SlideShare a Scribd company logo

Man in the middle attacks on IEC 60870-5-104

P
pgmaynard

Man in the middle attacks on IEC 60870-5-104 http://dx.doi.org/10.14236/ewic/ics-csr2014.5

Technology
1 of 34
Download to read offline
Man in the middle attacks on IEC 60870-5-104 Pete Maynard @pgmaynard ORCID 0000-0002-6267-7530
2 Introduction ● Pete Maynard ● PhD Student ● CSIT Queen's University Belfast, UK ● Industrial Control System Security ● Partnership with PRECYSE
3 What I do ● Attacks on SCADA protocols – Replay, MITM, DoS ● Develop detection and prevention methods ● Anomaly detection via machine learning
4 PRECYSE ● European FP7 Project ● Prevention, protection and REaction to CYber attackS to critical infrastructurEs ● LINZ STROM GmbH (Electrical Distribution Operator)
5 Talk Overview ● What's SCADA Used for ● SCADA Threats ● Introduction IEC 104 ● Attacking IEC 104
6 What's SCADA Used for?
7 How is SCADA used [1] ● MODBUS, DNP3, IEC104, 61850, Profibus … [1] S. Mohagheghi, J. Stoupis, and Z. Wang. Communication protocols and networks for power systems-current status and future trends. In Power Systems Conference and Exposition, 2009. PSCE ’09. IEEE/PES, pages 1–9, March 2009.
8 What does it do? ● Telemetry control ● Change Settings ● Read/Write/Delete files and directories ● Update firmware
9 SCADA Threats
10 Attack Levels Level Example 1 Accident Misconfigured, Firmware Update 2 Novice Script kiddie, port scanning 3 Experienced Replay attack, basic knowledge 4 Advanced Stuxnet, ICS domain knowledge
11 Threats ● Havex Malware ● OPC to scan for SCADA devices ● Reports back to command and control server ● Recently detected July 2014 – European ICS – Team Since 2011 ● State sponsored?
12 Scanning for SCADA devices ● Readily available scanners – SCADA StrangeLove[1] ● Simple Python Script ● Return Device name, IP, software version [1] https://github.com/atimorin/scada-tools
13 SCADA Fuzzers ● Protocol Fuzzers ● Project Robus[1] – DNP3 – Identified many vulnerabilities ● Fuzzing can kill [1] http://www.automatak.com/robus/
14 Protocol Analysers
15 Introduction IEC 104
16 Introduction IEC 60870-5-104 ● International Electrotechnical Commission (IEC) ● IEC 60870 developed periodically between the years 1988 and 2000 ● 6 Main Parts and four companion sections ● Open Standard ● 60870-5-104 defines transmission over TCP/IP
17 IEC 60870-5-104 Security Issues ● Ported from serial links to TCP/IP ● No authentication ● No encryption ● Uses IP address white-list – Defined on the slave ● TLS encryption recommended – In practice not implemented
18 104 Payload ASDU
19 Attacking IEC 104
20 Capturing Packets ● SPAN Port ● DNS Poisoning ● Content Addressable Memory (CAM) table overflow ● ARP Spoofing
21 Replay Attack ● Novice level attack ● Capture and replay packets – Command, readings, alerts... ● Replayed packets dropped by kernel ● Tcpreplay alternatives to modify SEQ values
22 Man In the Middle Attack ● Intercept communications between two or more devices ● Modify and inject packets ● Many tools available – ettercap – cain and abel – DSniff
23 104 MITM Lab Experiment ● Modify Cause of transmission (CoT) field ● Intercept and set an invalid CoT value ● Detection with SNORT
24 Cause of Transmission ● CoT values can use the following number ranges: – 1-13 and 20-41 – 14-19 and 42-43 are reserved for future use.
25 Before and After Capture Before After
Rule alert tcp $104_CLIENT any -> $104_SERVER $104_PORTS (flow: established; content:"|68|"; offset:0; depth:1; pcre:"/[Ss]{5}(x2D|x2E|x2F|x30|x64|x65)/iAR"; content:!"|06|"; offset: 8; depth: 1; msg:"17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field"; classtype:bad-unknown; sid:6666617; rev:1; priority:2;) 26 SNORT Alert Alert [**] [1:6666617:1] 17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field [**] [Classification: Potentially Bad Traffic] [Priority: 2] 09/09-14:06:10.462288 10.50.50.105:40734 -> 10.50.50.75:22 TCP TTL:64 TOS:0x0 ID:60033 IpLen:20 DgmLen:60 DF ******S* Seq: 0x9A0C38A1 Ack: 0x0 Win: 0x3908 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 1382076960 0 NOP WS: 7
27 Earth Fault ● Real world situation where an earth fault in the physical electrical grid occurs
28 Linz Test-bed
29 Operator View
30 104 MIM TestBed Environment ● Intercept value, so operators unable to view fault ● 104's Information Objects, M_SP_TB_1 stores the 'ON/OFF' value ● First bit of the SIQ is the SPI field, storing the ON/OFF value.
31 ON/OFF Value Modification Before After
32 Conclusion ● Attackers with varying skill levels can compromise SCADA systems – Man-In-The-Middle attacks hiding an earth fault ● New implementations of ICS need to take precautions ● Monitor logs, network, everything ● Enable attack mitigations
33 Future Work ● Identify features of the IEC104 protocol for anomaly detection ● Propose to develop an Anomaly Detection module for the IEC104 protocol – Detect similar network attacks ● Work on MITM attack for IEC 61850
34 Questions

