Module 3Module 3
Cyber-Physical SecurityCyber-Physical Security
Kentucky Industrial Assessment CenterKentucky Industrial Assessment Center
Cybersecurity ModuleCybersecurity Module
Acknowledgement: Some of the lecture slides in this module are based on slides provided by N-Dimension,Information Systems Security Association (ISSA), Dr. Stefan Luders from CERN and Dr. Himanshu Thapliyal fromUniversity of Kentucky.
Cyber-Physical SecurityCyber-Physical Security
Two questions:Two questions:
How does physical devices impact cybersecurity?How does physical devices impact cybersecurity?
Vulnerability of Internet-Of-ThingsVulnerability of Internet-Of-Things
Hardware vulnerability: side channel attacksHardware vulnerability: side channel attacks
How does cyberattacks impact physical security?How does cyberattacks impact physical security?
Security of cyber-connected Industrial Control System (ICS)Security of cyber-connected Industrial Control System (ICS)
2
How does physical devices impactcybersecurity?How does physical devices impactcybersecurity?
3
New Trend in DDoS AttacksNew Trend in DDoS Attacks
Abusable IoT Devices
Ease of Attack
Verisign DDoS Trends Report Q2 2016
256 Gpbs Peak attack size
IoT Botnet Activity Q3&4 2016
1200 Gpbs Peak attack size
Mirai BotnetMirai Botnet
September 20th 2016:
Mirai used to attack website ofSecurity journalist Brian Krebswith 620Gbps DDoS attack
September 23rd 2016:
Mirai botnet used to attackOVH web hosting companywith 1Tbps DDoS attack
October 21st 2016:
Mirai botnet used to attackDYN DNS provider with 1.2Tbps attack
Impacted sites include but arenot limited to: PayPal, Twitter,Reddit, GitHub, Amazon,Netflix, Spotify
A floating population of approximately 500,000 compromised IoTdevices worldwide (Internet-enabled digital video recorders(DVRs), surveillance cameras).
Relatively high concentrations of Mirai nodes have beenobserved in Asia, Brazil, North America and Europe.
IoT Botnet DDoS (Mirai)IoT Botnet DDoS (Mirai)
Default user name andpasswords beingenabled on devices andopen ports in firewalls(Telnet TCP 23/2323).
Continuous, automatedscanning by othercompromised Miraibotnet IoT devices.
Rebooting the deviceremoves the malwarerunning in memory, butits estimated that it willtake less than 10 min tobe rescanned andbecome part of botnetagain.
Side-channel analysis attacksSide-channel analysis attacks
Side-channel analysis attack takes advantage ofimplementation-specific characteristics of cryptographicalgorithmSide-channel analysis attack takes advantage ofimplementation-specific characteristics of cryptographicalgorithm
7
http://www.technologynewsextra.com/wp-content/uploads/2017/03/Smart-Card-Market.png
http://citibusinessnews.com/wp-content/uploads/2016/06/smartphones.png
https://www.verizonwireless.com/archive/mobile-living/wp-content/uploads/2015/12/4498-MLAQ-3-surprising-ways-to-use-wearable-technology-hero-desktop-con-768x432-main.png
https://d2qxwxxauf5yxr.cloudfront.net/images/homepage/hero/earthday-promotion/enUS/background-2-1178590652.png
https://www.ovoenergy.com/binaries/content/gallery/ovowebsitessuite/images/landing-pages/paygplus/smart-meter.png
Side-channelsSide-channels
If physical and/or electrical effects unintentionally deliverinformation about the key, then side-channel informationis delivered and are called side-channels.If physical and/or electrical effects unintentionally deliverinformation about the key, then side-channel informationis delivered and are called side-channels.
Four groups according to side-channel information beingexploited:Four groups according to side-channel information beingexploited:
Timing attacks (TA)Timing attacks (TA)
Power attacks (PA)Power attacks (PA)
Electromagnetic attacks (EMA)Electromagnetic attacks (EMA)
Acoustic (sound) analysisAcoustic (sound) analysis
8
RSA Conditional BranchRSA Conditional Branch
9
Smart Meter PrivacySmart Meter Privacy
Easy to deduce patterns ofhome activity from highfrequency metering dataEasy to deduce patterns ofhome activity from highfrequency metering data
Which devices you ownand useWhich devices you ownand use
When you use themWhen you use them
When you are at homeWhen you are at home
Lifestyle routinesLifestyle routines
Personalizedservices/offers, e.g. adsdepending on exposedprivate data …Personalizedservices/offers, e.g. adsdepending on exposedprivate data …
10
Data usage threats against customer privacyData usage threats against customer privacy
Hardware Counterfit ProblemHardware Counterfit Problem
Hondata s300, a plug-in modulefor the engine computer thatreads data from sensors inHonda cars and automaticallyadjusts the air-fuel mixture, idlespeed, and other factors toimprove performance.
