S4x16_Europe_Krotofil

Honeywell Industrial Cyber Security
Marina KrotofilS4x16 Europe
June 10, 2016
Achieving ICS Resilience and Security
through Granular Data Flow Management

© 2016 by Honeywell International Inc. All rights reserved.
1
Industrial Control System
Physical
application

Cyber-Physical security
2
After the attacker gets access to a control system/network,
the attack still needs to be performed
– This is where open literature falls short
– Best attack strategies (?)
Security standards & guidelines require “knowing your
system” prior performing risk assessment and subsequent
implementation of security controls
1
2
– No guidance on HOW to understand the system in
a away to best understand where all the risks lie
– Who should participate in risk assessment

Information as an asset
3
 Computer-integrated manufacturing (CIM)
concept in the 1970s
 The most essential constituent of modern
automation is data, and processing this
data into information is a substantial task
in automation
 The key to handling information was the
establishment of a transparent data flow
inside an automation system with a strict
subdivision of the data processing into a
hierarchical model  automation pyramid

Automation pyramid
4
Loop in
milliseconds
Loop in
seconds
http://krakenautomation.com/images/KrakenPyramid.jpg

Automation pyramid
5
Operates
on raw data
Operates on
information
http://krakenautomation.com/images/KrakenPyramid.jpg

Data processing
6
 Raw sensory data rarely can be used directly. The electrical output of
a sensing element is usually small in value and has non-idealities
such as offset, sensitivity errors, nonlinearities, noise, etc.
 Sensor signal is manipulated (processed) in a specific way to meet
the requirements of data consuming circuits/devices/applications to
produce meaningful information
 Data conditioning, conversion, aggregation, transformation,
analysis…..

Impact of data processing
7
http://www.controlglobal.com/blogs/unfettered/marina-krotofils-presentation-on-how-to-hack-a-chemical-plant-and-its-implication-
to-actual-issues-at-a-nuclear-plant/
 Two identically built nuclear plants. One had flow induced vibration
issue. And another did not.
 The vibrations indication showed itself as a resonance (high-
frequency) “noise”
 Field engineer has changed signal filtering parameter in the
signal recorder to get rid of noise
 Loss of view into vibration issue
Equipment damage at nuclear plant

Process data reliability
8
Data(BigData)Information

Use Case 1
Data Reliability in Electric Substation
(courtesy Chris Sistrunk of Mandiant)

Simplified electric substation
10
Analog control
loop
115kV Bus
34.5kV Bus
Power
Transformer
Breaker A
Line 200
Feeder 11 Feeder 12
Properly select PT and CT ratio to
allow some % of overload on the
circuit, so the measurements will
not top out at 100% when the
actual values are higher.
1200:5
Current
Transformer (CT)
1000:1
Potential
Transformer (PT)

11
Analog control
loop
115kV Bus
34.5kV Bus
Power
Transformer
Breaker A
Line 200
Feeder 11 Feeder 12
3-Element
Transducer
3Ø, Wye
+ DC -
90 MW
114 kV
468 Amps
to Relays, Panel Meter,
& SCADA RTU, HMI
Analog measurements of the line
CT
PT

Purdue model view
12
Level 5 – Enterprise Network
Level 4 – IT Apps, Outage Mgmt, Billing
DMZ – Mirror Historian, Applications
Level 3 – SCADA Historian
Level 2 – Front End, SCADA Master
Level 1 – Transducer, Meter, RTU
Level 0 – CT, PT
ySCADA = m*xLINE + b
XDUCER RTU
FEP SCADA
HIS
HIS
OMS D
a
t
a
F
l
o
w
x – initial value
m, b – scaling factor and offset for each time the data
moves from one device to another