Recommended

Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system securityG Prachi
 
Modbus introduction
Modbus introductionModbus introduction
Modbus introductionPrem Sanil
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber SecurityOWASP EEE
 
ETAP - etap real-time overview
ETAP - etap real-time overviewETAP - etap real-time overview
ETAP - etap real-time overviewHimmelstern
 
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)Ming-Hung Hseih
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
Fieldbus wiring guide
Fieldbus wiring guideFieldbus wiring guide
Fieldbus wiring guideMohamed A Hakim
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 

Recommended

Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system securityG Prachi
 
Modbus introduction
Modbus introductionModbus introduction
Modbus introductionPrem Sanil
 
[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber Security[Bucharest] From SCADA to IoT Cyber Security
[Bucharest] From SCADA to IoT Cyber SecurityOWASP EEE
 
ETAP - etap real-time overview
ETAP - etap real-time overviewETAP - etap real-time overview
ETAP - etap real-time overviewHimmelstern
 
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)
[Advantech] Modbus protocol training (ModbusTCP, ModbusRTU)Ming-Hung Hseih
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
Fieldbus wiring guide
Fieldbus wiring guideFieldbus wiring guide
Fieldbus wiring guideMohamed A Hakim
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 
Overview Of I E C61850 Presentation..... W S M
Overview Of I E C61850 Presentation..... W S MOverview Of I E C61850 Presentation..... W S M
Overview Of I E C61850 Presentation..... W S Mginquesada
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security PresentationFilip Maertens
 
Modbus TCP/IP implementation in Siemens S7-300 PLC
Modbus TCP/IP implementation in Siemens S7-300 PLC Modbus TCP/IP implementation in Siemens S7-300 PLC
Modbus TCP/IP implementation in Siemens S7-300 PLC ITER-India, IPR
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Simatic getting-started-pcs7
Simatic getting-started-pcs7Simatic getting-started-pcs7
Simatic getting-started-pcs7ionut grozav
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
Diameter based Interfaces and description
Diameter based Interfaces and descriptionDiameter based Interfaces and description
Diameter based Interfaces and descriptionManjeet Kaur
 
Iec104 gateway datasheet
Iec104 gateway datasheetIec104 gateway datasheet
Iec104 gateway datasheetvanquanglong
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)rjain51
 
HSRP ccna
HSRP ccna HSRP ccna
HSRP ccna MohamedJafar5
 
Next Generation Network: Security and Architecture
Next Generation Network: Security and ArchitectureNext Generation Network: Security and Architecture
Next Generation Network: Security and Architectureijsrd.com
 
CISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyCISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyKarthikeyan Dhayalan
 
Guide to industrial control systems (ics) security
Guide to industrial control systems (ics) securityGuide to industrial control systems (ics) security
Guide to industrial control systems (ics) securityericv83
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementKarthikeyan Dhayalan
 
Lab practice 1 configuring basic routing and switching (with answer)
Lab practice 1 configuring basic routing and switching (with answer) Lab practice 1 configuring basic routing and switching (with answer)
Lab practice 1 configuring basic routing and switching (with answer) Arz Sy
 
Column Level Encryption in Microsoft SQL Server
Column Level Encryption in Microsoft SQL ServerColumn Level Encryption in Microsoft SQL Server
Column Level Encryption in Microsoft SQL ServerBehnam Mohammadi
 
Practical IIoT Solutions for Manufacturing
Practical IIoT Solutions for ManufacturingPractical IIoT Solutions for Manufacturing
Practical IIoT Solutions for ManufacturingInductive Automation
 
Basic Ups
Basic UpsBasic Ups
Basic UpsMahatma Gandhi Missions College of Engineering & Technology
 
Network security
Network securityNetwork security
Network securityChristalin Nelson
 
IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11Kevin Mahoney
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 

More Related Content

What's hot

Overview Of I E C61850 Presentation..... W S M
Overview Of I E C61850 Presentation..... W S MOverview Of I E C61850 Presentation..... W S M
Overview Of I E C61850 Presentation..... W S Mginquesada
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security PresentationFilip Maertens
 
Modbus TCP/IP implementation in Siemens S7-300 PLC
Modbus TCP/IP implementation in Siemens S7-300 PLC Modbus TCP/IP implementation in Siemens S7-300 PLC
Modbus TCP/IP implementation in Siemens S7-300 PLC ITER-India, IPR
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
Simatic getting-started-pcs7
Simatic getting-started-pcs7Simatic getting-started-pcs7
Simatic getting-started-pcs7ionut grozav
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
Diameter based Interfaces and description
Diameter based Interfaces and descriptionDiameter based Interfaces and description
Diameter based Interfaces and descriptionManjeet Kaur
 
Iec104 gateway datasheet
Iec104 gateway datasheetIec104 gateway datasheet
Iec104 gateway datasheetvanquanglong
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)rjain51
 
Next Generation Network: Security and Architecture
Next Generation Network: Security and ArchitectureNext Generation Network: Security and Architecture
Next Generation Network: Security and Architectureijsrd.com
 
CISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyCISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyKarthikeyan Dhayalan
 
Guide to industrial control systems (ics) security
Guide to industrial control systems (ics) securityGuide to industrial control systems (ics) security
Guide to industrial control systems (ics) securityericv83
 
Lab practice 1 configuring basic routing and switching (with answer)
Lab practice 1 configuring basic routing and switching (with answer) Lab practice 1 configuring basic routing and switching (with answer)
Lab practice 1 configuring basic routing and switching (with answer) Arz Sy
 
Column Level Encryption in Microsoft SQL Server
Column Level Encryption in Microsoft SQL ServerColumn Level Encryption in Microsoft SQL Server
Column Level Encryption in Microsoft SQL ServerBehnam Mohammadi
 
Practical IIoT Solutions for Manufacturing
Practical IIoT Solutions for ManufacturingPractical IIoT Solutions for Manufacturing
Practical IIoT Solutions for ManufacturingInductive Automation
 

What's hot (20)

Overview Of I E C61850 Presentation..... W S M
Overview Of I E C61850 Presentation..... W S MOverview Of I E C61850 Presentation..... W S M
Overview Of I E C61850 Presentation..... W S M
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
 
