Successfully reported this slideshow.

Man in the middle attacks on IEC 60870-5-104

6

Share

Sep. 16, 2014
6 likes 6,743 views
Upcoming SlideShare
IEC 61850 Lessons Learned 2016 04-11
IEC 61850 Lessons Learned 2016 04-11
Loading in …3
×
1 of 34
1 of 34

Man in the middle attacks on IEC 60870-5-104

Sep. 16, 2014
6 likes 6,743 views

6

Share

Download to read offline

Technology

Man in the middle attacks on IEC 60870-5-104

http://dx.doi.org/10.14236/ewic/ics-csr2014.5

Man in the middle attacks on IEC 60870-5-104

http://dx.doi.org/10.14236/ewic/ics-csr2014.5

Technology

Recommended

More Related Content

Viewers also liked

Man in the Middle Attack on Banks
Marko Elezović
Techniques of attacking ICS systems
qqlan
Man In The Middle
Harun Tamokur
InduSoft Web Studio and DNP3
AVEVA
Practical DNP3 and Modern SCADA Systems
Living Online
IEC104规约介绍
Chen Ray
Man in The Middle Attack
Deepak Upadhyay
Heart Attack !! Survival Technique -Don’t Ever Think That You Are Not Prone T...
Sarah Jiffry
Practical IEC 61850 for Substation Automation for Engineers & Technicians
Living Online
Password sniffing
SRIMCA
Cyber Security in Substation Automation (IEC 61850)
Nikandrov Maxim
Hacking By Nirmal
NIRMAL RAJ
Willowglen Canada, Total SCADA Solutions
MikeVanderZee
MITM attack demov2
Scott Lukasek
Iec61850 primer
Leandro Frezarini
Overview Of I E C61850 Presentation..... W S M
ginquesada

Similar to Man in the middle attacks on IEC 60870-5-104

Stuxnet dc9723
Iftach Ian Amit
Industrial protocols for pentesters
Positive Hack Days
First Responders Course - Session 7 - Incident Scope Assessment [2004]
Phil Huggins FBCS CITP
Tech f43
SelectedPresentations
Vulnerabilities in Android
Birju Tank
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Joe Sylve
SyScan 2016 - Remote code execution via Java native deserialization
David Jorm
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
CODE BLUE
Drilling deeper with Veil's PowerTools
Will Schroeder
The IPv6 Snort Plugin (at DeepSec 2014)
Martin Schütte
Malware's Most Wanted: Linux and Internet of Things Malware
Cyphort
Practical analysis of the cybersecurity of European smart grids
Sergey Gordeychik
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
Sergey Gordeychik
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Marco Balduzzi
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
Felipe Prado
Intrusion detection
Umesh Dhital
H@dfex 2015 malware analysis
Charles Lim
Security mgt track turner-aaron-11am-.issa-la.mobile vulns.150529
ISSA LA
Network Management (CEN166) Project Presentation By Matthew Utin
Matthew Utin, Dip.IT, BSc (Hons) 1st Class

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
On War: With linked Table of Contents Carl Von Clausewitz
(4.5/5)
Free
The Basics of Bitcoins and Blockchains: An Introduction to Cryptocurrencies and the Technology that Powers Them (Cryptography, Derivatives Investments, Futures Trading, Digital Assets, NFT) Antony Lewis
(4/5)
Free
Wizard:: The Life and Times of Nikolas Tesla Marc Seifer
(2.5/5)
Free
How to Lie with Maps, Third Edition Mark Monmonier
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(3/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free