Getting math right
13
Analog
control loop
Level 0
o MW Engineering Limit = (PT ratio) * (CT ratio) * (Transducer Multiplier) *
(Line Connection Type) = (1200/5)(1000)(1500)(1)/1000000 = 300MW
o Transducer Output Range = 0 to +/-1mA  0 – +/-300MW/mA scale
If transducer output = 0.25mA, then 0.25*300 = 90 MW
RTU must be configured correctly,
especially unipolar/bipolar and
any analog offset values as well as
logic and any other calculations
Transducers may be 0 – 1mA
or 4 – 20mA (which require
an offset b)
Level 1
o RTU Analog input card (16-bit Analog to Digital Converter) 15 bits plus +/- sign bit
-32768 to +32767 counts = -1mA to 1mA = 300MW/mA
+90 MW = .25*32767 = +8192 counts
o RTU Database = same size  90MW is stored as +8192 bits (+25% of db)
o SCADA Protocol has 12-bit bipolar analogs (-2048 to 2047 counts)
o SCADA protocol value MW = .25*2047 = 512 counts

Getting math right
14
Analog
control loop
Level 2
o +512 bipolar counts from RTU to Front End Processor on a 12-bit protocol (0 – 4095)
1 count = 300MW/2047 = 0.073242 MW per count unipolar (remember Megawatt
is a bipolar value)
o The FEP has to shift the bipolar value to a unipolar value to store it in the database!
FEP database value = 512 incoming counts + offset of 2048 = 2560 counts
o FEP database = 16 bits = 0 – 32767 counts
2560 counts / 65535 counts = 0.039063 = 3.906309%
o SCADA database = 32 bits = 0 – 4294967295 counts
3.906309% * 4294967295 = 167774307 counts
Level 3
o SCADA Historian database, etc

Conclusion
15
Analog
control loop
 You need to understand the data path and know the people
involved into data path configuration
 The described math is in reality a giant multipage excel
spreadsheet
 While linear algebra is “simple”, the addition of multiple
places to scale analog values can be difficult to calculate
– The more calculations, the more opportunity to make a
mistake and point fingers on others

Cyber-Physical hacking
16
Manipulate the
process
Prevent response
Direct Indirect
1 2
Operators Control system
(including safety)
Blind Mislead
Direct
manipulation
of actuators
Deceiving
controller/operator
about process
state Blind about
process
state
Modify
operational/safety
limits

Data stream modification scenario
17
 The most widely assumed scenario is that the attacker will
tamper with the data stream somewhere in the
communication infrastructure
– Packet replay/injection/modification/alike
– I did the same since I didn’t know better. I accidentally discovered
“Stale Data” attack
– Don't directly attack PID-controlled actuators, you’re almost
guaranteed to fail to maintain control over them
 Requires real time analysis and understanding of process data
– Hard  requirement for light-weight data processing algorithms able
to work with all kinds of strange data streams and artefacts
– Strange formatting of data
– Not always strategic enough

Data processing as attack vector
18
 Analyzing data processing points
– Often “human friendly”
– Tell you exactly how to make data out of spec
– Allow for “educated guess” and granular manipulation
 Good for
– Making data unusable; deceiving about process state
– Removing attack traces (e.g. spikes, etc.)
– Misleading forensics investigators
– Etc., etc.

 Analyzing data processing points
– Often “human friendly”
– Tell you exactly how to make data out of spec
– Allow for “educated guess” and granular manipulation
 Good for
– Making data unusable; deceiving about process state
– Removing attack traces (e.g. spikes, etc.)
– Misleading forensics investigators
– Etc., etc.
Data processing as attack vector
19
Desynchronization
of data

Hacking task: blind the controller/operator
20
 „Record-and-play-back“
o Storage requirement
 Derive process model
o Time and brain consuming
o CPU cycles requirement
 Crafting forged sensor signals as proposed by Jason Larsen
o I extensively tested this approach. It is works like magic.
But… needs to be parameterized to match signal properties;
did not perform well for few specific types of signals
 Take advantage of signal processing points

Hacking task: blind the controller/operator
21
 „Record-and-play-back“
o Storage requirement
 Derive process model
o Time and brain consuming
o CPU cycles requirement
 Crafting forged sensor signals as proposed by Jason Larsen
o I extensively tested this approach. It is works like magic.
But… needs to be parameterized to match signal properties;
did not perform well for few specific types of signals
 Take advantage of signal processing points
0 20 40 60
64
65
66
67
68
69
Time [hours]
C
Stripper Temperature
No more
oscillations!

