Multi-range Decoy I/O Defense of Electrical Substations Against Industrial Control System Malware
Industrial control system malware campaigns such as BlackEnergy and Dragonfly reached electrical substations from infected computers located at widely varying ranges from the relays into which the attacks were ultimately pushed. Worm-like propagation of such malware over the Internet traverses paths through computers that may be far from the target and that often have nothing to do with power grid functions; the malware hops from computer to computer until it lands on one with access to a target industrial environment. Malware delivered through spear-phishing or website redirection exploits web browser vulnerabilities in combination with the human factors of energy company personnel, and watering hole attacks have led to industrial control system malware being installed on the computers of power grid operators, and occasionally on the protective relays of an electrical substation themselves. In this chapter we present a line of work that creates and operates industrial mirages, i.e., phantom substation targets for industrial control system malware to pursue, in order to intercept such malware before it reaches the power grid. The discussion focuses on decoy I/O. We also describe in general terms the other key elements of industrial mirage, and explain how decoy I/O and those elements work together as integral components of the industrial mirage capability. Industrial mirage actively redirects industrial control system malware to decoys and can sustain prolonged interaction with it. We validated this line of work against numerous malware samples from recent industrial control system malware campaigns.
Keywords: Industrial control systems; Malware; Defensive deception.
This research is sponsored by the Air Force Office of Scientific Research and the U.S. Air Force Academy Center for Cyberspace Research under agreement number FA7000-16-2-0002. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation thereon.
The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Air Force, Department of Defense, or the U.S. Government.