Man in the middle attacks on IEC 60870-5-104

  1. 1. Man in the middle attacks on IEC 60870-5-104 Pete Maynard @pgmaynard ORCID 0000-0002-6267-7530
  2. 2. 2 Introduction ● Pete Maynard ● PhD Student ● CSIT Queen's University Belfast, UK ● Industrial Control System Security ● Partnership with PRECYSE
  3. 3. 3 What I do ● Attacks on SCADA protocols – Replay, MITM, DoS ● Develop detection and prevention methods ● Anomaly detection via machine learning
  4. 4. 4 PRECYSE ● European FP7 Project ● Prevention, protection and REaction to CYber attackS to critical infrastructurEs ● LINZ STROM GmbH (Electrical Distribution Operator)
  5. 5. 5 Talk Overview ● What's SCADA Used for ● SCADA Threats ● Introduction IEC 104 ● Attacking IEC 104
  6. 6. 6 What's SCADA Used for?
  7. 7. 7 How is SCADA used [1] ● MODBUS, DNP3, IEC104, 61850, Profibus … [1] S. Mohagheghi, J. Stoupis, and Z. Wang. Communication protocols and networks for power systems-current status and future trends. In Power Systems Conference and Exposition, 2009. PSCE ’09. IEEE/PES, pages 1–9, March 2009.
  8. 8. 8 What does it do? ● Telemetry control ● Change Settings ● Read/Write/Delete files and directories ● Update firmware
  9. 9. 9 SCADA Threats
  10. 10. 10 Attack Levels Level Example 1 Accident Misconfigured, Firmware Update 2 Novice Script kiddie, port scanning 3 Experienced Replay attack, basic knowledge 4 Advanced Stuxnet, ICS domain knowledge
  11. 11. 11 Threats ● Havex Malware ● OPC to scan for SCADA devices ● Reports back to command and control server ● Recently detected July 2014 – European ICS – Team Since 2011 ● State sponsored?
  12. 12. 12 Scanning for SCADA devices ● Readily available scanners – SCADA StrangeLove[1] ● Simple Python Script ● Return Device name, IP, software version [1] https://github.com/atimorin/scada-tools
  13. 13. 13 SCADA Fuzzers ● Protocol Fuzzers ● Project Robus[1] – DNP3 – Identified many vulnerabilities ● Fuzzing can kill [1] http://www.automatak.com/robus/
  14. 14. 14 Protocol Analysers
  15. 15. 15 Introduction IEC 104
  16. 16. 16 Introduction IEC 60870-5-104 ● International Electrotechnical Commission (IEC) ● IEC 60870 developed periodically between the years 1988 and 2000 ● 6 Main Parts and four companion sections ● Open Standard ● 60870-5-104 defines transmission over TCP/IP
  17. 17. 17 IEC 60870-5-104 Security Issues ● Ported from serial links to TCP/IP ● No authentication ● No encryption ● Uses IP address white-list – Defined on the slave ● TLS encryption recommended – In practice not implemented
  18. 18. 18 104 Payload ASDU
  19. 19. 19 Attacking IEC 104
  20. 20. 20 Capturing Packets ● SPAN Port ● DNS Poisoning ● Content Addressable Memory (CAM) table overflow ● ARP Spoofing
  21. 21. 21 Replay Attack ● Novice level attack ● Capture and replay packets – Command, readings, alerts... ● Replayed packets dropped by kernel ● Tcpreplay alternatives to modify SEQ values
  22. 22. 22 Man In the Middle Attack ● Intercept communications between two or more devices ● Modify and inject packets ● Many tools available – ettercap – cain and abel – DSniff
  23. 23. 23 104 MITM Lab Experiment ● Modify Cause of transmission (CoT) field ● Intercept and set an invalid CoT value ● Detection with SNORT
  24. 24. 24 Cause of Transmission ● CoT values can use the following number ranges: – 1-13 and 20-41 – 14-19 and 42-43 are reserved for future use.
  25. 25. 25 Before and After Capture Before After
  26. 26. Rule alert tcp $104_CLIENT any -> $104_SERVER $104_PORTS (flow: established; content:"|68|"; offset:0; depth:1; pcre:"/[Ss]{5}(x2D|x2E|x2F|x30|x64|x65)/iAR"; content:!"|06|"; offset: 8; depth: 1; msg:"17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field"; classtype:bad-unknown; sid:6666617; rev:1; priority:2;) 26 SNORT Alert Alert [**] [1:6666617:1] 17: SCADA_IDS: IEC 60870-5-104 – Suspicious Value of Transmission Cause Field [**] [Classification: Potentially Bad Traffic] [Priority: 2] 09/09-14:06:10.462288 10.50.50.105:40734 -> 10.50.50.75:22 TCP TTL:64 TOS:0x0 ID:60033 IpLen:20 DgmLen:60 DF ******S* Seq: 0x9A0C38A1 Ack: 0x0 Win: 0x3908 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 1382076960 0 NOP WS: 7
  27. 27. 27 Earth Fault ● Real world situation where an earth fault in the physical electrical grid occurs
  28. 28. 28 Linz Test-bed
  29. 29. 29 Operator View
  30. 30. 30 104 MIM TestBed Environment ● Intercept value, so operators unable to view fault ● 104's Information Objects, M_SP_TB_1 stores the 'ON/OFF' value ● First bit of the SIQ is the SPI field, storing the ON/OFF value.
  31. 31. 31 ON/OFF Value Modification Before After
  32. 32. 32 Conclusion ● Attackers with varying skill levels can compromise SCADA systems – Man-In-The-Middle attacks hiding an earth fault ● New implementations of ICS need to take precautions ● Monitor logs, network, everything ● Enable attack mitigations
  33. 33. 33 Future Work ● Identify features of the IEC104 protocol for anomaly detection ● Propose to develop an Anomaly Detection module for the IEC104 protocol – Detect similar network attacks ● Work on MITM attack for IEC 61850
  34. 34. 34 Questions

×