Exploiting Analog-to-Digital Converters
(joint work with Alexander Bolshev)
Use Case 2
Black Hat Asia 2016

Threat scenario
23
Analog
control loop
Control PLC
Actuator
Safety PLC/Logger/DAQ
HMI
0V (actuator is OFF)
 It is expected that the ADCs on all devices which consume
the same analog signal will convert it into the same digital
number
– But what if not??
1.5V (actuator is ON)
Analog
control loop
http://www.slideshare.net/dark_k3y/never-trust-your-inputs-or-how-to-fool-and-adc

Experimental setup
24
Analog
control loop
“HMI Panel”
“Control PLC”
(arduino)
“Actuator”
(motor)
“Safety PLC”
(S7 1200)

Demo: Two devices, two different MVs
25
Analog
control loop
DEMO VIDEO

Never trust your inputs!
26
In ICS input validation refers to data
conten(x)t rather than to its formatting
IT and OT has common problems

Typical data flow diagram
27
https://files.sans.org/summit/icsamsterdam14/PDFs/Ralph%20Langner%20.pdf

Increase resolution!
28

Data flow of a single sensor
29
Logging, monitoring, alarm management
Control
Courtesy: B. Green, Lancaster University, UK
 Case study at a European utility

30
Attack vectors
Revealed additional attack surface

System users
31
Operator Roles ICS Level Support/Maintenance
Roles
ICS Level
Process control
Operators
2,3,4,5 Electrical Engineers 0,1,2,5
Local Process Managers 3,4,5 Mechanical Engineers 0,5
Regional Process
Managers
2,3,4,5 Control System Engineers 0,1,2,3,5
Regulatory
Monitors/Testers
2,3,4,5 Instrumentation Engineers 0,1,2,5
Performance Analysts 4,5 Telemetry Engineers 0,1,2,3,DMZ,4,5
3rd Party Contractors 0,1,2,3,DMZ,4,5 Communications Engineers 3,DMZ,4,5
Alarm Management
Centre Operator
4,5 Information Technology
Engineers
DMZ,4,5
Health and Safety
Officers
0,1,2,3,DMZ,4,5 3rd Party Contractors 0,1,2,3,DMZ,4,5
Home Workers 3,4,5 Home Workers 3,4,5

Process data consumption
32

Systemic thinking
33
 In complex systems such as ICS cause and effect are often
distant in time and space
 In OT-oriented security communication link is characterized not
only by protocol/IP address/port.
– From the process perspective, the most important communication
link property is TIME: time constant, time to impact

Conclusions
34
 To create effective anti-hacker solutions we need to take a
more granular view on ICS, especially at Levels 1-3
– Simply obtaining inventory of devices and network
architectures is insufficient
 ICS security is not purely technical problem but socio-
technical problem
– System-to-system and system-to-user interactions
 ICS security cannot be purely achieved by the traditional IT
security means
– The data can be already “insecure” when
submitted to communication infrastructure
– Engineering design of ICS and operational
process properties MATTER!!

Acknowledgements
35
 Chris Sistrunk, Mandiant
 Alexander Bolshev, IOActive
 Benjamin Green, Lancaster University

Thank You!
www.becybersecure.com
marina.krotofil@honeywell.com
Marina Krotofil

S4x16_Europe_Krotofil

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to S4x16_Europe_Krotofil

Similar to S4x16_Europe_Krotofil (20)

More from Marina Krotofil

More from Marina Krotofil (7)

S4x16_Europe_Krotofil

Editor's Notes