Critical Infrastructure Protection against targeted attacks on cyber-physical systems

Critical Infrastructure Protection against targeted attacks on
cyber-physical systems
Protocol behavior analysis and operational correlation detection
Author:
Enrique Martín García
Telvent Global Services
enrique.martingarcia@telvent.com
August the 25th 2015

Critical Infrastructure Protection against targeted attacks on cyber-physical systems
Protocol behavior analysis detection and operational correlation
2
Contents
Introduction.....................................................................................................................................3
Critical sector and critical infrastructure ......................................................................................4
Legal framework.............................................................................................................................................. 4
Technical characteristics.................................................................................................................................. 5
Taxonomy of attacks on cyber-physical systems ........................................................................7
Damage to equipment ...................................................................................................................................... 7
Damage to Production...................................................................................................................................... 8
Deterioration of compliance............................................................................................................................. 8
Critical Infrastructure Protection...................................................................................................9
People............................................................................................................................................................... 9
Procedures........................................................................................................................................................ 9
Technologies.................................................................................................................................................. 10
Network intrusion detection System (NIDS)............................................................................................. 11
NIDS based on deep protocol behavior inspection.................................................................................... 12
Operational Correlation ............................................................................................................................. 13
Future trends: S-IDS .................................................................................................................................. 14
Detection of cyber-physical attacks............................................................................................15
Conclusions..................................................................................................................................17
About Telvent Global Services ....................................................................................................17
Acknowledgements ......................................................................................................................17
References ....................................................................................................................................18

3
Introduction
From the Aurora [1]
experiment cyber attack on a power generator in 2007, which was intended to
demonstrate the ability to produce physical damage to assets remotely, to this day, this type of attack
has materialized twice.
The first cyber-physical attack in history recorded, documented and widely known in the field of
industrial cyber security professionals was STUXNET [2]
(2010), which marked the beginning of the
development of this discipline and most protective standards for critical infrastructure, as it
demonstrated the enormous destructive power of malware aimed at the destruction of the centrifuges
in charge of uranium enrichment that Iran would use in its production of nuclear weapons.
The second cyber attack with physical consequences occurred recently (end of 2014) in a German
steel plant [3]
, in which a cyber attack triggered after access control network from the business
network, did not allow a graceful shutdown for a blast furnace, although the details and effects
thereof have not been studied with the same detail as in the case of STUXNET.
In 2015 the interest on such attacks focus in altering the physical behavior of the environment
through cyber attacks has increased through experiments carried out on cars [4]
, medical instruments
[5]
and numerous automation devices connected to the Internet.
This technical note (White Paper) looks the higher impact (and therefore riskier) attacks on cyber-
physical systems in critical infrastructure control networks and propose protection by making some
changes on organizations structures and procedures and new technologies of intrusion detection
based on analysis behavior of control protocols and correlation of operational events.

4
Critical sector and critical infrastructure
To put into context the domain to protect from such attacks, we describe the characteristics
considered critical infrastructure in Europe and in Spain.
Legal framework
In January 2009 it came into effect Directive 2008/114 / EC of the Council of the European Union
which established the need to identify Europe's critical infrastructures in order to design strategies to
protect them.
In this Directive the need to identify infrastructure of energy and transport sectors, leaving open the
possibility that all member states identify additional critical sectors.
As of December 2014 the European Agency for Network Security and Information Agency (ENISA)
published a guide [6]
for the identification of critical assets
This guide showed critical sectors already identified by the member countries of the Union and can
be seen in the following table:

5
Spain has identified twelve critical sectors:
 Energy (With three subsectors: Electricity, Oil and Gas)
 Nuclear
 Economics (Finance and Tax Administration)
 Water
 Transportation (With three subsectors: air, sea and land)
 Food
 Information Technologies and Communications
 Chemical
 Health
 Space
 Public administration
 Investigation
In each of these sectors they have been appointed or will be appointed in the near future, a set of
Critical Operators (OC), which are those owners or operators of infrastructures which provide
essential services and whose attack could lead to damages broad sectors of the population. This set of
infrastructures will shape our domain to protect and share a number of common technical
characteristics.
Technical characteristics.
Many classified as critical infrastructure have a hybrid architecture in which there are networks of
classical information technology (IT Network) and industrial control networks (OT Network)
managing the elements that interact with the physical environment (cyber-physical systems). A basic
scheme of this type of infrastructure could be the following:

