hostage/thesis_report/Thesis_Report.tex

\documentclass[article,msc=informatik,type=msc,colorback,accentcolor=tud9c]{tudthesis}
\usepackage{ngerman}

\newcommand{\getmydate}{%
  \ifcase\month%
    \or Januar\or Februar\or M\"arz%
    \or April\or Mai\or Juni\or Juli%
    \or August\or September\or Oktober%
    \or November\or Dezember%
  \fi\ \number\year%
}

\begin{document}
  \thesistitle{A Mobile Honeypot for Industrial Control Systems }
    {}
  \author{Shreyas Srinivasa}
  \birthplace{Bangalore, India}
  \referee{Emmanouil Vasilomanolakis}{}
  \department{Fachbereich Informatik}
  \group{Telekooperation \\ Prof. Dr. Max M{\"u}hlh{\"a}user}
  \dateofexam
  \tuprints{12345}
  \makethesistitle
  


         
  
  \section{Introduction}
   Mobile devices today have better communication capabilities. They enable dynamic and faster communication. Users are able to access internet and web applications through their smart phones anywhere, anytime. Smarter applications offer better social interaction and online presence to the users. This creates an urge to stay connected and be online seamlessly to  be updated.Public infrastructures like airports, coffee shops, shopping malls  provide free access to their networks to its customers to facilitate their connectivity and of course, for some information exchange. With free access to networks, attackers are now concentrating on the possibility of exploiting users in the same network. Securing open networks is very challenging and complex. It is however possible to detect these attacks. A pro-active approach for detecting the attacks is a better approach. Prevention is better than cure, as said, is to better stay away from such environments than get exploited and realize at a later stage.
   
   Huge industries like nuclear power plants, water treatment and distribution plants, manufacturing plants have many complex critical machines and require constant monitoring. They rely on process automation on these machines and are dependent on sensors for making this automation possible. This sensor-to-machine-to-human communication and automation is achieved with the help of PLCs\cite{Webb:1998:PLC:551899} or Programmable Logic Controllers. This communication is usually not secure and is open to attacks. As this hardware has limited computing resources, encryption of data is an expensive option. There have been many attacks detected over the years on SCADA\footnote{http://www.schneider-electric.com/solutions/ww/en/med/20340568/application/pdf/1485se-whitepaper-letter-scadaoverview-v005.pdf} ICS, most notable being STUXNET\cite{Langner:2011:SDC:1990763.1990881}. Securing and detecting attacks in these networks is necessary as it is responsible for communication in critical machines. Failure of such machines could cause a devastation to the environment and human life because of the wide spread use of PLCs in infrastructures like airports, coffee shops and also in prisons. 
   
   
   There are two approaches for detection of attacks. One is by using a NIDS\cite{1377213} (Network Intrusion Detection System ) and the other is by using honeypot\cite{Provos:2004:VHF:1251375.1251376} . NIDS are installed on the server machines or hosts. The requests are scanned and analyzed for exploit-forged packets before they are sent to the server.  NIDS are suitable for systems with high resources. The honeypot approach, rather could be used where there are lesser resources. The idea behind honeypot, is to pose as vulnerable hosts connected to the network, which could be tempting for exploits, thereby trapping the attacker by collecting as much information possible to backtrack, or good enough to detect that the network is under attack. 
   
   \subsection{Motivation}
   
   The applicability of a honeypot in a mobile environment is prodigious, considering the public network infrastructure services offered. Network connectivity has become more of a necessity than a luxury, as technology is continuously evolving. Better services, data management and accessibility draw a lot of users having online space and in the need to stay connected. This need is rendered by some businesses and public infrastructure like airports, malls and cafeterias. With smart phones, people have the power to stay connected and do the majority of the tasks efficiently at their fingertips. Mobile devices today are considered personal devices because of the capability to store, share and process private data. This data is valuable and private to a user and has to be secured. Connecting to public networks can result in lot of vulnerabilities, as there is not always security considered in public networks. With the help of scripts crafted to exploit these vulnerabilities, an attacker can exploit users personal data.
   
   
   Attacks are not limited to the above protocols. Airports, malls, enterprise hotels and huge industries use PLCs\cite{Webb:1998:PLC:551899} (Programmable Logic Controllers) as for many applications such as conveyor belts, elevators, lighting control systems, fire and  safety detection systems in order to automate the tasks quickly without human intervention. PLCs can be programmed logically to specify the methods to be called, based on inputs provided by sensors.  SCADA (Supervisory Control and Data Acquisition) is a system operating with coded signals over the communication channels so as to provide control of remote equipment like PLCs. 
        
