Multi-range Decoy I/O Defense of Electrical Substations Against Industrial Control System Malware

Chapter in: Resilience of Cyber-Physical Systems

Abstract

Industrial control system malware campaigns such as BlackEnergy and Dragonfly reached electrical substations from a variety of ranges: the infected computers that ultimately pushed the attacks into substation relays sat at very different distances from their targets. Worm-like propagation of industrial control system malware across the Internet traverses paths through computers that may be far from the target, and that often are completely unrelated to power grid functions. The malware hops from computer to computer until it lands on one that has access to a target industrial environment. Malware delivered through spear-phishing or website redirection exploits web browser vulnerabilities in combination with the human factors of energy company personnel. Watering hole attacks lead to the installation of industrial control system malware on the computers of power grid operators, and sometimes even on the protective relays of an electrical substation. In this chapter we present a line of work that creates and operates industrial mirages, i.e., phantom substation targets that industrial control system malware is led to pursue, in order to intercept such malware before it reaches the power grid. The discussion focuses on decoy I/O. We also describe, in general terms, the other key elements of industrial mirage at large, and explain how decoy I/O and those elements work together as integral components of the industrial mirage capability. Industrial mirage actively redirects industrial control system malware to decoys and can sustain prolonged interaction with it. We validated this line of work against numerous malware samples involved in recent industrial control system malware campaigns.
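As an added illustration (not code from the chapter, whose decoy I/O mechanism is not described on this page), the following Python sketches the behaviour the abstract attributes to a phantom substation target: a decoy that answers like a protective relay so that malware keeps interacting with it, while treating every contact as evidence, since no legitimate process has any reason to talk to a device that does not exist. The protocol (Modbus/TCP), the register map, the peer address, and the names `DecoyRelay`, `request` and `demo` are assumptions chosen for this example.

```python
"""Phantom relay: a decoy Modbus/TCP endpoint for catching ICS malware.

Constructed example; protocol, register map and peer addresses are assumed.
Rule of the decoy: nothing legitimate ever talks to a device that does not
exist, so every request is recorded, every control write raises an alert, and
the reply is still plausible so the intruder keeps interacting.
"""
import math
import struct
from dataclasses import dataclass, field

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_ADDRESS = 0x02


def request(tid: int, unit: int, fc: int, *words: int) -> bytes:
    """Build a Modbus/TCP ADU (MBAP header + PDU) with 16-bit payload words."""
    pdu = bytes([fc]) + struct.pack(">%dH" % len(words), *words)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


@dataclass
class DecoyRelay:
    # Assumed register map a scanner would expect on a feeder relay:
    # 0 = line current (A x10), 1 = bus voltage (V), 2 = breaker closed flag.
    registers: dict = field(default_factory=lambda: {0: 4120, 1: 13800, 2: 1})
    coils: dict = field(default_factory=lambda: {0: True})  # coil 0 = breaker
    tick: int = 0
    events: list = field(default_factory=list)

    def _drift(self) -> None:
        """Slowly varying readings so repeated polls do not look frozen."""
        self.tick += 1
        self.registers[0] = 4120 + int(40 * math.sin(self.tick / 7.0))
        self.registers[1] = 13800 + (self.tick % 5) - 2

    def _adu(self, tid: int, unit: int, pdu: bytes) -> bytes:
        return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

    def _exception(self, tid, unit, fc, code, peer) -> bytes:
        self.events.append(("exception", peer, fc, code))
        return self._adu(tid, unit, bytes([fc | 0x80, code]))

    def handle(self, frame: bytes, peer: str) -> bytes:
        """Parse one request ADU from `peer`, record it, return the reply ADU."""
        if len(frame) < 8:
            self.events.append(("malformed", peer, frame.hex()))
            return b""
        tid, _pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
        data = frame[8:6 + length]
        self._drift()
        if fc == READ_HOLDING_REGISTERS and len(data) == 4:
            start, qty = struct.unpack(">HH", data)
            addrs = range(start, start + qty)
            if not 1 <= qty <= 125 or any(a not in self.registers for a in addrs):
                return self._exception(tid, unit, fc, EXC_ILLEGAL_ADDRESS, peer)
            self.events.append(("read", peer, start, qty))  # reconnaissance
            values = [self.registers[a] for a in addrs]
            pdu = bytes([fc, 2 * qty]) + struct.pack(">%dH" % qty, *values)
            return self._adu(tid, unit, pdu)
        if fc == WRITE_SINGLE_REGISTER and len(data) == 4:
            addr, value = struct.unpack(">HH", data)
            if addr not in self.registers:
                return self._exception(tid, unit, fc, EXC_ILLEGAL_ADDRESS, peer)
            self.registers[addr] = value
            self.events.append(("ALERT write_register", peer, addr, value))
            return self._adu(tid, unit, bytes([fc]) + data)  # echo = success
        if fc == WRITE_SINGLE_COIL and len(data) == 4:
            addr, value = struct.unpack(">HH", data)
            if addr not in self.coils or value not in (0x0000, 0xFF00):
                return self._exception(tid, unit, fc, EXC_ILLEGAL_ADDRESS, peer)
            self.coils[addr] = value == 0xFF00
            self.events.append(("ALERT write_coil", peer, addr, self.coils[addr]))
            return self._adu(tid, unit, bytes([fc]) + data)
        self.events.append(("probe", peer, fc))  # unsupported function = fingerprinting
        return self._exception(tid, unit, fc, EXC_ILLEGAL_FUNCTION, peer)

    def alerts(self) -> list:
        """Control operations against a phantom device: unambiguous intrusion evidence."""
        return [e for e in self.events if e[0].startswith("ALERT")]


def demo() -> tuple:
    """Replay a constructed intruder session: poll, probe, then trip the breaker."""
    relay = DecoyRelay()
    peer = "10.20.30.40"  # assumed address of the compromised engineering host
    relay.handle(request(1, 1, READ_HOLDING_REGISTERS, 0, 3), peer)
    relay.handle(request(2, 1, 0x2B), peer)  # device-identification probe
    relay.handle(request(3, 1, WRITE_SINGLE_COIL, 0, 0x0000), peer)  # open breaker
    return len(relay.events), len(relay.alerts()), relay.coils[0]


if __name__ == "__main__":
    print(demo())  # (4, 1, False)
```

The design point is the asymmetry of evidence: a read of the decoy's registers is reconnaissance worth logging, a write to a coil or register on a device that does not exist is an alert with no benign explanation, and an unsupported function code is a fingerprinting attempt. Because the replies are well-formed and the measurements drift between polls, a scanner that found the phantom has no protocol-level reason to abandon it. A deployment would bind `handle` to a TCP listener on the decoy address and forward `events` to the monitoring pipeline.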



Acknowledgements

This research is sponsored by the Air Force Office of Scientific Research and the U.S. Air Force Academy Center for Cyberspace Research under agreement number FA7000-16-2-0002. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation thereon.

The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Air Force, Department of Defense, or the U.S. Government.

Author information

Corresponding author: Julian L. Rrushi

Copyright information

© 2019 Springer International Publishing AG, part of Springer Nature

About this chapter

Cite this chapter

Rrushi, J.L. (2019). Multi-range Decoy I/O Defense of Electrical Substations Against Industrial Control System Malware. In: Flammini, F. (ed.) Resilience of Cyber-Physical Systems. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-319-95597-1_7

  • DOI: https://doi.org/10.1007/978-3-319-95597-1_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-95596-4

  • Online ISBN: 978-3-319-95597-1

  • eBook Packages: Computer Science