6
Cyber-physical systems control a particular process and are managed by network systems, operate
according to the following basic scheme:
The sensors measure the current process values on fixed intervals and send them to the control units
assessing the need to send orders to the actuators to assure process remains within the values for
which it was created and behave according to the original design.
Today all this traffic control has been migrating to TCP and conventional operating systems, which
has made no earlier existing attack surfaces appear.
The key characterisitics of the OT networks can be summarized as follows:
 Less devices and services than IT networks.
 They should never be directly connected to Internet.
 Execute repetitive operations between its nodes and systems.
 Very sensitive to delays or communication problems.
But these classes of networks also have strong weakness as:
 Use of unsecure or unauthenticated protocols.
 Often not segmented logically or physically.
 No possibility of installing third party software on some systems.
 No possibility of patching or update certain systems
These features and constraints make protection of such critical networks very special and, as
discussed below, using specific strategies and technologies for this type of environment.

7
Taxonomy of attacks on cyber-physical systems
Although the number and nature of cyber attacks on control systems that could have effects on the
physical environment is very broad, we will only consider those that have been studied by various
stakeholders in the industrial Cyber Security.
In particular, recent studies [7] [10]
define the following categories depending on the purpose of
physical cyber attack:
 Damage to equipment
 Damage to Production
 Deterioration of compliance
Let’s see each of them in detail:
Damage to equipment
Such cyber attacks are intended to produce permanent failures and breakdowns on industrial
equipment interacting with the physical environment. In particular, attacks have been studied on the
following elements:
 Pipes and pipelines: The valve opening and closing quickly, and sometimes coordinated, is
capable of causing a physical phenomenon called "water hammer" consisting of an increase
in pressure inside the pipe that can be higher than the structural strength thereof, causing
breakage and subsequent discharge of fluid (liquid or gas).
 Tanks: In many cases Tanks are designed to withstand very high internal pressures, but at
very low internal pressure (or vacuum), collapse. Sudden changes in the temperature inside a
tank can lead to abrupt changes in internal pressure, which could eventually collapse it.
 Generators: As demonstrated in the Aurora experiment, opening and closing off phase
switches from a generator connected to an electrical substation produce kinetic effects that
physically break it.
 Engines: Stuxnet cyber attack in the last phase tended to accelerate the engines of uranium
centrifuges for long periods of time causing material fatigue and subsequent failure.
 Chemical Reactors: The most common chemical reactions typically occur at high
temperatures, so a change in the conditions of reaction control may be associated with a
significant increase in temperature would cause thermal damage to the reactor structure,
reaching its total destruction.
It is also possible to combine two or more of these attacks each other, so that the power loss is
associated with a loss of control of some element or its inlet in an unstable operating condition.
Although we have been considering these as attacks, there are historical examples on great industrial
accidents caused by abnormal functions in control systems [12]
.
The following points will demonstrate how these detection technologies can help on detecting some
operational failures that could lead to serious industrial accidents as well.

8
Damage to Production
The purpose of this type of cyber attacks to the process is altering the financial results of the
organization that operates such processes. Among them they have been studied the following:
 Decrease the amount of final product: By changing certain variables control the process at
specific points, you can alter the amount of product obtained. A clear example of this is built
on the production of vinyl acetate monomer [7] Black Hat in Las Vegas in August 2015.
 Decrease in product purity: If the alterations made to
the process control variables do change the purity of the
final product, you can produce a significant devaluation
of the same. A concrete example is the Paracetamol,
whose purity can alter the price by several orders of
magnitude.
 Increase in operating and maintenance costs: Cyber attacks can cause alarm processes
intentionally to force recalibration of the field elements as often as desired attackers, thereby
increasing the costs of the targeted organization. Moreover, repeated attacks on processes
with different values is one of the most common practices of hiding them, because that way
the suspicions maintenance teams move the organization.
Deterioration of compliance
Legal and regulatory frameworks to be met by organizations, makes certain commitments made by
them can have very significant penalties for breach thereof. Among this kind of commitment we can
find the following:
 Safety regulations: Altering a security parameter of the industrial plant may entail a
violation of any rules of physical security which in turn is liable to a major fine if inspection.
 Impact on the environment: discharges into rivers or waste production values of certain
compounds above the permissible threshold are punished with significant financial penalties.
 Contractual breaches: The purity or quantity alteration of the product can make certain
clauses of the contracts do not meet preventing accorded billing and causing significant
economic losses to the organization.
All these cyber attacks studied in the past year, have a number of common characteristics:
 Semantic attacks: They are necessary depth knowledge of the environment, the process and
the variables to be altered to produce the desired effects.
 Targeted to the control network: Using "legitimate” users and systems, over
unauthenticated control protocols and "valid" commands, and executed with appropriate
permissions.
 Conducted by multidisciplinary teams: Composed by an IT team (Network and Systems),
an OT team (SCADA) and process engineers (of the attacked sector)