   A study made by DELL\cite{DELLSecurityPoster2015} showed that the attacks on Industrial components like PLCs doubled over the years, and even more dangerously, such incidents going unreported. The research found a 100 percent increase in attacks against industrial control systems like SCADA.
        
   Figure 1 gives an understanding of the Key SCADA Attack Methods. It shows that about half of the total attacks were based on improper assignment on bounds of a memory buffer, improper input invalidation, vulnerabilities in credentials management. These vulnerabilities pose as a huge threat to ICS. Figure 2 represents the number of attacks performed over the months. There is a steep increase in the number of attacks performed over the months, expressing the need to safeguard ICS systems and also detect these attacks.
        
        \begin{figure}[ht]
        \centering
        \includegraphics[scale=0.25]{scadamethods}
        \caption[SCADA Attack Types]{\label{f:SCADA Attack}SCADA attack methods\cite{DELLSecurityPoster2015}}
        \end{figure}
        
         
        \begin{figure}[ht]
           \centering
           \includegraphics[scale=0.35]{scadahits}
           \caption[SCADA Hits]{\label{f:SCADA Hits}SCADA hits on a monthly basis.\cite{DELLSecurityPoster2015}}
           \end{figure} 
           
   The majority of industrial systems today use SCADA for controlling and automating their processes.
   Securing these devices is as much important like any other hosts in the network because these devices are programmable and could affect the normal automatized working. STUXNET\cite{Langner:2011:SDC:1990763.1990881}, a computer worm discovered in 2010 was designed to attack industrial programmable logic controllers (PLCs). STUXNET reportedly compromised PLCs in power plant at Iran. The design and architecture of STUXNET is not domain-specific and it could be forged for exploiting modern SCADA and PLC systems.  
  
   \subsection{Contribution}
      
   This theses aims at identifying and detecting the SCADA attacks using a low interaction mobile honeypot platform using which a  industrial PLC will be designed and implemented. An analysis of the communication paradigm and the security loopholes in a SCADA ICS system is made, to simulate the services offered by the system.     
   The thesis also concentrates on contributing to many security related research questions of SCADA ICS systems like identifying the targets, analyzing the malware, assessing the consequences and defending ICS systems.
    
   
   \subsection{Outline}
      
   This thesis topic also aims at adding more capabilities to detect attacks through different malware, mainly focussing on simulating industrial level SCADA PLC to determine malware attacks on them. The rest of the expose is structured as follows. Section 2 will specify the requirements to develop the protocol emulation for mobile honeypot. In Section 3, related work in the area of mobile honeypot and SCADA honeypot are discussed. Section 4 describes a proposed system for a mobile honeypot for ICS systems and Section 5 concludes with a time plan for the thesis. 
     
       
   \section{Background - ICS SCADA and Mobile Honeypots}
    
   ICS (Industrial Control Systems) form a dominant portion in present day industries. Strange, yet astonishing, the fact that ICS is also a part of everyday life is also true. ICS components include actuators, sensors, networking devices, controlling systems and PLC's . The sensors form a major part of ICS as they provide continuous feed of critical information which is used to automate and control other systems. The other important component is the PLC. This interface allows a programmer to implement a logic to automate the systems based on the data received from sensors. There are a few different kinds of ICS. One of the major types is SCADA (Supervisory control and data aquisition) which is deployed on geographically widespread and controlled using a central location. Examples to this type include nuclear power plants, water distribution , power distribution where there is a need constant monitoring and critical automation. SCADA systems are mainly deployed where is a need for alarm systems. The other kind of ICS system is the Distributed Control Systems (DCS). On the contrary these systems are not centralized, but distributed across a network. We shall focus more on SCADA ICS systems are they are being deployed in major infrastructures today.
    
   Infrastructures discussed above have a lot of components and devices which need constant communication between them. 
    
     
  \subsection{Honeypots}
  
  There has been extensive research going on in the field of honeypots. This section describes related works on honeypots. 
  