Modbus TCP/IP implementation in Siemens S7-300 PLC
Modbus TCP/IP implementation in Siemens S7-300 PLC Modbus TCP/IP implementation in Siemens S7-300 PLC
Modbus TCP/IP implementation in Siemens S7-300 PLC
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
Simatic getting-started-pcs7
Simatic getting-started-pcs7Simatic getting-started-pcs7
Simatic getting-started-pcs7
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
 
Diameter based Interfaces and description
Diameter based Interfaces and descriptionDiameter based Interfaces and description
Diameter based Interfaces and description
 
Iec104 gateway datasheet
Iec104 gateway datasheetIec104 gateway datasheet
Iec104 gateway datasheet
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
HSRP ccna
HSRP ccna HSRP ccna
HSRP ccna
 
Next Generation Network: Security and Architecture
Next Generation Network: Security and ArchitectureNext Generation Network: Security and Architecture
Next Generation Network: Security and Architecture
 
CISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyCISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network Topology
 
Guide to industrial control systems (ics) security
Guide to industrial control systems (ics) securityGuide to industrial control systems (ics) security
Guide to industrial control systems (ics) security
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk Management
 
Lab practice 1 configuring basic routing and switching (with answer)
Lab practice 1 configuring basic routing and switching (with answer) Lab practice 1 configuring basic routing and switching (with answer)
Lab practice 1 configuring basic routing and switching (with answer)
 
Column Level Encryption in Microsoft SQL Server
Column Level Encryption in Microsoft SQL ServerColumn Level Encryption in Microsoft SQL Server
Column Level Encryption in Microsoft SQL Server
 
Practical IIoT Solutions for Manufacturing
Practical IIoT Solutions for ManufacturingPractical IIoT Solutions for Manufacturing
Practical IIoT Solutions for Manufacturing
 
Basic Ups
Basic UpsBasic Ups
Basic Ups
 
Network security
Network securityNetwork security
Network security
 

Viewers also liked

IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11Kevin Mahoney
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Manuel Santander
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureqqlan
 
Man in the Middle Atack
Man in the Middle AtackMan in the Middle Atack
Man in the Middle AtackSDU CYBERLAB
 
Feb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityFeb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityCasey Dunham
 
Man in the Middle Attack on Banks
Man in the Middle Attack on BanksMan in the Middle Attack on Banks
Man in the Middle Attack on BanksMarko Elezović
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
InduSoft Web Studio and DNP3
InduSoft Web Studio and DNP3InduSoft Web Studio and DNP3
InduSoft Web Studio and DNP3AVEVA
 
Practical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA SystemsPractical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA SystemsLiving Online
 
IEC104规约介绍
IEC104规约介绍IEC104规约介绍
IEC104规约介绍Chen Ray
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle AttackDeepak Upadhyay
 
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...Sarah Jiffry
 
Practical IEC 61850 for Substation Automation for Engineers & Technicians
Practical IEC 61850 for Substation Automation for Engineers & TechniciansPractical IEC 61850 for Substation Automation for Engineers & Technicians
Practical IEC 61850 for Substation Automation for Engineers & TechniciansLiving Online
 
Password sniffing
Password sniffingPassword sniffing
Password sniffingSRIMCA
 
Cyber Security in Substation Automation (IEC 61850)
Cyber Security in Substation Automation (IEC 61850)Cyber Security in Substation Automation (IEC 61850)
Cyber Security in Substation Automation (IEC 61850)Nikandrov Maxim
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By NirmalNIRMAL RAJ
 

Viewers also liked (20)

IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
 
IEC-61850
IEC-61850IEC-61850
IEC-61850
 
Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
Man in the Middle Atack
Man in the Middle AtackMan in the Middle Atack
Man in the Middle Atack
 
man in the middle
man in the middleman in the middle
man in the middle
 
Feb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityFeb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-Security
 
Man in the Middle Attack on Banks
Man in the Middle Attack on BanksMan in the Middle Attack on Banks
Man in the Middle Attack on Banks
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
Man In The Middle
Man In The MiddleMan In The Middle
Man In The Middle
 
