector service providers. It provides the benefit of simple configuration and usability. 
 
-The basic architecture of SCADA involves communication of information from sensors or manual inputs to PLCs or RTUs. These PLCs process the information as per the logic deployed in them and then forward this information to workstations/servers running SCADA applications. SCADA systems usually involve the following componenets:
+The basic architecture of SCADA involves communication of information from sensors or manual inputs to PLCs or RTUs. These PLCs process the information as per the logic deployed in them and then forward this information to workstations/servers running SCADA applications. SCADA systems involve control components and network components. The following is a list of control components in SCADA:
 
 RTU(Remote Terminal Units):These units connect to sensors in the process and convert sensor signals to digital data. They have telemetry hardware capable of sending digital data to the supervisory system, as well as receiving digital commands from the supervisory system. RTUs often have embedded control capabilities in order to accomplish boolean logic operations.
 
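Review bot: The context line `SCADA is an industrial automation control system at the core of many indutries today including Energy, Oil and Gas, power, Water and Recycling , Manufacturing` still has `indutries` and a space before the comma; since the neighbouring line was touched to fix `componenets`, fix this one in the same pass. The opening paragraph of the section also keeps `aquisition`, `PLC's`, `where there is a need constant monitoring` and `We shall focus more on SCADA ICS systems are they are being deployed`, and the moved Honeypots and Trend Micro paragraphs reappear unchanged later in this file, so the move itself is fine.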
@@ -108,36 +97,111 @@ Human–Machine Interface or HMI: It is the apparatus or device which presents p
 
 Historian software:  A software service which accumulates time-stamped data, boolean events, and boolean alarms in a database which can be queried or used to populate graphic trends in the HMI. The historian is a client that requests data from a data acquisition server.
 
+Different network characteristics exist for every layer within the control systems. The network topologies vary by vendors or manufacturers and also on different implementations. Modern day SCADA systems are open to Internet communication and enterprise integration can be achieved. The control networks work in hand with the corporate enterprise networks to better manage and control the systems  from outside networks. The following are the major network components of an ICS network:
+
+Fieldbus Network: The fieldbus network links sensors and other devices to a PLC or other controller. Use of fieldbus technologies eliminates the need for point-to-point wiring between the controller and each device. The devices communicate with the fieldbus controller using a variety of protocols. The messages sent between the sensors and the controller uniquely identify each of the sensors.
+
+Control Network: The control network connects the supervisory control level to lower-level control modules.
+
+Communications Routers: A router is a communications device that transfers messages between two networks. Common uses for routers include
+connecting a LAN to a WAN, and connecting MTUs and RTUs to a long-distance network medium for SCADA communication.
+
 
 SCADA applications help in monitoring, analysing the data  to help the device controllers and operators work efficiently. Modern SCADA systems allow real time data from the plants to be accessed from anywhere in the world. This also means that it provides attackers an opportunity to exploit this data and availability. Exploiting SCADA systems can cause catastrophic as it may result in huge damage to the environment and people in the plant. We try to identify the attacks and exploits that could be made and detect them using a mobile honeypot.
 
 
+
+
+
+ \subsection{Security Concerns of SCADA ICS}
+
+  ICS SCADA systems are highly distributed. They are used to control and manage geographically dispersed plants, often scattered over thousands of kilometers. In these areas centralized data acquisition and control are critical to system operation. They are applicable in distribution systems such as water distribution and wastewater collection systems, oil and natural gas pipelines and electrical power grids.on
+systems. A SCADA control center provides centralized monitoring and control for field sites over long-distance communications networks, including monitoring alarms and processing status data. Based on information received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices, which are often referred to as field devices. Field devices
+control local operations such as opening and closing valves and breakers, collecting data from sensor systems, and monitoring the local environment for alarm conditions. 
+
+As the control center is responsible for managing and controlling the devices at the field site, there is a need to have a critical communication network between them. This is usually established through the MODBUS TCP/IP over the Ethernet. It is usually advised to place the SCADA devices on a network that is not physically connected to any other networks (cite http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf). 
+    
+     
+  \subsection{Honeypots}
+
+
+ A Honeypot is a decoy server or a system in a network which is closely monitored for adversaries. They are mostly deployed inside firewalls, but they could be deployed in any part of the network. It is designed to be a system with vulnerabilities and services that are offered by a real target system. Any attempt to connect to these systems could be considered as an attack. All the activities are logged and further traced. The general idea is that once an adversaryu detects a vulnerable system and tries to attack it, he would come back with more sophisticated attacks. The initial part of discovery and knowing the general services and loopholes is called system social engineering.
+Honeypots provide are active monitoring components that wait for attacks and respond to the attacks by luring the attacker to pursue more.
+
+There are certain main functionalities that the Honeypots must possess in order to perform their main functionality. 
+
+1. Honeypots must simulate the system that they are intend to focus on. This gives the attacker a feeling of approaching a real system. The honeypot may simulate the complete functionality of the system orr just the services offered by the system. 
+
+2. A proper response mechanism which keeps the attacker engaged to the honeypot. This makes better logging of the attack and also provides more data to analyze the attacks. 
+
+3.  
+
+
+
+
+
+ It mainly has three perspectives. Firstly, an attacker perspective, by posing as a vulnerable system; second an administrator who can log identify and log the attacks made by the attacker and third, being able to present and analyse the attacks logged by the administrator. 
+
+
+
+
+  //Explain about Honeypots
+
+  
+  There has been extensive research going on in the field of honeypots. This section describes related works on honeypots. 
+  
+  Early research on mobile honeypots focused only on  Bluetooth communications[5,17]. The continuous advances in the field of smartphone technology has enabled better opportunities towards honeypot research on smart phones. 
+  There has been existing work that focused on detection of mobile specific malware. The first to discuss the idea of a honeypot for smartphones were Mulliner et al., by providing the initial ideas, challenges and an architecture for their proposed system\cite{mulliner2011poster}. Nomadic Honeypots\cite{Liebergeld_nomadichoneypots:} concentrates on mobile specific malware and also trades off with a lot of personal information.
+  
+//make sub subsection types of honeypots 
+//make sub subsection Honeynets
+//make sub subsection Mobile Honeypots
+	//List ablout HosTaGe and other related work on mobile Honeypots       
+      
+   HosTaGe\cite{Vasilomanolakis:2013:TNI:2516760.2516763},\cite{Vasilomanolakis:2014:HMH:2659651.2659663} is an Android App which acts as a mobile honeypot, determined to detect malicious networks and probe for attacks. It is user centric and aims at creating security awareness to its users. The results obtained in this process are synchronised with a global repository and also can be shared locally through bluetooth. The current version has capabilities of emulating as Windows, Unix, Apache Server, SQL and Paranoid host. Attacks through HTTP, SMB, SSH, HTTPS, Telnet and FTP can be identified. 
+       
+
+
+  
+         
+   \subsection{SCADA Honeypots}
+	Trend Micro a global security software company conducted an experiment\footnote{http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf} to detect attacks on SCADA by setting up 12 honeypots in 8 countries. The honeypots camouflaged a municipal water control system based on SCADA that was connected to the internet. Attacks were basically focussed on meddling with the pump system.  The objective of this experiment is to assess who/what is attacking Internet-facing ICS/SCADA(Industrial Control Systems) devices and why. In addition, the research set out to identify if the attacks performed on these systems were targeted, by whom, and for what purpose.
+         
+  The honeypot architecture design used a combination of high-interaction and pure-production honeypots. A total of three honeypots were created to ensure as much of the target surface as possible. All three honeypots were Internet facing and used three different static Internet IP addresses in different subnets scattered throughout the United States.
+
+
+//make sub subsection PLC Honeynet
+//make sub subsection Digital Bond
+//make sub subsection SCADA Honeynet
+SCADA Honeynet Project\cite{5198796} is a project aimed at building honeypots for industrial networks. The industrial hardware include PLCs which also form the backbone of their automation systems.SCADA Honeynet was designed to simulate the PLCs and detect attacks performed on them.The short-term goal of the project was to determine the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures.
+
+//make sub subsection Conpot
+Conpot\footnote{http://conpot.org/} is a low interactive server side ICS honeypot designed to be easy to deploy, modify and extend. It provides a range of common industrial control protocols capable of emulating complex infrastructures to convince an adversary that he just found a huge industrial complex.To improve the deceptive capabilities it also provides the possibility to server a custom human machine interface to increase the honeypots attack surface. The default configuration of Conpot simulates a basic Siemens SIMATIC S7-200 PLC with an input/output module.
+	
+
    
    \subsection{MODBUS}
 
-MODBUS is a serial communications protocol published by Modicon for using in its PLCs. It is now a standard that connects industrial devices together. The basic configuration involves connecting a SCADA supervisory control system to a PLC or RTU. Many of the data types are named from its use in driving relays: a single-bit physical output is called a coil, and a single-bit physical input is called a discrete input or a contact. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves. In a standard Modbus network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves.
+MODBUS denoted IETF RFC 2026 is a serial communications protocol published by Modicon for using in its PLCs. It is now a standard that connects industrial devices together. The basic configuration involves connecting a SCADA supervisory control system to a PLC or RTU. Many of the data types are named from its use in driving relays: a single-bit physical output is called a coil, and a single-bit physical input is called a discrete input or a contact. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves. In a standard Modbus network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves.
+MODBUS TCP/IP specification was introduced to MODBUS to integrate corporate intranet with PLC systems. This made the network better manageable, scalable and also cost-effective.MODBUS TCP/IP offers many advantages:
 
+Simplicity: The TCP is wrapped with MODBUS instruction set. The setup involves simple driver initialization at end devices to communicate. Low development cost, hardware and compatibility with many OS makes it simple.
 
+Standard Ethernet:  Ethernet ingrates easily into simple chipsets and boards. The cost of implementing Ethernet to MODBUS is low and also provides ample resources as there are many developers are working on optimizing the technology. Ethernet port 502 is used by the MODBUS TCP/IP protocol.
 
+Open: The MODBUS protocol has been open source since 2004 and a dedicated organization working towards develpoment,optimization and maintenance.
+
+Compatibility: MODBUS provides interoperability among various vendors and also compatibilty with devices of other manufactureres. 
+
+
+MODBUS TCP/IP is an Internet protocol. This makes the devices open to the Internet. This was a particular feature thhat was incorporated to facilitate better control and making device maintenance through remote systems over the internet. MODBUS is also industrial networks protocol and the industries are geographically separated. MODBUS TCP/IP helps in better management of distributed industrial systems throughout the world. 
 
 
-   
-   \subsection{Mobile Honeypots}
-       
-   \section{Related Work} 
        
-   \subsection{SCADA Honeynet and Conpot} 
    
-   SCADA Honeynet Project\cite{5198796} is a project aimed at building honeypots for industrial networks. The industrial hardware include PLCs which also form the backbone of their automation systems.SCADA Honeynet was designed to simulate the PLCs and detect attacks performed on them.The short-term goal of the project was to determine the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures.
-   
-   
-   Conpot\footnote{http://conpot.org/} is a low interactive server side ICS honeypot designed to be easy to deploy, modify and extend. It provides a range of common industrial control protocols capable of emulating complex infrastructures to convince an adversary that he just found a huge industrial complex.To improve the deceptive capabilities it also provides the possibility to server a custom human machine interface to increase the honeypots attack surface. The default configuration of Conpot simulates a basic Siemens SIMATIC S7-200 PLC with an input/output module.
      
      
-   \subsection{HosTaGe}       
-      
-   HosTaGe\cite{Vasilomanolakis:2013:TNI:2516760.2516763},\cite{Vasilomanolakis:2014:HMH:2659651.2659663} is an Android App which acts as a mobile honeypot, determined to detect malicious networks and probe for attacks. It is user centric and aims at creating security awareness to its users. The results obtained in this process are synchronised with a global repository and also can be shared locally through bluetooth. The current version has capabilities of emulating as Windows, Unix, Apache Server, SQL and Paranoid host. Attacks through HTTP, SMB, SSH, HTTPS, Telnet and FTP can be identified. 
-       
+   
              
        
   \section{Proposed System}
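Review bot: The TODO lines `//Explain about Honeypots`, `//make sub subsection types of honeypots`, `//List ablout HosTaGe ...`, `//make sub subsection PLC Honeynet` and `//make sub subsection Conpot` are not LaTeX comments and will be typeset into the document; use `%` for notes that must not appear in the PDF. In the Security Concerns subsection the fragment `electrical power grids.on` / `systems.` is a broken sentence, and `(cite http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf)` should become a `\cite` of a BibTeX entry for NIST SP 800-82. In the Honeypots subsection the numbered list has an empty item `3.` and uses literal numbers instead of an `enumerate` environment. In the MODBUS subsection, `MODBUS denoted IETF RFC 2026` looks wrong (RFC 2026 is the IETF document describing the Internet Standards Process, not a Modbus specification; check the source), `Ethernet port 502` should read TCP port 502, and `open source since 2004` would be more accurate as the specification being published openly and royalty-free since 2004, since a protocol is not source code. Typos in the added lines: `adversaryu`, `Honeypots provide are active`, `orr`, `server a custom human machine interface` (serve), `ingrates`, `develpoment`, `compatibilty`, `manufactureres`, `thhat`.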
@@ -159,19 +223,35 @@ MODBUS is a serial communications protocol published by Modicon for using in its
 
 The Siemens S7 200 is a micro-programmable logic controller which can control a wide variety of devices to support various automation needs. The S7-200 monitors, inputs and changes outputs as controlled by the user program, which can include Boolean logic, counting, timing, complex math operations, and communications with other intelligent devices. It can control and communicate with devices like automatic pressure controllers, centrifuge pumps, water cooling systems. The STEP 7--Micro/WIN programming package provides a user-friendly environment to develop, edit, and monitor the logic needed to control the application that monitor devices. The Siemens Simatic S7 PLC's use PROFINET which is based on Ethernet for communication. There are over 3 million PROFINET devices deployed worldwide. 
       
-      \subsection{Understanding MODBUS}
+    \subsection{Protocols}
+	
+     \subsection{Design of HosTaGe ICS Honeypot}  
+	
+     \subsection{Perspective}
+	Make points of Adversary Perspective and Administrator Perspective
 
+   \section{Implementation} 
 
-      
-      \subsection{Vulnerability Analysis of SIMATIC s7 200}
-      
-      \section{Implementation}
-      
-      \section{Results and Evaluation}
+	\subsection{SCADA PLC Profiles}
+	\subsection{Protocol Implementation}
+	\subsection{Vulnerabilities}
+	\subsection{Attacks Log}
+	\subsection{Challenges}
+	\subsection{Detection of Multistage Attack approach}
+	\subsection{Detecting malware}
+
+ \section{Evaluation and Results}
+ 	\subsection{Attack Data analysis}
+	\subsection{Conpot and HosTaGe attack comparison}
+	\subsection{Vulnerabilities of Siemens S7200}
+	\subsection{HosTaGe Performance Evaluation}	
+	\subsection{Observation and Analysis}
+
+
+  \section{conclusion and Future Work}
  
 
-	
-            
+          
       \bibliographystyle{plain}
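Review bot: `Make points of Adversary Perspective and Administrator Perspective` under `\subsection{Perspective}` is a placeholder in the document body and will be typeset as text; comment it out with `%` until the subsection is written. `\section{conclusion and Future Work}` needs a capital C to match the other headings, `\subsection{Protocols}` is immediately followed by `\subsection{Design of HosTaGe ICS Honeypot}` with no content, and the new Implementation and Evaluation subsections are all empty, which `plain` LaTeX will render as a run of bare headings. The new `\subsection{Vulnerabilities of Siemens S7200}` also spells the model differently from `S7-200` used in the paragraph above; pick one form.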