  Early research on mobile honeypots focused only on  Bluetooth communications[5,17]. The continuous advances in the field of smartphone technology has enabled better opportunities towards honeypot research on smart phones. 
  There has been existing work that focused on detection of mobile specific malware. The first to discuss the idea of a honeypot for smartphones were Mulliner et al., by providing the initial ideas, challenges and an architecture for their proposed system\cite{mulliner2011poster}. Nomadic Honeypots\cite{Liebergeld_nomadichoneypots:} concentrates on mobile specific malware and also trades off with a lot of personal information.
  
  Trend Micro a global security software company conducted an experiment\footnote{http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf} to detect attacks on SCADA by setting up 12 honeypots in 8 countries. The honeypots camouflaged a municipal water control system based on SCADA that was connected to the internet. Attacks were basically focussed on meddling with the pump system.  The objective of this experiment is to assess who/what is attacking Internet-facing ICS/SCADA(Industrial Control Systems) devices and why. In addition, the research set out to identify if the attacks performed on these systems were targeted, by whom, and for what purpose.
         
  The honeypot architecture design used a combination of high-interaction and pure-production honeypots. A total of three honeypots were created to ensure as much of the target surface as possible. All three honeypots were Internet facing and used three different static Internet IP addresses in different subnets scattered throughout the United States. 
         
   \subsection{SCADA ICS}

SCADA is an industrial automation control system at the core of many indutries today including Energy, Oil and Gas, power, Water and Recycling , Manufacturing and many more. They are used by both private sector industries and the public sector service providers. It provides the benefit of simple configuration and usability. 

The basic architecture of SCADA involves communication of information from sensors or manual inputs to PLCs or RTUs. These PLCs process the information as per the logic deployed in them and then forward this information to workstations/servers running SCADA applications. SCADA systems usually involve the following componenets:

RTU(Remote Terminal Units):These units connect to sensors in the process and convert sensor signals to digital data. They have telemetry hardware capable of sending digital data to the supervisory system, as well as receiving digital commands from the supervisory system. RTUs often have embedded control capabilities in order to accomplish boolean logic operations.

Programmable logic controller (PLCs): These devices connect to sensors in the process and convert sensor signals to digital data. PLCs have more sophisticated embedded control capabilities than RTUs. PLCs do not have telemetry hardware, although this functionality is typically installed alongside them. PLCs are sometimes used in place of RTUs as field devices because they are more economical, versatile, flexible, and configurable.

Telemetry system: It is typically used to connect PLCs and RTUs with control centers, data warehouses, and the enterprise. Examples of wired telemetry media used in SCADA systems include leased telephone lines and WAN circuits. Examples of wireless telemetry media used in SCADA systems include satellite (VSAT), licensed and unlicensed radio, cellular and microwave.

Data and Control Server: A data acquisition server is a software service which uses industrial protocols to connect software services, via telemetry, with field devices such as RTUs and PLCs. It allows clients to access data from these field devices using standard protocols.

Human–Machine Interface or HMI: It is the apparatus or device which presents processed data to a human operator, and through this, the human operator monitors and interacts with the process. The HMI is a client that requests data from a data acquisition server.

Historian software:  A software service which accumulates time-stamped data, boolean events, and boolean alarms in a database which can be queried or used to populate graphic trends in the HMI. The historian is a client that requests data from a data acquisition server.


SCADA applications help in monitoring, analysing the data  to help the device controllers and operators work efficiently. Modern SCADA systems allow real time data from the plants to be accessed from anywhere in the world. This also means that it provides attackers an opportunity to exploit this data and availability. Exploiting SCADA systems can cause catastrophic as it may result in huge damage to the environment and people in the plant. We try to identify the attacks and exploits that could be made and detect them using a mobile honeypot.


   
   \subsection{MODBUS}

MODBUS is a serial communications protocol published by Modicon for using in its PLCs. It is now a standard that connects industrial devices together. The basic configuration involves connecting a SCADA supervisory control system to a PLC or RTU. Many of the data types are named from its use in driving relays: a single-bit physical output is called a coil, and a single-bit physical input is called a discrete input or a contact. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves. In a standard Modbus network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves.





   
   \subsection{Mobile Honeypots}
       
   \section{Related Work} 
       
   \subsection{SCADA Honeynet and Conpot} 
   
   SCADA Honeynet Project\cite{5198796} is a project aimed at building honeypots for industrial networks. The industrial hardware include PLCs which also form the backbone of their automation systems.SCADA Honeynet was designed to simulate the PLCs and detect attacks performed on them.The short-term goal of the project was to determine the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures.
   
