Top

Published in:

2019 | OriginalPaper | Chapter

Multi-range Decoy I/O Defense of Electrical Substations Against Industrial Control System Malware

Author : Julian L. Rrushi

Published in: Resilience of Cyber-Physical Systems

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Industrial control system malware campaigns, such as BlackEnergy and Dragonfly, targeted electrical substations at various ranges relative to the computers that pushed the attacks into substation relays after being infected. Worm-like propagation of industrial control system malware in the Internet traverses paths along computers that may be far from their target, and that often are completely unrelated to power grid functions. Industrial control system malware hop from computer to computer until landing on one that has access to a target industrial environment. Industrial control system malware enabled by spear-phishing or website redirection attacks exploit web browser vulnerabilities coupled with human factors of energy company personnel. Watering hole attacks cause the installation of industrial control system malware on the computers of power grid operators, and sometimes even on the protective relays of an electrical substation. In this chapter we present a line of work that creates and operates industrial mirages, i.e., phantom substation targets for industrial control system malware to pursue, to intercept such malware bound for the power grid. The discussion focuses on decoy I/O. We also generally describe other key elements of industrial mirage at large, and explain how decoy I/O and those elements work together as integral components of the industrial mirage capability. Industrial mirage is able to actively redirect industrial control system malware to decoys, and can sustain prolonged interaction with such malware. We validated this line of work against numerous malware samples involved in recent industrial control system malware campaigns.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter A Model-Driven and Generative Approach to Holistic Security

next chapter Flood Resilience of a Water Distribution System

ICS-CERT: Cyber-attack against Ukrainian critical infrastructure. Available online at https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01

Lee RM, Assante J, Conway T (2016) Analysis of the cyber attack on the Ukrainian power grid. Defense use case white paper. Available online at https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

Symantec (2014) Dragonfly: cyberespionage attacks against energy suppliers. Available online at https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf

Lezi S (2014) Scanderbeg, the hero of Europe. CreateSpace Independent Publishing Platform, Scotts Valley

Falliere N, Murchu LO, Chien E (2011) W32.Stuxnet Dossier. Symantec security response, version 1.4. Available online at http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Siemens: What properties, advantages and special features does the S7 protocol offer? Available online at https://support.industry.siemens.com/cs/document/26483647/what-properties-advantages-and-special-features-does-the-s7-protocol/-offer-?dti=0&lc=en-WW

Homan J, McBride S, Caldwell R (2016) IronGate ICS malware – Nothing to see here…Masking malicious activity on SCADA systems. FireEye threat research Blog. Available online at https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html

Buza DI, Juhasz F, Miru G, Felegyhazi M, Holczer T (2014) CryPLH: Protecting smart energy systems from targeted attacks with a PLC honeypot. Smart grid security, vol 8448. Springer, Berlin, pp 181–192

Rist L, Vestergaard J, Haslinger D, De Pasquale A, Smith J, CONPOT ICS/SCADA honeypot. Available online at http://conpot.org

10.

Vollmer T, Manic M (2014) Cyber-physical system security with deceptive virtual hosts for industrial control networks. IEEE Trans Ind Inf 10(2):1337–1347CrossRef

11.

International Electrotechnical Commission (2004) IEC 61850 – Communication Networks and Systems in Substations, parts 1 through 9

12.

Rrushi J (2011) An exploration of defensive deception in industrial communication networks. Int J Crit Infrastruct Prot 4(1):66–75CrossRef

13.

Rrushi J (2016) NIC displays to thwart malware attacks mounted from within the OS. J Comput Secur 61(C):59–71CrossRef

14.

Simms S, Maxwell M, Johnson S, Rrushi J (2017) Keylogger detection using a decoy keyboard. In: Proceedings of the 31st Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, Philadelphia. Springer, ChamCrossRef

15.

Rrushi J, DNIC architectural developments for 0-Knowledge detection of OPC malware. Currently in the second round of review at IEEE Trans Dependable Secure Comput

16.

Lange J, Iwanitz F, Burke T (2010) OPC – from data access to unified architecture, 4th edn. VDE Verlag GmbH, Berlin

17.

International Organization for Standardization, Technical Committee 184: manufacturing message specification. Available online at https://www.iso.org

18.

RTDS Technologies: real time digital power simulator. Available online at https://www.rtds.com

19.

Strogatz SH (2014) Nonlinear dynamics and chaos – with applications to physics, biology, chemistry, and engineering, 2nd edn. Westview Press, BoulderMATH

20.

Ott E (2002) Chaos in dynamical systems, 2nd edn. Cambridge University Press, CambridgeCrossRef

21.

Ott E, Grebogi C, Yorke JA (1990) Controlling chaos. Phys Rev Lett 64(1196):1196–1199MathSciNetCrossRef

22.

Romeiras F, Grebogi C, Ott E, Dayawansa WP (1992) Controlling chaotic dynamical systems. Phys D 58(165):165–192MathSciNetCrossRef

23.

Searcy W, Nowicki S (2005) The evolution of animal communication – reliability and deception in signaling systems. Princeton University Press, Princeton

24.

Goldberg DE (1989) Genetic algorithms in search, optimization and machine learning. Kluwer Academic Publishers, BostonMATH

25.

Brogan WL (1990) Modern control theory, 3rd edn. Prentice-Hall, Upper Saddle RiverMATH

26.

Simon D (2006) Optimal state estimation – Kalman H infinity, and nonlinear approaches, 1st edn. Wiley-Interscience, HobokenCrossRef

27.

Fridrich J (2009) Steganography in digital media – principles, algorithms, and applications, 1st edn. Cambridge University Press, CambridgeCrossRef

28.

The Apache Software Foundation: Apache Hadoop. Available online at http://hadoop.apache.org

29.

The Apache Software Foundation: MapReduce. Available online at https://hadoop.apache.org/docs/r1.2.1/mapred_tutorial.html

30.

Lie D, Thekkath CA, Mitchell M, Lincoln P, Boneh D, Mitchell JC, Horowitz M (2000) Architectural support for copy and tamper resistant software. In: Architectural Support for Programming Languages and Operating Systems (ASPLOS IX). ACM, New York, pp 168–177

31.

Chen B, Morris R (2003) Certifying program execution with secure processors. In: Proceedings of the Usenix Workshop on Hot Topics in Operating Systems. Lihue, Hawaii

32.

DNP Technical committee: distributed network protocol. Available online at https://www.dnp.org

Title: Multi-range Decoy I/O Defense of Electrical Substations Against Industrial Control System Malware
Author: Julian L. Rrushi
Publisher: Springer International Publishing
Book: Resilience of Cyber-Physical Systems
Print ISBN: 978-3-319-95596-4

Electronic ISBN: 978-3-319-95597-1

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-319-95597-1_7

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner