Resilience of Cyber-Physical Systems, pp 151-175
Multi-range Decoy I/O Defense of Electrical Substations Against Industrial Control System Malware
Abstract
Industrial control system (ICS) malware campaigns such as BlackEnergy and Dragonfly targeted electrical substations from various ranges relative to the computers that, once infected, pushed the attacks into substation relays. Worm-like propagation of ICS malware across the Internet traverses paths through computers that may be far from their target and that are often completely unrelated to power grid functions. ICS malware hops from computer to computer until it lands on one that has access to a target industrial environment. ICS malware delivered by spear-phishing or website redirection attacks exploits web browser vulnerabilities coupled with human factors of energy company personnel. Watering hole attacks cause the installation of ICS malware on the computers of power grid operators, and sometimes even on the protective relays of an electrical substation. In this chapter we present a line of work that creates and operates industrial mirages, i.e., phantom substation targets for ICS malware to pursue, in order to intercept such malware bound for the power grid. The discussion focuses on decoy I/O. We also describe in general terms the other key elements of industrial mirage at large, and explain how decoy I/O and those elements work together as integral components of the industrial mirage capability. Industrial mirage can actively redirect ICS malware to decoys and sustain prolonged interaction with such malware. We validated this line of work against numerous malware samples involved in recent ICS malware campaigns.
Keywords
Industrial control systems; Malware; Defensive deception
Acknowledgements
This research is sponsored by the Air Force Office of Scientific Research and the U.S. Air Force Academy Center for Cyberspace Research under agreement number FA7000-16-2-0002. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation thereon.
The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Air Force, Department of Defense, or the U.S. Government.