9
In view of the nature of cyber-physical and processes attacks, and the above on the technical
characteristics of the control networks, critical infrastructure protection presents a number of
problems that can only be addressed using the solutions that describe the next point.
It might seem that this type of attack is too complicated or exceptional to take into account in our
risk analysis, but do not forget that:
1. They are targeted attacks intended to cause physical damage and could be executed or
sponsored by state organizations.
2. Already materialized before and were not mere theoretical laboratory studies.
3. In both cases the cyber attack had an external source to the facilities attacked even when
isolated from the Internet is assumed. (The average number of connections found in control
networks assessment is 11 [11]
)
4. The success of these attacks could endanger human lives.
5. The PIC 8/2011 of Critical Infrastructure Protection Act explicitly mentions the need to
consider in the risk assessment of this type of infrastructure events of very high impact, such
as the case of these attacks.
Another common thinking when suppressing these cyber-physical attacks from risk analysis could be
considering them covered by safety plans. As showed in the Mogford [13]
report after the Texas City
refinery accident, there was a lack of preventative maintenance on safety critical systems. So once
again, we can not relay on initial conditions to establish the actual security state of infrastructure, we
need to assess it on a periodic basis.
Critical Infrastructure Protection
Cyber security is founded on three pillars: people, procedures and technologies. In this case it cannot
be otherwise, so these sections formulate a series of recommendations to protect such infrastructure
from cyber-physical attacks seen before.
People
As we saw earlier in this note such cyber attacks can only materialize through joint action of experts
in different fields (IT Technology, OT technology and Industrial process to attack). It is necessary
for critical infrastructure have multidisciplinary teams in their Cyber Security organizations
working in a coordinated way in order to protect them.
This is one of the most common problems encountered in implementing the CIP law because the
existing inertia in many organizations the world of control and security have always been in
different functional areas and with different officials and budgets.
The awareness of senior management of the infrastructure operator is required to make critical
changes needed in the functional organizations to ensure a unique multidisciplinary team responsible
for this Cyber Security.
Procedures
It is a priority to establish changes in the procurement procedures of the critical infrastructure
operators requiring the inclusion of Cyber security requirements for solutions in automation and
control, just as there are for safety on plants. Deploying controls and countermeasures in the control
networks without this approach in design will be much more difficult and expensive

10
Given the semantic nature of these attacks is necessary expand risk analysis for contemplating
processes attacks. As seen above this is only possible with the participation of process control
engineers in this activity where Cyber security and safety come to converge. (Hazard / Risk
Analysis).
Technologies
For everything mentioned above, the security measures to be taken in such environments must take
into account the importance of availability in such control networks. Any measure to be implemented
should be as safe as possible in terms of the impact on the process to protect. According to the
Department of Industrial CERT Homeland Security, the impact of the various protection
technologies to consider when deploying in such networks is as follows:
As can be seen, intrusion detection systems are the technology with less impact on industrial control
networks.
Within this technology, and considering the significant limitations that exist for installing third party
software on the control systems (SCADA Servers, engineering work stations and operating positions
or HMI) is indicated selecting NIDS technology (network Intrusion Detection System) since
modification of the existing network architecture or reconfiguring any of the systems won’t be
necessary.

