DOI: 10.1145/3140241.3140254 (ACM Conference Proceedings, CCS)
Research article

On the Significance of Process Comprehension for Conducting Targeted ICS Attacks

Published: 03 November 2017

Abstract

The exploitation of Industrial Control Systems (ICSs) has been described as both easy and impossible; where does the truth lie? Post-Stuxnet work has included a plethora of ICS-focused cyber security research activities, with topics covering device maturity, network protocols, and overall cyber security culture. We often hear the notion that ICSs are highly vulnerable due to a lack of inbuilt security mechanisms, and are considered low-hanging fruit for a variety of low-skilled threat actors. While there is substantial evidence to support such a notion, when considering targeted attacks on ICS it is hard to believe that an attacker with limited resources, such as a script kiddie or hacktivist, using publicly accessible tools and exploits alone, would have adequate knowledge and resources to achieve targeted operational process manipulation while simultaneously evading detection. Through use of a testbed environment, this paper provides two practical examples based on a Man-In-The-Middle scenario, demonstrating the types of information an attacker would need to obtain, collate, and comprehend in order to begin targeted process manipulation and detection avoidance. This allows for a clearer view of the associated challenges, and illustrates why targeted ICS exploitation might not be possible for every malicious actor.




Published In

CPS '17: Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy
November 2017
146 pages
ISBN:9781450353946
DOI:10.1145/3140241

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. ics
  2. mitm
  3. ot
  4. reconnaissance
  5. scada

Qualifiers

  • Research-article

Conference

CCS '17

Acceptance Rates

CPS '17 Paper Acceptance Rate 8 of 10 submissions, 80%;
Overall Acceptance Rate 53 of 66 submissions, 80%


Article Metrics

  • Downloads (last 12 months): 46
  • Downloads (last 6 weeks): 5
Reflects downloads up to 19 Dec 2024

Cited By

  • (2024) SoK: A Reality Check for DNP3 Attacks 15 Years Later. Smart Cities 7(6), 3983-4001. DOI: 10.3390/smartcities7060154. Published 14 Dec 2024.
  • (2024) Security Assessment of Industrial Control System Applying Reinforcement Learning. Processes 12(4), 801. DOI: 10.3390/pr12040801. Published 16 Apr 2024.
  • (2024) "If You Build it, They will Come" - A Blueprint for ICS-focused Capture-The-Flag Competitions. Proceedings of the Sixth Workshop on CPS&IoT Security and Privacy, 27-40. DOI: 10.1145/3690134.3694818. Published 19 Nov 2024.
  • (2024) Dead Man’s PLC: Towards Viable Cyber Extortion for Operational Technology. Digital Threats: Research and Practice 5(3), 1-24. DOI: 10.1145/3670695. Published 20 Jun 2024.
  • (2024) Research on network security situation awareness technology for new energy power plants. Eighth International Conference on Energy System, Electricity, and Power (ESEP 2023), 455. DOI: 10.1117/12.3025102. Published 13 May 2024.
  • (2024) These are Not the PLCs You are Looking for: Obfuscating PLCs to Mimic Honeypots. IEEE Transactions on Network and Service Management 21(3), 3623-3635. DOI: 10.1109/TNSM.2024.3361915. Published Jun 2024.
  • (2024) A Tale of Two Industroyers: It was the Season of Darkness. 2024 IEEE Symposium on Security and Privacy (SP), 312-330. DOI: 10.1109/SP54263.2024.00162. Published 19 May 2024.
  • (2024) A Methodology to Measure the “Cost” of CPS Attacks: Not all CPS Networks are Created Equal. 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 112-129. DOI: 10.1109/EuroSPW61312.2024.00019. Published 8 Jul 2024.
  • (2024) Physics-aware targeted attacks against maritime industrial control systems. Journal of Information Security and Applications 82, 103724. DOI: 10.1016/j.jisa.2024.103724. Published May 2024.
  • (2023) Blind Concealment from Reconstruction-based Attack Detectors for Industrial Control Systems via Backdoor Attacks. Proceedings of the 9th ACM Cyber-Physical System Security Workshop, 36-47. DOI: 10.1145/3592538.3594271. Published 10 Jul 2023.
