Abstract
Modern industrial facilities consist of controllers, actuators and sensors that are connected via traditional IT equipment. The ongoing integration of these systems into the communication network gives rise to new threats and attack possibilities. Industrial networks often use dedicated communication protocols such as Profinet IO (PNIO), which are frequently not supported by typical network security tools. In this work, we present two attack techniques that allow an attacker to take control of a PNIO device and replay previously recorded traffic. We model attack detection rules and propose an intrusion detection system (IDS) for industrial networks that is capable of detecting those replay attacks by correlating alerts from a traditional IT IDS with specific PNIO alarms. As an additional effort, we introduce defense-in-depth mechanisms in order to prevent those attacks from taking effect in the physical world. Thereafter, we evaluate our IDS in a physical demonstrator and compare it with another IDS dedicated to securing PNIO networks. In a conceptual design, we show how network segmentation with flow control allows for preventing some, but not all, of the attacks.
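The detection approach in the abstract rests on correlation: a single IT-IDS alert or a single PNIO alarm is not enough on its own, but both occurring for the same device within a short window is. The following Python sketch is an added example written for this page, not code from the paper or its demonstrator. The alert and alarm type names, the two-second window, the maintenance-window suppression (following the note that the operator is aware of maintenance work) and the sample event stream are all assumptions constructed for the illustration.

```python
"""Alert correlation for replay-attack detection in a PNIO network.

Added example, not the paper's own code. A replay finding is raised only
when an IT-IDS alert and a Profinet IO alarm concern the same device and
fall within a short time window; events inside a known maintenance window
are ignored so planned work does not produce false positives.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since start of observation
    source: str    # "it_ids" (conventional IDS) or "pnio" (PNIO alarm feed)
    device: str    # device identifier, e.g. station name (constructed values)
    kind: str      # alert or alarm type


# Assumed alert types: IT-IDS alerts hinting that a station is being
# impersonated or reconfigured, and PNIO alarms hinting that the controller
# lost or re-established its application relation (AR) with the device.
IT_IDS_KINDS = {"duplicate_mac", "arp_change", "dcp_set_request"}
PNIO_ALARM_KINDS = {"ar_abort", "ar_reconnect"}

WINDOW_S = 2.0  # assumed correlation window in seconds


def in_maintenance(ts, windows):
    """True if timestamp ts lies inside any (start, end) maintenance window."""
    return any(start <= ts <= end for start, end in windows)


def correlate(events, window=WINDOW_S, maintenance_windows=()):
    """Return (device, it_event, pnio_event) triples that correlate.

    For every qualifying PNIO alarm, look for a qualifying IT-IDS alert on
    the same device that preceded it by at most `window` seconds.
    """
    by_device = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if in_maintenance(ev.ts, maintenance_windows):
            continue  # operator-announced work, do not alert on it
        by_device[ev.device].append(ev)

    findings = []
    for device, evs in by_device.items():
        it_evs = [e for e in evs if e.source == "it_ids" and e.kind in IT_IDS_KINDS]
        pn_evs = [e for e in evs if e.source == "pnio" and e.kind in PNIO_ALARM_KINDS]
        for pe in pn_evs:
            for ie in it_evs:
                if 0.0 <= pe.ts - ie.ts <= window:
                    findings.append((device, ie, pe))
                    break  # one IT alert is enough to explain this alarm
    return findings


# Constructed sample stream: one real correlation (io-dev-1), an isolated
# PNIO alarm as seen with plain packet loss (io-dev-2), an isolated IT alert
# (io-dev-3), and a correlated pair that falls into a maintenance window
# (io-dev-4).
SAMPLE_EVENTS = [
    Event(10.0, "it_ids", "io-dev-1", "duplicate_mac"),
    Event(10.8, "pnio", "io-dev-1", "ar_abort"),
    Event(20.0, "pnio", "io-dev-2", "ar_abort"),
    Event(30.0, "it_ids", "io-dev-3", "arp_change"),
    Event(40.0, "it_ids", "io-dev-4", "dcp_set_request"),
    Event(40.5, "pnio", "io-dev-4", "ar_abort"),
]
MAINTENANCE = [(39.0, 45.0)]  # constructed announced maintenance window


def main():
    for device, ie, pe in correlate(SAMPLE_EVENTS, maintenance_windows=MAINTENANCE):
        print(f"possible replay on {device}: {ie.kind} at {ie.ts}s "
              f"followed by PNIO {pe.kind} at {pe.ts}s")


if __name__ == "__main__":
    main()
```

Run as-is, the script reports only io-dev-1: the isolated PNIO alarm on io-dev-2 (the kind of event a best-effort network produces by itself) and the isolated IT alert on io-dev-3 stay silent, and the io-dev-4 pair is suppressed by the maintenance window. The same correlation without a maintenance window would report io-dev-4 as well, which is the false positive the operator-awareness note is meant to avoid.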
Notes
This means that such a PNIO network should ideally be operated in a completely separated environment without any link to the outside.
For obvious reasons, attacks causing irreversible damages and possibly injuring people are not allowed to be performed in our laboratory.
PNIO supports up to 5 ms cycle time (1 ms in the isochronous real-time class).
In tests, we discovered answer times less than 1 ms.
In order to eliminate false positives, we expect the operator receiving alerts from the IDS will be aware of any maintenance work.
caused by the “best effort” delivery approach in networking devices
Pfrang, S., Meier, D. Detecting and preventing replay attacks in industrial automation networks operated with profinet IO. J Comput Virol Hack Tech 14, 253–268 (2018). https://doi.org/10.1007/s11416-018-0315-0