InduSoft Web Studio and DNP3
InduSoft Web Studio and DNP3InduSoft Web Studio and DNP3
InduSoft Web Studio and DNP3
 
Practical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA SystemsPractical DNP3 and Modern SCADA Systems
Practical DNP3 and Modern SCADA Systems
 
IEC104规约介绍
IEC104规约介绍IEC104规约介绍
IEC104规约介绍
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle Attack
 
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
 
Practical IEC 61850 for Substation Automation for Engineers & Technicians
Practical IEC 61850 for Substation Automation for Engineers & TechniciansPractical IEC 61850 for Substation Automation for Engineers & Technicians
Practical IEC 61850 for Substation Automation for Engineers & Technicians
 
Password sniffing
Password sniffingPassword sniffing
Password sniffing
 
Cyber Security in Substation Automation (IEC 61850)
Cyber Security in Substation Automation (IEC 61850)Cyber Security in Substation Automation (IEC 61850)
Cyber Security in Substation Automation (IEC 61850)
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By Nirmal
 

Similar to Man in the middle attacks on IEC 60870-5-104

Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageChris Sistrunk
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяEkaterina Melnik
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 
DPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDSDPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDSVipin Varghese
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...aaajjj4
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadBrain IoT Project
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadBrain IoT Project
 
Datasheet PIC16f887
Datasheet PIC16f887Datasheet PIC16f887
Datasheet PIC16f887whendygarcia
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017Jian-Hong Pan
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...EC-Council
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersPositive Hack Days
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentationSS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentationVEDLIoT Project
 
Gas leakage detection system
Gas leakage detection systemGas leakage detection system
Gas leakage detection systemAashiq Ahamed N
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 

Similar to Man in the middle attacks on IEC 60870-5-104 (20)

Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav
[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav
[IJET-V1I3P17] Authors :Prof. U. R. More. S. R. Adhav
 
DPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDSDPDK layer for porting IPS-IDS
DPDK layer for porting IPS-IDS
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges Ahead
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
Virtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges AheadVirtual Twins: Modeling Trends and Challenges Ahead
Virtual Twins: Modeling Trends and Challenges Ahead
 
Datasheet PIC16f887
Datasheet PIC16f887Datasheet PIC16f887
Datasheet PIC16f887
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentationSS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
SS-CPSIoT 2023_Kevin Mika and Piotr Zierhoffer presentation
 
Gas leakage detection system
Gas leakage detection systemGas leakage detection system
Gas leakage detection system
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 