One of these is fake, but whichone?
11
img of fake chip
img of real chip
PUF-Based SecurityPUF-Based Security
Physical Unclonable Function (PUF) [Gassend et al 2002]Physical Unclonable Function (PUF) [Gassend et al 2002]
PUF Security is based onPUF Security is based on
wire delayswire delays
gate delaysgate delays
quantum mechanical fluctuationsquantum mechanical fluctuations
PUF characteristicsPUF characteristics
uniquenessuniqueness
reliabilityreliability
unpredictabilityunpredictability
PUF AssumptionsPUF Assumptions
Infeasible to accurately model PUFInfeasible to accurately model PUF
Pair-wise PUF output-collision probability is constantPair-wise PUF output-collision probability is constant
Physical tampering will modify PUFPhysical tampering will modify PUF
http://davesource.com/Projects/DEStiny/chip.gif
Hardware AuthenticationHardware Authentication
r is the one-time random number as challenge
Hash(PUF(C),r) is used because
Computable on both sides
Eavesdropper cannot invert to find PUF(C)
Robust against replay attack
301553_2
pic-rfid-1
Hash(PUF(C), r)
nonce, r
Circuit C
Database
PUF(C) ...
How does cyberattacks impactphysical security?How does cyberattacks impactphysical security?
14
Physical System
Sensor
Control System
Actuator
y
u: input
x: state
Estimation and control
A Control SystemA Control System
thermostat
newFurnaceB
airconditioner
http://assets.inhabitat.com/wp-content/blogs.dir/1/files/2014/03/Winter-Summer-Graphic-537x225.jpg
ZE_29000004055
Industrial Control Systems (ICS)Industrial Control Systems (ICS)
Supervisory Control And DataAcquisition (SCADA)
Automation
Process ControlSystems (PCS)
Distributed ControlSystems (DCS)
17
SCADA systemsSCADA systems
Human-Machine Interfaces (HMI)
(Touch screens or panel with buttons for people)
Programmable Logic Controllers (PLC)
(watching system and making routine decisions)
Remote Terminal Units (RTU)
(reading sensors and controlling valves and switches)
Sensors – Valves - Switches
(reading sensors and
controlling valves and switches)
Intelligent Electronic Device (IED)
microprocessor-based controllers of power system equipment,such as circuit breakers, transformers and capacitor banks.
https://upload.wikimedia.org/wikipedia/commons/c/c2/Protective_relay.jpg
 
 
 
 
Third Party
Controllers,
Servers, etc.
Serial, OPC
or Fieldbus
Engineering
Workplace
 
Device Network
Firewall
 
 
Services
Network
Third PartyApplicationServer
Application
Server
Historian
Server
Workplaces
Enterprise
OptimizationSuite
MobileOperator
Connectivity
Server
Control
Network
Redundant
Enterprise Network
Serial
RS485
Modern ICS TrendsModern ICS Trends
IP
Internet
EnterpriseNetwork
19
Myth #1
ICS cyber incidents haven’t damaged criticalinfrastructure
In 2015, ~ 400 incidents world-wide
Most unintentional
Some malicious attacks
Impacts range from trivial to majoroutages to equipment damage todeaths
florida_power_0226
Stuxnet attack onIran’s Nuclear PlantStuxnet attack onIran’s Nuclear Plant
20
The Workings of Stuxnet (I)The Workings of Stuxnet (I)
An infected USB stick was infiltratedinto the plant either by malicious actor through social engineering.An infected USB stick was infiltratedinto the plant either by malicious actor through social engineering.
Once inserted into a Windows PC, the sticktried to compromise the OS with up toa virus called VirusBlokAda.Once inserted into a Windows PC, the sticktried to compromise the OS with up toa virus called VirusBlokAda.
There were 4-5 evolutions starting 6/2009.There were 4-5 evolutions starting 6/2009.