11
Network intrusion detection System (NIDS)
According to the taxonomy of intrusion detection systems defined by Debar and its working group [8]
,
the most suitable System is shown in the following figure:
The detection method should not be based on signatures since it should be frequently updated and it
does not offer protection against 0-day vulnerabilities, making detection behavior as the most
appropriate choice.
The behavior detection should be passive to be as non-intrusive as possible in the network and not
interfere with the commands and actions that are exchanged over the network.
Given the importance of the transitions have been in the control of industrial processes, the NIDS
should consider this type of paradigm, and finally should be monitored continuously since these
networks are operating in 24x7x365 basis.
Regarding detection technology for behavioral anomalies, there are several alternatives: inspection
message headers (headers) detection, inspection message payload (Payload) detection or a
combination of both. In the present note we will use the last option as it is the only one capable of
detecting this type of semantic attacks and is used by the deep protocol behavior inspection
technology we propose as network intrusion detection in critical infrastructure.

12
NIDS based on deep protocol behavior inspection
Once selected detection technology we will explain how to implement it in such environments. Since
its operation is based on detecting events that differ from the normal behavior (anomalies), we must
first build the pattern (behavioral blueprint).
The construction of this pattern can be performed on a specific-based manner (introducing the
topological and operational information network) or unattended using learning-based technology. The
first option is rarely useful as the knowledge of low-level details in the implementation of control
networks organizations own is in many cases dating back to the FAT (Factory Acceptance Test) or
the SAT (Site Acceptance Test), so usually very old information being outdated and not maintained
systematically through change management procedures in line with best practices.
Selecting unattended construction method by learning, we must remember that it is very important
that this normal behavior pattern is built in an environment as similar as possible to the production
environment on which detecting anomalous behavior is performed.
The scheme of operation of this type of intrusion detection sensors is as follows:
Although learning is automatic it must
always be adjusted by control
engineers who are familiar with the
process to eliminate any undesired
operation generated by unscheduled
interventions once verified by the
control personnel. Additionally, in the
phase detection such events should be
able to be included in the pattern of
behavior (Blueprint) to avoid
unwanted alerts (false positives).
The behavioral blueprint obtained after the learning and customization phase includes the following
elements:
Control Network Communication profile
At this time the NIDS knows every possible tuple in the control network (traffic matrix):
Src IP,Src Port -> Dest. IP,Dest Port
From this moment, we can be alerted by:
• New devices on the network
• Devices trying to connect to our network that are not in our Model
• Devices sending information out of our network to devices out of the model.

13
Protocols, messages and values matrix
In order to detect advanced operation issues or attack to processes we need to use the technology of
deep protocol behavior inspection (DPBI), since with this we will know:
 The control protocols operating in the network
 Messages that are used within each protocol
 The distribution of values within each message field of actual network control protocols.
All this information must be organized in a logical manner in order to obtain the pattern of behavior
which subsequently compares all messages obtained from the network. The DPBI NIDS is
responsible for generating this model during the learning phase using its advanced technology on
behavior modelling.
From this point we can start the detection phase and be alerted of any communication diverge from
the newly built behavioral blueprint.
Operational Correlation
Despite the power detection technology DPBI control environments, we need to be able to generate
alerts to detect cyber attacks on physical process (operations that are within the behavior pattern and
executed from the control network stations also found in the pattern.).
A clear example of this would be a kind Aurora attack and run from a SCADA server to transmit
orders for opening and closing of switches out of phase to a remote unit (RTU) in a substation, using
the IEC 104 protocol.
To detect this cyber attack, we should be able to store all IEC 104 opening and closing aimed at RTU
we found in the control network and estimate the time difference on the immediately preceding
command sent to the RTU messages.
To do this the network intrusion detector DPBI also be able to provide the functionality described
above. (Operational correlation).
In the case of the NIDS DPBI solution for SCADA SCAB (Security Awareness Control Box for
SCADA), this correlation is implemented by deploying additional logic (script type program) that
makes this correlation.
An example of a function of this script is as follows:
function new_connection_data(conn, data, is_upstream)
local record = find_flow(conn)
if record ~= nil then
record.up_bytes = conn:upstream_num_bytes()
record.down_bytes = conn:downstream_num_bytes()
record.up_pkts = conn:upstream_num_pkts()
record.down_pkts = conn:downstream_num_pkts()
record.payload_up_bytes = conn:upstream_num_payload_bytes()
record.payload_down_bytes = conn:downstream_num_payload_bytes()
end
end

