Techniques for Detecting Attacks on Critical Infrastructure - IEEE Xplore

2014 International Conference on Computing, Networking and Communications, Communications and Information Security Symposium

Techniques for Detecting Attacks on Critical Infrastructure

Udaya Tupakula, Vijay Varadharajan

Advanced Cyber Security Research Centre, Department of Computing, Faculty of Science, Macquarie University, Sydney, Australia
{udaya.tupakula, vijay.varadharajan}@mq.edu.au

Abstract — Critical infrastructures such as SCADA are increasingly using commodity hardware and software and TCP/IP based communication. However, the size of current operating systems and applications is continuously increasing, and it is extremely difficult for critical infrastructure operators to secure their systems from attacks. In this paper we propose techniques for detection of attacks on critical infrastructures and techniques for enforcing additional security policies for securing such systems.

Keywords – Critical Infrastructure, SCADA, Security policies.

978-1-4799-2358-8/14/$31.00 ©2014 IEEE

I. INTRODUCTION

Supervisory Control and Data Acquisition (SCADA) systems control many of the crucial services our modern society depends upon, such as electric power distribution, water treatment, natural gas and oil pipelines, hydroelectric dams, traffic lights, train switching systems, and building controls. SCADA systems are often complex networks with multiple components. These systems may be fully automated, where all control is performed by computers; fully manual, where control is performed by human operators; or hybrid, where some control is performed automatically and some is performed by human operators. To perform all of these functions, many SCADA systems include one or more of the following: field interface devices, operating equipment, control computers, management computers, networked communication (local and remote), and interconnection to business process systems.

In the last few years there has been increasing awareness within the worldwide security community of the risks related to cyber-attacks against critical infrastructures [1, 2]. Probably the strongest jolt has been caused by events such as the spread of the cyber weapon Stuxnet. This represented a historic change in the conception of military conflict: by using malicious code, an actor in cyberspace could cause serious damage to nations. Hence there is a need for security techniques for securing critical infrastructures. In this paper we propose techniques for detecting attacks in critical infrastructures.

The paper is organized as follows. In Section II we consider the scenario where an attacker is able to exploit the systems in critical infrastructures and generate attacks. Section III presents techniques for detecting attacks in critical infrastructures and developing security policies based on the behaviour of different entities. Section IV presents a detailed discussion of how an attacker can exploit the weaknesses in existing systems and security tools to conduct different types of attacks, and how our model can deal with the attacks. Section V concludes.

II. ATTACK SCENARIO

Let us consider a simple scenario where the users in a critical infrastructure are performing their tasks using their systems. As shown in Figure 1, we consider that security policies in the critical infrastructure are enforced using a Security Enforcement Module (SEM) [3, 4], which can be implemented on each host and/or on a centralised server. Several scenarios are possible for the implementation of the SEM. In some cases, user details such as login, privileges and any specific security policies can be stored in a local database if the user is allocated a specific system. In other cases, if the users can access any system, the user details are stored in a central database and dynamically transferred to the system accessed by the user. However, note that even if the user details are maintained on the centralised server, the policies are enforced at the local system accessed by the user, to minimise the overhead on, or bottleneck at, the central server. Also, it is very common to use additional host/network based security tools for detecting and preventing attacks on the systems.

In this paper we consider attacks where the vulnerabilities in user or server systems in the critical infrastructure are exploited and used for generating attacks. We use the following terminology for easy differentiation. The Security Administrator (SA) is a trusted entity within the critical infrastructure. In some cases, admin rights have to be given to employees to conduct their tasks, or to temporary workers such as contractors. Admin refers to any employee who is given higher privileges to conduct their tasks; however, they are not trusted at the same level as the security administrator. We consider that attacks are generated by exploiting the vulnerabilities in the user and server systems or the SEM. The attacks can be conducted by malicious employees or by external attackers who obtain unauthorised access (e.g. using social engineering techniques) to the systems. For example, employees with admin privileges can misuse their privileges to conduct other malicious tasks, such as installing applications that are not permitted by the policies of the critical infrastructure, maliciously using their system to capture and monitor the traffic from neighbouring systems, altering the configurations of critical components, accessing resources that are not required to perform the task but are permitted by the admin privileges, and generating attacks to degrade services or cause denial of service in the critical infrastructure. Furthermore, to complicate the task for the SA, the attacks can be generated with a spoofed identity. For example, in the case of Stuxnet, the malicious code was spread by a malicious user through USB in nuclear power plants, and the code performed actions such as configuring the centrifuge devices to operate at higher speed and disabling the alarms so that they did not report any anomalous behaviour.

From the above discussion we can see that, on the one hand, it is easy for attackers to exploit the systems in critical infrastructures and generate attacks. On the other hand, it is extremely difficult for the SA to detect such attacks, since there are no efficient techniques to deal with them. In this paper we make the following contributions: i) techniques for ongoing identification of attacks in critical infrastructures; ii) techniques for identifying additional policies for enhancing the security of critical infrastructure.

Figure 1. Attack scenario

III. OUR APPROACH

In this Section we propose techniques for detecting attacks in critical infrastructures and enforcing security policies to minimise attacks. As shown in Figure 2, our model considers that an attack detection agent (ADA) is interposed between the hardware and the server systems. One of the design choices for introducing the intermediary agent is to overcome the limitations of the existing SEM and deal with the attacks.

Figure 2. Security architecture for critical infrastructure

The Attack Detection Agent (ADA) logs all the interactions on the systems and detects attacks by monitoring the system state for suspicious behaviour. The ADA has additional components and also makes use of a subset of the security policies in the SEM. For example, Str( ) is used for logging, Sec_Pol( ) is used for enforcing different security policies such as validating the runtime state and traffic of the virtual machine, and Sem( ) is used for capturing some of the existing security policies in the traditional SEM (such as users' login details and their roles). The ADAs can be implemented as standalone components or as subcomponents which derive the security policies from the Attack Detection Server (ADS). For example, if the users are allocated specific systems, then the specific security policies for the user system can be stored and enforced at the local ADA. If the users can access any system within the critical infrastructure, then the security policies are stored at the ADS and dynamically transferred to the ADA on the systems accessed by the users.

In the current implementation we make use of virtualisation technology to implement the ADAs. A Virtual Machine Monitor (VMM) is an additional software layer which has complete control of the physical resources and makes it possible to run multiple operating systems on a scalable computer. Currently there is considerable interest in developing VMM based security tools [5-7]. Hence our model makes use of VMM based security for critical infrastructures. The ADA is implemented in the VMM (or privileged domain), and the user systems and server systems are implemented as virtual machines. The users will be able to access different resources based on their privileges.

As shown in Figure 2, our architecture also makes use of the Security Enforcement Module (SEM) that is used in traditional critical infrastructures. This supports incremental deployment of new security techniques and also serves as an additional layer of defence. However, in our architecture the SEM is used for enforcing the critical infrastructure security policies in the virtual system. The SEM can make use of the existing access controls within the system, and/or it can make use of additional tools (host based security tools such as antivirus, personal firewall and network based security tools), and/or it can dynamically receive the security policies from the SEM server to enforce the critical infrastructure usage policies. For example, employees can be given different privileges such as administrator, limited user or guest account for temporary visitors for accessing the systems, or employees can be categorised into different groups such as operators and network administrators. The Attack Detection Server (ADS) is used for capturing security policies from the behaviour of the systems and also for enforcing different security policies at the attack detection agents for detecting attacks and enhancing the security of the systems.

A. Techniques for detecting Attacks

The systems in a traditional critical infrastructure network are hardened by running only the required applications, applying updates to the applications and operating systems, blocking unused ports, and running security tools and keeping them updated to detect new types of attacks. However, once the attacker is successful in identifying a vulnerability, all the security measures can be easily disabled and the systems can be used for generating attacks. In our model, some of the security policies enforced by the SEM are also enforced in the ADA. At random intervals, the ADA validates the runtime state of the systems for suspicious behaviour. The system state is extracted by monitoring the applications or processes running in the system, monitoring the usage of resources by different processes, monitoring the runtime privileges of users accessing the system, and monitoring the traffic originating from the system. This enables our model to detect attacks by monitoring the runtime state of the system for suspicious behaviour. For example, if the process related to the SEM is not found in the user or server system, then the system is considered to be suspicious. Furthermore, the traffic originating from the virtual machine is validated with signature and anomaly based policies to determine attacks.

In our model the users in the critical infrastructure are given only the privileges required to conduct their tasks. Hence, similar to traditional systems, users without admin privileges will not be able to install any new applications and have restricted access to the resources. However, if admin privileges have to be provided to some of the users, these higher privileges are valid only on the user systems. Only the SA has access to the ADA. Since the ADA has physical control of the system resources, it can be used to detect whether users misuse their privileges to perform malicious activities such as unauthorised access of resources and/or using their system for generating the different types of attacks that were discussed earlier. If a user (by escalating his privileges, or a temporary worker with admin privileges) installs any applications that are not permitted according to the critical infrastructure policies, or disables any of the required applications (security tools such as the SEM), this can be detected by the ADA. If the ADA notices any malicious behaviour from the virtual machine, it raises an alert to the SA. The logs in the ADA are then analysed to determine the vulnerability exploited by the attacker.

The ADA is used as additional security for securing the systems. For example, in traditional systems, once the security policies are requested from the central server, they are locally stored in the system memory and enforced on the system. Hence if the attacker is successful in exploiting a vulnerability during runtime, he can temporarily obtain higher privileges for the current session and use the system to generate attacks. In our model, the policies sent from the central SEM server to the virtual systems are also captured by the ADA. Hence even if the attacker is successful in exploiting the system or the SEM during runtime, this will be detected when the ADA validates the state of the system or when the compromised system is being used for generating attacks. The ADS is also used for end to end monitoring of the interactions between the systems. This is useful for detecting attacks in which the attacker changes the configurations on remote systems. For example, the ADS can request the agents at the local system and the remote system (accessed by the user) to report the behaviour.

B. Techniques for developing new policies

The behaviour of the systems is extracted from the ADA logs and is used for developing and enforcing additional policies for detecting and preventing attacks. The ADA logs are analysed to capture the behaviour of the operating systems, applications and SEM, and additional policies are developed for detecting attacks on the user and server systems. These additional policies are also applied at the ADA for enhancing the security of the user and server systems.

Let us consider how some of the additional security policies are developed from the behaviour of the operating systems, applications and SEM tools. For example, we have observed that the default behaviour of Windows XP machines is to check for updates at 3:00 AM every day. Similarly, we have also captured the behaviour of specific processes related to security tools. For example, if Sophos is used as the SEM, processes such as swi_service.exe, swc_service.exe, SAVadminservice.exe and savservice.exe are related to the Sophos security tool. A process alupdate.exe is dynamically invoked every 10 minutes to check for updates from the remote server for detection of new attacks. These behaviours can be used for identifying and enforcing additional policies at the ADA for enhancing the security of the user and server systems. Hence a Windows system can be considered suspicious if it does not check for updates at 3:00 AM. Similarly, if a virtual system with the Sophos security tool (used as the SEM) does not check for updates every 10 minutes, then the system can be considered suspicious. Emerging attacks such as Conficker and Torpig disable security tools and updates in the compromised system. Hence such attacks can be detected using these additional security policies.
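The checks described in subsections A and B (an SEM process missing from a runtime snapshot, a missed 10-minute alupdate.exe run, a missed 03:00 update check) can be expressed as a policy evaluation over ADA log records. The following is an added example, not code from the paper; the record layout, the `os_update_check` event label, the VM names and the two-minute tolerance are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values taken from the behaviour described above; everything else
# (record layout, event labels, tolerance) is an assumption for illustration.
SEM_PROCESSES = frozenset({"swi_service.exe", "swc_service.exe",
                           "savadminservice.exe", "savservice.exe"})
UPDATER, UPDATE_PERIOD = "alupdate.exe", timedelta(minutes=10)
OS_CHECK, OS_CHECK_HOUR = "os_update_check", 3   # hypothetical event label
SLACK = timedelta(minutes=2)                     # assumed scheduling jitter


@dataclass(frozen=True)
class Record:
    """One ADA log entry in a hypothetical format."""
    ts: datetime
    vm: str
    kind: str      # "snapshot" = full process list, "activity" = one event
    names: tuple


def evaluate(records, vms, start, end):
    """Return sorted (vm, finding) pairs for the window [start, end]."""
    findings = set()
    for vm in vms:  # iterate expected VMs so a silent VM is still judged
        recs = sorted((r for r in records if r.vm == vm), key=lambda r: r.ts)
        seen = {}
        for r in recs:
            names = {n.lower() for n in r.names}
            if r.kind == "snapshot":
                # Policy 1: each runtime snapshot must contain every SEM process.
                for missing in sorted(SEM_PROCESSES - names):
                    findings.add((vm, f"SEM process missing: {missing}"))
            else:
                for n in names:
                    seen.setdefault(n, []).append(r.ts)

        # Policy 2: the updater must run at least every UPDATE_PERIOD.
        marks = [start] + seen.get(UPDATER, []) + [end]
        for prev, nxt in zip(marks, marks[1:]):
            if nxt - prev > UPDATE_PERIOD + SLACK:
                findings.add((vm, f"no {UPDATER} run between "
                                  f"{prev:%H:%M} and {nxt:%H:%M}"))
                break  # report the first gap only

        # Policy 3: an OS update check is expected at 03:00 on each day
        # whose 03:00 mark lies inside the window.
        due = start.replace(hour=OS_CHECK_HOUR, minute=0, second=0, microsecond=0)
        if due < start:
            due += timedelta(days=1)
        while due + SLACK <= end:
            if not any(abs(t - due) <= SLACK for t in seen.get(OS_CHECK, [])):
                findings.add((vm, f"no {OS_CHECK} at {due:%Y-%m-%d %H:%M}"))
            due += timedelta(days=1)
    return sorted(findings)


def at(hhmm):
    """Timestamp on a constructed sample day."""
    return datetime.strptime("2014-02-03 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample log: "hmi-1" behaves normally; on "historian" one SEM
# process has disappeared and update activity stops after 03:05.
FULL = tuple(SEM_PROCESSES) + ("explorer.exe",)
SAMPLE = (
    [Record(at("03:10"), "hmi-1", "snapshot", FULL),
     Record(at("03:00"), "hmi-1", "activity", (OS_CHECK,)),
     Record(at("03:10"), "historian", "snapshot",
            tuple(SEM_PROCESSES - {"savservice.exe"}))]
    + [Record(at(t), "hmi-1", "activity", ("ALUpdate.exe",))
       for t in ("02:55", "03:05", "03:15", "03:25", "03:35")]
    + [Record(at(t), "historian", "activity", (UPDATER,))
       for t in ("02:55", "03:05")]
)

if __name__ == "__main__":
    for vm, finding in evaluate(SAMPLE, ["hmi-1", "historian"],
                                at("02:50"), at("03:40")):
        print(f"[ALERT to SA] {vm}: {finding}")
```

Passing the list of expected virtual machines separately from the log means a system whose agent-side log has gone completely quiet is flagged as well, rather than silently dropping out of the evaluation.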

IV. IMPLEMENTATION

In this Section we present a detailed analysis of how the attacker can exploit the SEM to compromise systems and conduct attacks. The attacker uses a staged approach (similar to Stuxnet), using a dropper (from USB or download) to check the environment and the security enforced within the system, such as the security tools and software installed on the system, the OS version and the system architecture, and proceeds with its installation only if some conditions are met, for instance if no security tool is installed or if the definitions of the security tools are outdated. In some cases, the dropper may install only a portion of its malware so as to make such malware components operate without being detected by the security tool installed on the victim system. This strategy can be thought of as "intrusion-in-depth" in the sense that even though a malware cannot perform its full functionality due to the limitations of the target environment (e.g. the target machine is protected by an anti-virus software that detects a technique used by the malware's key logging component), it can still perform other tasks such as installing itself as a driver, communicating with a C&C server and installing a rootkit module. In other words, the malware can continue intruding into the target system even if some of its parts cannot be used or fail to function. There are at least two benefits for the attacker in using staged malware. First, it allows attackers to minimise the risk of being detected by security tools. Second, it minimises the exposed portion and hides the full functionality of the malware at the early stage of intrusion. Security administrators cannot reveal the functionalities of a malware when they can obtain only a dropper or downloader, because it might not include any meaningful functionality other than installing the real malware.

A staged malware can even continue working by giving up some of its functionalities that can be detected by the security tool installed on the target system, if it can determine that the tool is installed and is active. Therefore, it is very important for the attacker to check the target environment to bypass any existing protection prior to extending its control over the compromised system and starting malicious activities. The initial installer may not perform anything beyond some primitive tasks, such as checking network connectivity, the OS version, the list of security tools installed on the system, the privilege level of the current user and the privilege level of itself (process). Then it decides the method for further intrusion and continues its execution, such as dropping its functional component and executing it, injecting itself or the main component into a (usually trusted) process, or giving up further intrusion if bypassing is impossible. Now we describe the file replacement attack used to compromise the security tools running in the system. Once this is achieved, the attacker completely controls the system. The attacker can then use the compromised system to generate different types of attacks within the critical infrastructure or on external hosts. Recall that a staged malware is used in this scenario.

In our attack scenario, we have used the anti-virus software Avira. Note that Avira is one of the major anti-virus software providers and is an excellent security product. We have just used this as an example to illustrate how a malicious user can exploit current security measures to conduct attacks. Our research confirms similar attacks are also possible with other anti-virus software.

The attacker runs a malware installer (first stage); the malware installer performs only the actions that are permitted under any anti-virus software's realtime protection. In this particular example, it checks the following: OS version, privilege of the current user, anti-virus solution installed on the system, and version of the currently active signatures and engines. If Avira is installed on the target system, the installer triggers an update; alternatively, it may just wait for an update to be started by Avira's scheduler service. The realtime protection services have to be restarted during some updates. Hence it is easy to compromise such tools during updates. When an update begins, the installer monitors the status of Avira's Realtime Protection service. Once the service is deactivated during the update, the installer performs the required actions that are normally blocked or prevented by Avira's Realtime Protection service. In this example, the installer's ultimate goal is to replace Avira's sqlite3.dll with a malicious one (second stage) so as to subvert both Avira and the system. It performed the following tasks:

• For privilege escalation, we dropped and executed a known exploit that is normally detected by the security tool. Notice that this local privilege escalation (e.g. from limited privileges to SYSTEM) is required only once. After this file replacement process, the malware obtains SYSTEM privilege on the target machine.

• Unloads Avira's filter driver that is normally protected by the service.

• Dropped the real payload (fabricated sqlite3.dll) and replaced the original file in Avira's installation folder with the malicious one.

The installer deletes itself as a clean-up process to erase its existence; alternatively, the payload may delete the installer. As the filter driver has been unloaded, it should be restored, even though the Realtime Protection service automatically loads and attaches the filter driver when it restarts. The reason for the restoration is that the service's restart triggered by Avira after an update proceeds to some extent and fails if the driver remains unloaded; of course, the installer can manually restart the service after the first restart by Avira fails. But still the best solution is to restore the driver, because the service restart by Avira succeeds if the filter driver is restored. Interestingly enough, even if the start of the service was triggered and failed, it is logged as successfully started in Avira's update log file, which is good from the attacker's point of view. On restarting, the Realtime Protection service loads the malicious sqlite3.dll, which provides full SQLite functionality, and becomes active without any problem. However, once loaded by the service, the malicious sqlite3.dll obtains SYSTEM privilege on the target machine. In other words, this attack allows the malware to escalate its privilege from a user to SYSTEM, which means UAC (User Access Control) on Windows becomes ineffective. Also, almost any malicious activity becomes possible, as it is loaded and executed in the context of Avira's Realtime Protection service. Furthermore, the DLL can perform file operations on the installation folder, even while the filter driver is loaded; this allows the attacker to update the malicious DLL. The result of this file replacement and loading operation is shown in Figure 3. The original sqlite3.dll (sqlite3_ori.dll, 389KB) has been replaced with the malicious version (sqlite3.dll, 612KB), and the fabricated DLL has been loaded by the service. Here, the original DLL was not removed, to show its replacement. After becoming a part of Avira, the malware can modify Avira's memory area to make Avira look normal to the users (with the tray icon's umbrella open), but totally ineffective.

Figure 3: Security tool exploit

Let us consider another example scenario. Now consider that the attacker is using the compromised system for generating attack traffic in the critical infrastructure. For example, LOIC attack tools can be used to generate attack traffic with TCP, UDP and HTTP GET flood messages. Figure 4 shows the scenario where the compromised system was used to flood the network with malicious traffic with a spoofed address.

Figure 4: Flooding with spoofed traffic

The attacks shown in Figure 4 will be successful in traditional critical infrastructure networks, since the attacker has obtained complete control of the system and the SEM. It is extremely difficult for the security administrator to determine the attacking host, since the attack traffic does not have a valid source address. In this scenario, our model detects the compromise of the system during runtime state validation of the system and/or when the attacker uses the compromised system to generate attacks such as flooding the critical infrastructure network. Although the attacker is successful in compromising the system, he does not have access to the ADA. Hence such attacks can be detected with our model. With our architecture, the attacks shown in Figure 4 are not possible in the first place. Since the traffic does not have a valid source address, it will be blocked by the agents and an alert will be raised to the security administrator. Hence our model can efficiently detect and prevent such attacks even before the attack traffic is placed on the network medium. Furthermore, it is a trivial task for the Security Administrator (SA) to detect the malicious system, since the agents send an alert to the ADS and the SA.

V. CONCLUSION

In this paper we have proposed techniques for detecting attacks in critical infrastructures. Our model makes use of VMM based security as an additional layer of defence for securing critical infrastructures. We have also discussed techniques for enforcing security policies based on the behaviour of the entities.

REFERENCES

[1] A. Nicholson, S. Webber, S. Dyer, T. Patel, H. Janicke, "SCADA security in the light of Cyber-Warfare", Computers & Security, Volume 31, Issue 4, June 2012, Pages 418–436.
[2] Bonnie Zhu, Anthony Joseph, Shankar Sastry, "A Taxonomy of Cyber Attacks on SCADA Systems", Proceedings of the IEEE International Conferences on Internet of Things, and Cyber, Physical and Social Computing, 2011.
[3] D. Ferraiolo and R. Kuhn, "Role-based access control", In Proceedings of the 15th NIST-NCSC National Computer Security Conference, 1992, pp. 554–563.
[4] The Open Source Network Intrusion Detection System: Snort. http://www.snort.org/docs/iss-placement.pdf
[5] George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza A. Basrai, Peter M. Chen, "ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay", Proceedings of OSDI, 2002.
[6] T. Garfinkel and M. Rosenblum, "A virtual machine introspection based architecture for intrusion detection", Proceedings of NDSS, February 2003.
[7] Deepa Srinivasan, Zhi Wang, Xuxian Jiang, Dongyan Xu, "Process Out-Grafting: An Efficient "Out-of-VM" Approach for Fine-Grained Process Execution Monitoring", Proceedings of 18th ACM Conference on Computer and Communications Security, Chicago, USA, Oct. 2011.