Infected 100,000 PCs (60% Iran,10%Indonesia).Infected 100,000 PCs (60% Iran,10%Indonesia).
Using “rootkit” technologies and twostolen certificates from Taiwan, it hid frombeing detected.Using “rootkit” technologies and twostolen certificates from Taiwan, it hid frombeing detected.
It tried to infect other hosts andestablish a P2P connection “home”.It tried to infect other hosts andestablish a P2P connection “home”.
http://us.cdn4.123rf.com/168nwm/monner/monner0903/monner090300013.jpg
\\cern.ch\dfs\Users\s\slueders\Desktop\warning-bio-hazard-md.png
\\cern.ch\dfs\Users\s\slueders\Desktop\warning-bio-hazard-md.png
\\cern.ch\dfs\Users\s\slueders\Desktop\warning-bio-hazard-md.png
So far, nothing new:
A standard,but expensive virus!
The Workings of Stuxnet (II)The Workings of Stuxnet (II)
Stuxnet then checked the local registrylooking for the presence of SiemensPCS7/STEP7/WINCC SCADA software.Stuxnet then checked the local registrylooking for the presence of SiemensPCS7/STEP7/WINCC SCADA software.
If so, it copied itself into the localSTEP7 project folder (to propagatefurther).If so, it copied itself into the localSTEP7 project folder (to propagatefurther).
It replaced the STEP7 communicationlibraries (DLLs) used for exchangingdata with a PLC.It replaced the STEP7 communicationlibraries (DLLs) used for exchangingdata with a PLC.
Stuxnet can now manipulate values tobe sent to the PLC or displayed by theSCADA.Stuxnet can now manipulate values tobe sent to the PLC or displayed by theSCADA.
If not, Stuxnet got idle and would expireon 2012.If not, Stuxnet got idle and would expireon 2012.
Stuxnet is now the“Man in the Middle”controlling the communicationbetween SCADA & PLC.
File:Step7 communicating with plc.svg
File:Stuxnet modifying plc.svg
The Workings of Stuxnet (III)The Workings of Stuxnet (III)
Next, Stuxnet was“fingerprinting” connected  PLCs.Next, Stuxnet was“fingerprinting” connected  PLCs.
If right PLC configuration, itdownloaded/replaced codebetween 17 and 32 FBs & DBs.If right PLC configuration, itdownloaded/replaced codebetween 17 and 32 FBs & DBs.
http://us.cdn4.123rf.com/168nwm/monner/monner0903/monner090300013.jpg
\\cern.ch\dfs\Users\s\slueders\Desktop\warning-bio-hazard-md.png
\\cern.ch\dfs\Users\s\slueders\Desktop\warning-bio-hazard-md.png
\\cern.ch\dfs\Users\s\slueders\Desktop\warning-bio-hazard-md.png
\\cern.ch\dfs\Users\s\slueders\Desktop\warning-bio-hazard-md.png
\\cern.ch\dfs\Users\s\slueders\Desktop\warning-bio-hazard-md.png
\\cern.ch\dfs\Users\s\slueders\Desktop\warning-bio-hazard-md.png
http://shop.artwelove.com/_img/_mngd/product/249-artwork-focus.jpg
The “Man in the Middle”made everything looked fine atthe SCADA level…
This code varied the rotationalspeed of the centrifuges overmonths wearing them out andinhibiting uranium enrichment.
ICS & SCADA ChallengesICS & SCADA Challenges
Design with No SecurityDesign with No Security
Clear text transmissionsClear text transmissions
Patching (Firmware Update)Patching (Firmware Update)
Remote locationsRemote locations
Remote access requirementsRemote access requirements
Vulnerability trackingVulnerability tracking
StandardizationStandardization
Downtime for maintenanceDowntime for maintenance
Unsupported OSUnsupported OS
24
Exposed to public networks
Unable to pen-test inproduction
No time for remediation
Share accounts or noauthentication
Connecting IT & OT
Skill set – Proficiency
Exposed to public networks
Unable to pen-test inproduction
No time for remediation
Share accounts or noauthentication
Connecting IT & OT
Skill set – Proficiency
Different from C.I.A., ICS needs …Different from C.I.A., ICS needs …
25
Timeliness: responsiveness, freshness of data
Ref: A Taxonomy of Cyber Attacks on SCADA Systems, Zhu et al., UC Berkeley.