14
Future trends: S-IDS
The combination of detection technology based on control protocol behavioral anomalies, together
with the operational correlation allows us to detect cyber-physical attacks on critical infrastructure
processes, yet are somewhat craft in regard to the implementation operational and temporal
correlations.
To solve this problem it is being investigated in new detection technologies that includes this
information in the behavioral pattern automatically.
One of this technology is called Sequence-aware Intrusion Detection System [9]
and raises a number of
novel approaches in generating a behavior pattern, such as control of the order in which messages are
sent and received to the Control elements from the servers, the time between state transitions and
sending messages and standard deviation of the time.
The block architecture of a system of this type would be:
In the learning phase information from sources model input (control network protocols messages, log
file entries and values of the commands of the process) would be collected and would feed the
sequencer to maintain timing trace, before passing to process model generator.
As in the case of NIDS DPBI based, once the learning phase is finished would enter in detection
mode. First experimental results for SCADA Waters sector have been achieved and work is in
progress to decrease false positive rate (FPR) and noise reduction for the detection phase.
This is just one of today research paths on intrusion detection for industrial control system, but still is
under development and validation.

15
Detection of cyber-physical attacks
All cyber-physical attacks exposed earlier in this technical note can be detected using a combination
of technologies in network intrusion detection as deep protocol behavior inspection (DPBI) and
operational correlation.
 Aurora Attack type: After creating the DPBI pattern of normal behavior for the control
network, a script that would monitor the sequence of write commands received by the RTUs
in an arbitrary period of time (seconds or milliseconds) would be deployed. In the event that
an order of writing CLOSE was sent to a given RTU with a previous OPEN value received, at
a lower time than the allowed time interval (0.2s), we would fire an alert.
Figure 1: Transition state minimal time period
 Water hammer / discharges Attack Type: Assuming a scenario of progressive control as in
Figure 2, would only be possible to reach the completely closed (or open) state for the valve from
a previous state with V = 30.
Figure 2: States and transitions diagram
Any value sent in a write command to the PLC control valves would be compared to the last
write value sent. If the difference between the value of writing command and the immediately
preceding received exceeded the maximum increase in programmed control (∆V = 10), an
alert would skyrocket.
Additionally, all values in a command not included in the behavioral blueprint would trigger
an alert. (Eg V> 40)

16
Remarkably, the importance of the anomaly differs depending on the detected transition and a
criticality hierarchy may be established. In the example of Figure 2, the abnormal transition
E3 -> E5 trigger an alert warning, while the transition anomaly E1 -> E5 trigger a critical alert.
 Alteration of the amount of production (vinyl acetate monomer): Any value received in the
write message on the PLC that controls the temperature of the reactor outside the distribution
of values of the behavior blueprint would trigger an alert.
 Attack by temperature to chemical reactors: As in the case of water hammer, any write
command sent to the PLC progressive temperature control would be compared with the
immediately preceding. If the difference between the value of writing and the immediately
preceding received exceed the maximum temperature defined threshold, an alert would be sent
 Fake maintenance: Send commands to the control elements in order to conceal attacks on
process never would have formed part of the original behavior pattern built for the network, so
any transmission of those would trigger an immediate alert.
We can summarize this in the following table:
It is important to note that the semantics needed to detect these attacks through additional
programming logic comes from the deep knowledge of the processes controls and possible
weaknesses of them. Based solely on deep protocol inspection (DPI) systems could not detect such
attacks and it is necessary to use both DPBI and Operational correlation to detect them all.
There is another very powerful implementation of the operational correlation in detecting how
allowed control operations (nodes, protocols and distribution of values) are executed on specific
time frames. (A firmware update of a PLC or RTU can be normal within one business day and
exceptional if done on weekends or at night).
Physical Attack DPI DPBI Op. Correlation
Water hammer
Aurora Attack
Engines
Chemical reactors
Quantity decrease
Purity alteration
Fake maintenance
Waste disposal
Detection Technology

