Attacker approach for attacking ICS

Attacker approach for attacking Industrial Control Systems

Posted on 19-Oct-2014

Category: Technology

TRANSCRIPT

Page 1: Attacker approach for attacking ICS

Attacker approach for attacking Industrial Control Systems

Page 2: ICS from an attacker's view

• Highly attractive target: large-scale damage, affects daily life

• Systems are based on old technology: information security is not built-in, security elements are not system specific

• System infrastructure is complex and includes proprietary protocols

• ICS serve dynamic processes and need frequent adjustments and maintenance

© 2008 PRE-VISION DATA SECURITY LTD. All rights reserved

Page 3: Attack type categorization

• By intention

• By scenario

• By system level being affected

Page 4: Intention

Unintentional: worms, viruses, control system failures or consequences caused by internal personnel or faulty mechanisms

Intentional: deliberate/planned attack

Page 5: Characteristics of an intentional targeted attack

• Requires detailed knowledge of the system and supporting infrastructure

• Directed at specific system elements and for a specific outcome

• Almost always requires the help of an insider

• Code will possess some control capabilities

Page 6: Basic attack scenario

• Center to field

• Field to center

• Center to center

• Field to field

Page 7: System level being affected

• Global communication path

• HMI servers/stations

• Connection to field elements

• PLC memory/PLC logic

• PLC protocols

• IED element signals

Page 8: Motivation

• Terror

• Getting an advantage in a war situation

• Industrial espionage

Page 9: Desired outcome

• Alter

• Disrupt

• Deceive

• Degrade

• Destroy

• POC: a stage in attack tool development

• Building a foundation for later use

Page 10: Time line

• Immediate effect

• Short term effect

• Long term effect

• Creating and maintaining an attack base

Page 11: Control

• Uncontrolled

• Unidirectional

• Bidirectional

Page 12: Means

• DoS: applications, control elements, network elements, servers

• Physical damage

• Damage to data and/or information

• Building a foundation for later use

Page 13: Scale of effect

• Localized

• Widespread

• Cross-infrastructure

Page 14: Choosing targets

Control center

HMI servers

GWs, FEPs, MTUs

Database/historian

Controller (logic/OS/memory)

Protocols

Network and communication elements

Field elements

• IEDs

• Field controllers

• FIU

Page 15: Choosing an access path

Direct: using local access to system elements (including use of carriers)

Indirect: remote access using network/communication lines

Combined: local and remote access

Page 16: Flow chart

Outcome: Alter, Disrupt, Deceive, Degrade, Destroy, POC, Building foundation for later use

Scale: Localized, Widespread, Cross-infrastructure

Means: DoS, Damage to data and information, Physical damage

Time line: Immediate, Short term, Long term

Control type: Uncontrolled, Unidirectional, Bidirectional

Access path: Direct (local), Indirect (remote), Combined

Targets: Control center, Network and communication, Controller, Field elements


Page 18: Topology based scenarios

• Software architecture

– Two tier architecture: HMI and communication server are installed on the same machine

– Three tier architecture: HMI clients, HMI server and/or communication server are installed on different machines

Page 19: Basic ICS architecture (diagram slide)

Page 20: Topology based attack scenario

• Network architecture

– SCADA topology: PLCs are installed across a distributed, large-scale, wide area network, where the PLC might operate using local logic commands.

– DCS: PLCs and industrial control elements are installed on a local area network, where most logic is installed in the DCS software and not on the PLC.

Page 21: Attack vectors

• Protocol based attacks

• PLC logic based attacks

• SCADA/DCS software based attacks

Page 22: Two tier based attacks: protocols + PLC (diagram slide)

Page 23: Two tier based attacks: software + PLC (diagram slide)

Page 24: Network two tier based attacks (diagram slide)

Page 25: Combined three tier based attacks (diagram slide)

Page 26: Attack considerations

• Physical, logical or both

• SCADA, DCS or mix

• Two tier or three tier

• Method: protocol or software

• Main targets

– HMI

– I/O server

– PLC

Page 27: Attack scenarios

• Physical interrupt

• DCS

• Two tier

• Engineering workstation

• PLC logic change

Page 28: Attack sequence

• DCS software, technician laptop

• Protocol based attack

• Installed on the DCS control room main switch

• Step one: proxy ARP manipulation, directing all traffic from the HMI and engineering workstation to the attacker laptop

• The attacker laptop will be used to intercept the "command and utility" password

Page 29: Attack sequence

• With the utility and command password, the attacker will gain access to the PLC main management interface

• Current logic is downloaded

• New logic is uploaded

• The virtual PLC software on the laptop imitates the old logic operation, transmitting the old tags' data to the operators (business as usual from the operator's view)

Page 30: Attack sequence

• New PLC logic architecture

– Long term effect

– Low signature

• Logic operation

• Steam turbine vibration parameter modification

• When the turbine starts to vibrate outside the normal rate, the PLC shall transmit normal operation readings (this can go on for years)
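Two defender-side checks for the sequence on pages 28 to 30, written as an added example that is not part of the original deck: a passive ARP monitor for the step-one traffic redirection, and a cross-check of the PLC-reported vibration tag against an independent monitor for the final deception step. All addresses, sample values and thresholds below are constructed assumptions, not data from any real plant.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed ARP reply log for the control-room segment: (time, sender IP, sender MAC).
# Addresses are placeholders, not from any real plant.
ARP_EVENTS = [
    ("10:00:01", "10.1.1.10", "aa:aa:aa:aa:aa:10"),  # HMI
    ("10:00:02", "10.1.1.20", "aa:aa:aa:aa:aa:20"),  # engineering workstation
    ("10:00:03", "10.1.1.1",  "aa:aa:aa:aa:aa:01"),  # PLC-side gateway
    ("10:05:00", "10.1.1.10", "bb:bb:bb:bb:bb:99"),  # HMI IP now answered by a different MAC
    ("10:05:00", "10.1.1.20", "bb:bb:bb:bb:bb:99"),  # the same MAC also claims the workstation
]

def detect_arp_manipulation(events):
    """Passive ARP monitor: alert when an IP's MAC changes, and when one MAC
    accumulates several IPs (the pattern that step one of the sequence produces)."""
    table = {}                       # current IP -> MAC view of the segment
    ips_per_mac = defaultdict(set)   # every IP each MAC has ever claimed
    alerts = []
    for ts, ip, mac in events:
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ts} {ip} moved from {old} to {mac}")
        table[ip] = mac
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:
                alerts.append(f"{ts} {mac} now claims {sorted(ips_per_mac[mac])}")
    return alerts

# Constructed vibration samples (mm/s) for the same turbine: the tag the PLC
# reports to the HMI/historian, and an independent monitor wired around the PLC.
PLC_REPORTED = [2.1, 2.0, 2.1, 2.1, 2.0, 2.1, 2.0, 2.1]
INDEPENDENT  = [2.1, 2.0, 2.2, 3.9, 5.6, 6.8, 7.5, 8.1]

def cross_check_vibration(reported, independent, max_dev=1.0, min_spread=0.1):
    """Return indices where the PLC-reported value disagrees with the independent
    source by more than max_dev, plus a heuristic 'frozen' flag when the reported
    series barely moves (a replayed 'normal' pattern tends to look like this)."""
    divergent = [i for i, (r, s) in enumerate(zip(reported, independent))
                 if abs(r - s) > max_dev]
    frozen = pstdev(reported) < min_spread
    return divergent, frozen

if __name__ == "__main__":
    for alert in detect_arp_manipulation(ARP_EVENTS):
        print("ARP:", alert)
    print("vibration:", cross_check_vibration(PLC_REPORTED, INDEPENDENT))
```

The independent source only helps if its path to the historian does not pass through the PLC that the sequence replaces, which is the assumption the second check rests on.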