Availability: unexpected outages
Integrity: genuine data displayed and received by the controller
Confidentiality: Information regarding SCADA not availableto any unauthorized individual
Graceful degradation: to provide sufficient time for responseand possible evacuation
Defending ICSDefending ICS
Harden Cyber-Physical InterfaceHarden Cyber-Physical Interface
Separate control network from enterprise networkSeparate control network from enterprise network
Harden interior of control networkHarden interior of control network
Harden field sites and partner connectionsHarden field sites and partner connections
Monitor both perimeter and inside eventsMonitor both perimeter and inside events
Periodically scan for changes in security posturePeriodically scan for changes in security posture
Harden Control SystemsHarden Control Systems
Model attacks as disturbances affecting the system state andmeasurementsModel attacks as disturbances affecting the system state andmeasurements
Design special detectors to identify attacksDesign special detectors to identify attacks
Logical Overlay on ISA99 / Purdue Model of ControlLogical Overlay on ISA99 / Purdue Model of Control
Site Business Planning and Logistics Network
Batch
Control
Discrete
Control
Supervisory
Control
Hybrid
Control
Supervisory
Control
Enterprise Network
PatchMgmt
Web ServicesOperations
AVServer
ApplicationServer
Email, Intranet, etc.
Production
Control
Historian
Optimizing
Control
Engineering
Station
Continuous
Control
TerminalServices
Historian(Mirror)
Site Operationsand Control
AreaSupervisoryControl
BasicControl
Process
Control
Zone
Enterprise
Zone
DMZ
Level 5
Level 3
Level 1
Level 0
File Server_Updated2005
File Server_Updated2005
File Server_Updated2005
File Server_Updated2005
File Server_Updated2005
File Server_Updated2005
Level 2
Level 4
HMI
HMI
Logical ArchitectureLogical Architecture
Enterprise Zone contains typical business systemsEnterprise Zone contains typical business systems
Email, web, office apps, etc.Email, web, office apps, etc.
DMZ provides business connectivityDMZ provides business connectivity
Contains only non-critical systems that need access toboth Control and Enterprise ZonesContains only non-critical systems that need access toboth Control and Enterprise Zones
Enforces separation between Enterprise and ControlZonesEnforces separation between Enterprise and ControlZones
Consists of multiple functional sub-zonesConsists of multiple functional sub-zones
Separated by Firewall, IPS, Anti-Virus, etc.Separated by Firewall, IPS, Anti-Virus, etc.
Control Zone demarcates critical control systemsControl Zone demarcates critical control systems
Consists of multiple functional sub-zonesConsists of multiple functional sub-zones
Internally protected by Firewall, IPS, Anti-Virus, etc.Internally protected by Firewall, IPS, Anti-Virus, etc.
WebServicesOperations
Application
Server
Historian
Mirror
DMZ
DMZ—Logical ViewDMZ—Logical View
Patch
Mgmt
AV
Proxy
Terminal
Services
File Server_Updated2005
File Server_Updated2005
File Server_Updated2005
File Server_Updated2005
File Server_Updated2005
File Server_Updated2005
No DirectTraffic
EmergencyDisconnect
EmergencyDisconnect
MultipleFunctionalSub-Zones
VPN
Scan
FW
AV
Host AV
Proxy
Host IPS
IPS
IPS
DMZ Design PrinciplesDMZ Design Principles
DMZ contains non-critical systemsDMZ contains non-critical systems
Multiple functional security sub-zonesMultiple functional security sub-zones
Traffic between sub-zones undergoes firewall (& IPS or IDS)Traffic between sub-zones undergoes firewall (& IPS or IDS)
DMZ is only path in/out of Control ZoneDMZ is only path in/out of Control Zone
Default deny for all firewall interfacesDefault deny for all firewall interfaces
No direct traffic across DMZNo direct traffic across DMZ
No control traffic to outsideNo control traffic to outside
Limited outbound traffic from Control ZoneLimited outbound traffic from Control Zone
Very limited inbound traffic to Control ZoneVery limited inbound traffic to Control Zone
No common ports between outside & insideNo common ports between outside & inside
Emergency disconnect at inside or outsideEmergency disconnect at inside or outside
No network management from outsideNo network management from outside
Cryptographic VPN and Firewall to all 3rd party connectionsCryptographic VPN and Firewall to all 3rd party connections
Control view of CPS AttacksControl view of CPS Attacks
31
Physical System
Sensor
Control System
Actuator
y’ not y:
Sensor
compromised
u’ not u
controller
compromised
Network
 jammed
: Network
Control-theoretic Modeling ofCyberphysical AttacksControl-theoretic Modeling ofCyberphysical Attacks
(𝑩,𝑫) : binary matrices (attack signature)
# of 1’s indicate capability of attacker
 𝐸 𝑥  = 𝐴𝑥+𝐵𝑢 𝑦 = 𝐶𝑥+𝐷𝑢
SystemDynamics
SystemDynamics
Sensor
Measurement
Sensor
Measurement
State+Actuator
Attack Signal
State+Actuator
Attack Signal
Measurement
Attack Signal
Measurement
Attack Signal
Pasqualetti, Fabio, Florian Dorfler, and Francesco Bullo. "Control-theoretic methods for cyberphysical security: Geometric principles for optimal cross-layer resilient controlsystems." IEEE Control Systems 35.1 (2015): 110-127.