17
Conclusions
The new attacks on the cyber-physical systems of industrial processes running on critical
infrastructure, require the adoption of new strategies capable of detecting without interfering with
normal operation.
The change in the functional structures (common Managers and multidisciplinary teams) and the
procedures at critical infrastructure operators (Risk Analysis and procurement requirements), it is
imperative to address this kind of physical attacks.
The only technology capable of detecting attacks from within the control network using protocols,
messages and values allowed within the same, but in order or frequency other than normal is the use
of intrusion detection systems that support the deep protocol behavior inspection (DPBI) with the
ability to implement correlation of operational events.
The implementation of these technologies in critical infrastructures control networks should be
considered seriously by those responsible for the cyber security of these facilities and the authorities
responsible for monitoring compliance with the PIC 8 / 2011 Act.
In the future, Sequence-aware NIDS (S-NIDS), or similar technologies, may help simplify the
implementation of these systems in control networks significantly improving the behavior pattern
generation and subsequent maintenance, protecting processes and cyber-physical systems on critical
infrastructures.
About Telvent Global Services
Telvent Global Services (Telvent) is a leading IT / OT highly specialized in critical infrastructure
management services for information and operational technologies that offers integrated solutions in
consulting, integration and outsourcing to throughout its lifecycle . We pursue our mission to simplify
complex technology with a range of services that responds to the needs of management and operation
of infrastructure and IT and OT systems to accompany the business performance of our customers.
Acknowledgements
To Daniel Trivelatto, Emmanuele Zambon and Damiano Bolzoni for their helpful insights and
support.

18
References
[1] Aurora Generator Test - http://edition.cnn.com/2007/US/09/26/power.at.risk/
[2] “To Kill a Centrifuge” – Ralph Langner - http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-
a-centrifuge.pdf
[3] German steel plant Cyber Attack - http://www.wired.com/wp-
content/uploads/2015/01/Lagebericht2014.pdf
[4] “Chrysler recalls 1.4M vehicles after Jeep hack
http://www.computerworld.com/article/2952186/mobile-security/chrysler-recalls-14m-vehicles-after-jeep-
hack.html
[5] “Hospira LifeCare PCA Infusion System Vulnerabilities” – ICS CERT - https://ics-cert.us-
cert.gov/advisories/ICSA-15-125-01B
[6] “Methodologies for the identification of Critical Information Infrastructure assets and services”. – ENISA-
https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/Methodologies-
for-identification-of-ciis
[7] “Hacking chemical plants for competition and extortion” – Marina Krotofil -
https://www.blackhat.com/docs/us-15/materials/us-15-Krotofil-Rocking-The-Pocket-Book-Hacking-Chemical-
Plant-For-Competition-And-Extortion-wp.pdf
[8] “Towards a Taxonomy of Intrusion Detection Systems and Attacks” - Malicious- and Accidental-Fault
Tolerance for Internet Applications (MAFTIA) - http://maftia.cs.ncl.ac.uk/deliverables/D3.pdf
[9] “Sequence-aware Intrusion Detection in Industrial Control Systems” – Marco Caselli, Emmanuele Zambon
and Frank Kargl - http://dl.acm.org/citation.cfm?id=2732200
[10] “REMOTE PHYSICAL DAMAGE 101 - BREAD AND BUTTER ATTACKS” – Jason Larsen -
https://www.blackhat.com/docs/us-15/materials/us-15-Larsen-Remote-Physical-Damage-101-Bread-And-
Butter-Attacks.pdf
[11] “Five myths of industrial control system security” – David Emm - http://www.scmagazineuk.com/five-
myths-of-industrial-control-system-security/article/431387/
[12] “Texas City Refinery explosion“ - https://en.wikipedia.org/wiki/Texas_City_Refinery_explosion
[13] “FATAL ACCIDENT INVESTIGATION REPORT - Isomerization Unit Explosion - Interim Report -
Texas City, Texas, USA “ John Mogford –
http://www.rootcauselive.com/Files/Past%20Investigations/BP%20Explosion/texas_city_investigation_report.
pdf

Critical Infrastructure Protection against targeted attacks on cyber-physical systems

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Critical Infrastructure Protection against targeted attacks on cyber-physical systems

Similar to Critical Infrastructure Protection against targeted attacks on cyber-physical systems (20)

Recently uploaded

Recently uploaded (20)

Critical Infrastructure Protection against targeted attacks on cyber-physical systems