Recently uploaded

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 

Man in the middle attacks on IEC 60870-5-104

  • 1. Man in the middle attacks on IEC 60870-5-104 Pete Maynard @pgmaynard ORCID 0000-0002-6267-7530
  • 2. 2 Introduction ● Pete Maynard ● PhD Student ● CSIT Queen's University Belfast, UK ● Industrial Control System Security ● Partnership with PRECYSE
  • 3. 3 What I do ● Attacks on SCADA protocols – Replay, MITM, DoS ● Develop detection and prevention methods ● Anomaly detection via machine learning
  • 4. 4 PRECYSE ● European FP7 Project ● Prevention, protection and REaction to CYber attackS to critical infrastructurEs ● LINZ STROM GmbH (Electrical Distribution Operator)
  • 5. 5 Talk Overview ● What's SCADA Used for ● SCADA Threats ● Introduction IEC 104 ● Attacking IEC 104
  • 6. 6 What's SCADA Used for?
  • 7. 7 How is SCADA used [1] ● MODBUS, DNP3, IEC104, 61850, Profibus … [1] S. Mohagheghi, J. Stoupis, and Z. Wang. Communication protocols and networks for power systems-current status and future trends. In Power Systems Conference and Exposition, 2009. PSCE ’09. IEEE/PES, pages 1–9, March 2009.
  • 8. 8 What does it do? ● Telemetry control ● Change Settings ● Read/Write/Delete files and directories ● Update firmware
  • 10. 10 Attack Levels Level Example 1 Accident Misconfigured, Firmware Update 2 Novice Script kiddie, port scanning 3 Experienced Replay attack, basic knowledge 4 Advanced Stuxnet, ICS domain knowledge
  • 11. 11 Threats ● Havex Malware ● OPC to scan for SCADA devices ● Reports back to command and control server ● Recently detected July 2014 – European ICS – Team Since 2011 ● State sponsored?
  • 12. 12 Scanning for SCADA devices ● Readily available scanners – SCADA StrangeLove[1] ● Simple Python Script ● Return Device name, IP, software version [1] https://github.com/atimorin/scada-tools
  • 13. 13 SCADA Fuzzers ● Protocol Fuzzers ● Project Robus[1] – DNP3 – Identified many vulnerabilities ● Fuzzing can kill [1] http://www.automatak.com/robus/
  • 16. 16 Introduction IEC 60870-5-104 ● International Electrotechnical Commission (IEC) ● IEC 60870 developed periodically between the years 1988 and 2000 ● 6 Main Parts and four companion sections ● Open Standard ● 60870-5-104 defines transmission over TCP/IP
  • 17. 17 IEC 60870-5-104 Security Issues ● Ported from serial links to TCP/IP ● No authentication ● No encryption ● Uses IP address white-list – Defined on the slave ● TLS encryption recommended – In practice not implemented
  • 20. 20 Capturing Packets ● SPAN Port ● DNS Poisoning ● Content Addressable Memory (CAM) table overflow ● ARP Spoofing
  • 21. 21 Replay Attack ● Novice level attack ● Capture and replay packets – Command, readings, alerts... ● Replayed packets dropped by kernel ● Tcpreplay alternatives to modify SEQ values
  • 22. 22 Man In the Middle Attack ● Intercept communications between two or more devices ● Modify and inject packets ● Many tools available – ettercap – cain and abel – DSniff
  • 23. 23 104 MITM Lab Experiment ● Modify Cause of transmission (CoT) field ● Intercept and set an invalid CoT value ● Detection with SNORT
  • 24. 24 Cause of Transmission ● CoT values can use the following number ranges: – 1-13 and 20-41 – 14-19 and 42-43 are reserved for future use.
  • 25. 25 Before and After Capture Before After
  • 26. Rule alert tcp $104_CLIENT any -> $104_SERVER $104_PORTS (flow: established; content:"|68|"; offset:0; depth:1; pcre:"/[Ss]{5}(x2D|x2E|x2F|x30|x64|x65)/iAR"; content:!"|06|"; offset: 8; depth: 1; msg:"17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field"; classtype:bad-unknown; sid:6666617; rev:1; priority:2;) 26 SNORT Alert Alert [**] [1:6666617:1] 17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field [**] [Classification: Potentially Bad Traffic] [Priority: 2] 09/09-14:06:10.462288 10.50.50.105:40734 -> 10.50.50.75:22 TCP TTL:64 TOS:0x0 ID:60033 IpLen:20 DgmLen:60 DF ******S* Seq: 0x9A0C38A1 Ack: 0x0 Win: 0x3908 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 1382076960 0 NOP WS: 7
  • 27. 27 Earth Fault ● Real world situation where an earth fault in the physical electrical grid occurs
  • 30. 30 104 MIM TestBed Environment ● Intercept value, so operators unable to view fault ● 104's Information Objects, M_SP_TB_1 stores the 'ON/OFF' value ● First bit of the SIQ is the SPI field, storing the ON/OFF value.
  • 31. 31 ON/OFF Value Modification Before After
  • 32. 32 Conclusion ● Attackers with varying skill levels can compromise SCADA systems – Man-In-The-Middle attacks hiding an earth fault ● New implementations of ICS need to take precautions ● Monitor logs, network, everything ● Enable attack mitigations
  • 33. 33 Future Work ● Identify features of the IEC104 protocol for anomaly detection ● Propose to develop an Anomaly Detection module for the IEC104 protocol – Detect similar network attacks ● Work on MITM attack for IEC 61850