Power Distribution SystemPower Distribution System
Power plants 
 𝒈 𝟏 , 𝒈 𝟐 , 𝒈 𝟑  
State: rotor angle 𝜹 and frequency 𝝎 
Transmission lines
 𝒃 𝟏 , 𝒃 𝟐 , 𝒃 𝟑  ,𝒃 𝟒 , 𝒃 𝟓 , 𝒃 𝟔 
State: Phase angle 𝜽
One Sensor: 𝒚= 𝝎 𝟏 
Simplified Swing Model:
33
  𝐼 0 0 0  𝑀 𝑔  0 0 0 0     𝛿   𝜔   𝜃   =−  0 −𝐼 0  𝐿 𝑔𝑔   𝐷 𝑔   𝐿 𝑔𝑙   𝐿 𝑙𝑔  0  𝐿 𝑙𝑙     𝛿 𝜔 𝜃
Inertial
Matrix
Damping coefficient
Matrix
Susceptance
matrix
WECC power system
Power Distribution SystemPower Distribution System
WECC power turns out to be vulnerable to attack on  𝒃 𝟒  and  𝒃 𝟓  lines 
If an attacker has full knowledge of the dynamics, it is possible to inject small phase disturbances  𝒖 𝟏  and  𝒖 𝟐 , so that this happens:
34
WECC power system
Attack DetectabilityAttack Detectability
Definition of Undetectable Attack:
For a system with initial state  𝒙 𝟎 , the attack (𝑩𝒖,𝑫𝒖) is undetectable if 𝒚  𝒙 𝟎, 𝒖,𝒕 =𝒚  𝒙 𝟏 ,𝟎,𝒕  for some initial state  𝒙 𝟏  and for all 𝒕.

In other words, the observed measurements could have been a result of “normal” operations
Question: under what conditions does a system has undetectable attacks?
35
Attack DetectabilityAttack Detectability
Condition of (un)detectability:
An attack (𝑩𝒖,𝑫𝒖) is undetectable if there exist complex value 𝒔, and complex vectors 𝒖 and 𝒙≠𝟎 such that
  𝒔𝑬−𝑨 𝒙−𝑩𝒈 = 𝟎 𝑪𝒙+𝑫𝒈 = 𝟎 

𝒔 is called the “invariance zero” of the system. 
The vectors 𝒙 and 𝒈 can be used to excite the system so that the state trajectory is non-zero while the output is identically zero. 
So, ….
Pasqualetti, Fabio, Florian Dorfler, and Francesco Bullo. "Control-theoretic methods for cyberphysical security: Geometric principles for optimal cross-layer resilient controlsystems." IEEE Control Systems 35.1 (2015): 110-127.
Secure DesignsSecure Designs
Method I: 
Avoid any possible state 𝒙 that can lead to invariant zero condition 
For example, (𝑩,𝑫) are typically sparse so one can enforce state 𝒙 to be mostly non-zero
Method 2: 
Feedback control to move invariant zeros
  𝒔𝑬−𝑨 𝒙−𝑩𝒈 = 𝟎 𝑪𝒙+𝑫𝒈 = 𝟎
𝑦
(𝐸, 𝐴, 𝐵, 𝐶, 𝐷)
𝑢
𝐼−𝐶 𝐶 + 
Bad Data Detector
𝐹
Feedback Controller
+
𝑢