   
   Conpot\footnote{http://conpot.org/} is a low interactive server side ICS honeypot designed to be easy to deploy, modify and extend. It provides a range of common industrial control protocols capable of emulating complex infrastructures to convince an adversary that he just found a huge industrial complex.To improve the deceptive capabilities it also provides the possibility to server a custom human machine interface to increase the honeypots attack surface. The default configuration of Conpot simulates a basic Siemens SIMATIC S7-200 PLC with an input/output module.
     
     
   \subsection{HosTaGe}       
      
   HosTaGe\cite{Vasilomanolakis:2013:TNI:2516760.2516763},\cite{Vasilomanolakis:2014:HMH:2659651.2659663} is an Android App which acts as a mobile honeypot, determined to detect malicious networks and probe for attacks. It is user centric and aims at creating security awareness to its users. The results obtained in this process are synchronised with a global repository and also can be shared locally through bluetooth. The current version has capabilities of emulating as Windows, Unix, Apache Server, SQL and Paranoid host. Attacks through HTTP, SMB, SSH, HTTPS, Telnet and FTP can be identified. 
       
             
       
  \section{Proposed System}
  
  In this work, a low interaction mobile honeypot mechanism to simulate industrial PLC will be designed and implemented. The design also aims at detecting attacks and making inferences about the attackers and attacks. The final version will be integrated to the HosTaGe app along with the other advanced mechanisms that HosTaGe already provides to its users.  
  As the proposed system deals with implementing a low interaction honeypot, the challenge involves implementing only the essential components or services, that satisfy the discovery and vulnerability to attack them, for example, the network stack. Along with basic attack detection, the system must also have a short response time, robust design to withstand the attacks and also maintain a log of the exploit for further analysis and backtracking. An attempt will be made to detect attacks forged with popular identified worms like STUXNET. The conclusions on the attacks made will be pushed on to a central repository where the details of the attack are made public for users worldwide. The overlay of the proposed system, mechanisms and the evaluation are followed below. 
       
    
  \section{System Design}
  
  HosTaGe has implemented mechanisms to emulate different kind of hosts like a windows host, linux host, webserver, FTP server, SSH server and more. The simulation of industrial level SCADA based PLC will be added to the the existing list of simulated hosts and services. To simulate PLCs it is important to understand their communication and control infrastructure. PLCs have network interfaces that support Ethernet, TCP/IP, MODBUS\cite{4627171}, DeviceNet\cite{898793}, ControlNet\cite{898793}, Foundation Fieldbus\cite{1435740}. The manufacturers have their own in built shells to support FTP commands.  The Ethernet communication module of the PLC typically runs an embedded operating system that includes standard network protocol as well as implementations of industrial network protocols such as Modbus/TCP or EtherNet/IP.  Telnet and FTP servers are common and have identifying information which can be used to determine the vendor and version of software. The network components that need to be simulated in  a PLC are the TCP/IP stack, Modbus/TCP server, FTP server, Telnetd server and a HTTP web server which provides an interface to manage the functioning and control of PLC.
       
  The discovery and identification of the PLC in the network can be through a network nmap scan that reveals information about the host name, ports 21, 80 and 502(Modbus) open. 
        
  The main objective is to detect attacks made using the Modbus port. A logging mechanism logs the information about the attacker in pursuit.  
       
       
      \subsection{Architecture of Siemens SIMATIC s7 200}

The Siemens S7 200 is a micro-programmable logic controller which can control a wide variety of devices to support various automation needs. The S7-200 monitors, inputs and changes outputs as controlled by the user program, which can include Boolean logic, counting, timing, complex math operations, and communications with other intelligent devices. It can control and communicate with devices like automatic pressure controllers, centrifuge pumps, water cooling systems. The STEP 7--Micro/WIN programming package provides a user-friendly environment to develop, edit, and monitor the logic needed to control the application that monitor devices. The Siemens Simatic S7 PLC's use PROFINET which is based on Ethernet for communication. There are over 3 million PROFINET devices deployed worldwide. 
      
      \subsection{Understanding MODBUS}


      
      \subsection{Vulnerability Analysis of SIMATIC s7 200}
      
      \section{Implementation}
      
      \section{Results and Evaluation}
 

	
            
      \bibliographystyle{plain}
      
      
      \bibliography{bibfile}
      
      
\end{document}