
Publications

Featured research published by Jonathan Butts.


International Conference on Critical Infrastructure Protection | 2009

A Taxonomy of Attacks on the DNP3 Protocol

Samuel East; Jonathan Butts; Mauricio Papa; Sujeet Shenoi

Distributed Network Protocol (DNP3) is the predominant SCADA protocol in the energy sector – more than 75% of North American electric utilities currently use DNP3 for industrial control applications. This paper presents a taxonomy of attacks on the protocol. The attacks are classified based on targets (control center, outstation devices and network/communication paths) and threat categories (interception, interruption, modification and fabrication). To facilitate risk analysis and mitigation strategies, the attacks are associated with the specific DNP3 protocol layers they exploit. Also, the operational impact of the attacks is categorized in terms of three key SCADA objectives: process confidentiality, process awareness and process control. The attack taxonomy clarifies the nature and scope of the threats to DNP3 systems, and can provide insights into the relative costs and benefits of implementing mitigation strategies.


International Journal of Critical Infrastructure Protection | 2011

Security analysis of the ADS-B implementation in the next generation air transportation system

Donald McCallie; Jonathan Butts; Robert F. Mills

The US Federal Aviation Administration’s Next Generation (NextGen) upgrade proposes a fundamental transformation that is intended to increase the capacity and safety of the air transportation system. A key component of the upgrade is the Automatic Dependent Surveillance Broadcast (ADS-B) system. ADS-B provides continual broadcast of aircraft position, identity, velocity and other information over unencrypted data links to generate a precise air picture for air traffic management. The Federal Aviation Administration claims that operational requirements necessitate the use of unencrypted data links and maintains that there is a low likelihood of malicious exploitation. This paper analyzes the security vulnerabilities associated with the ADS-B implementation. It describes a taxonomy of attacks and examines the potential impact that the attacks may have on air transportation operations. The taxonomy helps provide a comprehensive understanding of the threats associated with the ADS-B implementation, thereby supporting risk analysis and risk management efforts. The paper also provides recommendations that could enhance security if integrated into the ADS-B implementation plan.


International Journal of Critical Infrastructure Protection | 2014

Evaluation of the ability of the Shodan search engine to identify Internet-facing industrial control devices

Roland Bodenheim; Jonathan Butts; Stephen Dunlap; Barry E. Mullins

The Shodan computer search engine has received significant attention due to its ability to identify and index Internet-facing industrial control system components. Industrial control systems are employed in numerous critical infrastructure assets, including oil and gas pipelines, water distribution systems, electrical power grids, nuclear plants and manufacturing facilities. The ability of malicious actors to identify industrial control devices that are accessible over the Internet is cause for alarm. Indeed, Shodan provides attackers with a powerful reconnaissance tool for targeting industrial control systems. This paper investigates the functionality of the Shodan computer search engine. In the experiments, four Allen-Bradley ControlLogix programmable logic controllers were deployed in an Internet-facing configuration to evaluate the indexing and querying capabilities of Shodan: all four programmable logic controllers were indexed and identified by Shodan within 19 days. This paper also describes a potential mitigation strategy that employs service banner manipulation to limit the exposure to Shodan queries.


International Journal of Critical Infrastructure Protection | 2013

Firmware modification attacks on programmable logic controllers

Zachry Basnight; Jonathan Butts; Juan Lopez; Thomas E. Dube

Recent attacks on industrial control systems, such as the highly publicized Stuxnet malware, have intensified a “race to the bottom” where lower-level attacks have a tactical advantage. Programmable logic controller (PLC) firmware, which provides a software-driven interface between system inputs and physical outputs, can be easily modified at the user level. Efforts directed at protecting against firmware modification are hindered by the lack of foundational research about attack development and implementation. This paper examines the vulnerability of PLCs to intentional firmware modifications in order to obtain a better understanding of the threats posed by PLC firmware modification attacks and the feasibility of these attacks. A general firmware analysis methodology is presented, and a proof-of-concept experiment is used to demonstrate how legitimate firmware can be updated and uploaded to an Allen-Bradley ControlLogix L61 PLC.


International Journal of Critical Infrastructure Protection | 2013

Enhancing the security of aircraft surveillance in the next generation air traffic control system

Jonathan Butts; Robert F. Mills; Michael R. Grimaila

The U.S. air traffic control system is reliant on legacy systems that artificially limit air traffic capacity. With the demand for air transportation increasing each year, the U.S. Federal Aviation Administration has introduced the Next Generation (NextGen) upgrade to modernize the air traffic control system. Automatic Dependent Surveillance-Broadcast (ADS-B), a key component of the NextGen upgrade, enables an aircraft to generate and broadcast digital messages that contain the GPS coordinates of aircraft. The incorporation of ADS-B is intended to provide enhanced accuracy and efficiency of surveillance as well as aircraft safety. The open design of the system, however, introduces some security concerns. This paper evaluates the limitations of the legacy systems currently used in air traffic control and explores the feasibility of employing format-preserving encryption, specifically the FFX algorithm, in the ADS-B environment. The ability of the algorithm to confuse and diffuse predictable message input is examined using message entropy as a metric. Based on the analysis, recommendations are provided that highlight areas which should be examined for inclusion in the ADS-B upgrade plan.


ACM SIGMIS Database | 2014

Evaluation of security solutions in the SCADA environment

Robert D. Larkin; Juan Lopez; Jonathan Butts; Michael R. Grimaila

Supervisory Control and Data Acquisition (SCADA) systems control and monitor the electric power grid, water treatment facilities, oil and gas pipelines, railways, and other critical infrastructure assets. With the advent of greater connectivity via the Internet, organizations that own and operate these systems have increasingly interconnected them with their enterprise network to take advantage of cost savings and operational benefits. Now, these once isolated systems are susceptible to a wider range of threats resulting from new pathways into the network that previously did not exist. Recommendations for safeguarding SCADA systems include employment of traditional information technology (IT) security solutions; however, mitigation strategies designed for IT systems must first be evaluated prior to deployment on a SCADA system to quantify and to minimize the risk of adverse operational impacts. This article examines the employment of traditional IT security mechanisms in the SCADA environment. We provide considerations that should be evaluated prior to deploying security controls to mitigate negative impacts on operations. A case study is provided that evaluates a host-based intrusion detection system and a petrochemical fuels management SCADA system.


Mathematical Methods, Models and Architectures for Network Security Systems | 2005

Developing an insider threat model using functional decomposition

Jonathan Butts; Robert F. Mills; Rusty O. Baldwin

Addressing the insider threat using a systematic and formulated methodology is an inherently difficult process. This is because the problem is typically viewed in an abstract manner and a sufficient method for defining a way to categorically represent the threat has not been developed. The solution requires a security model that clearly identifies a process for classifying malicious insider activities. To be effective the model must compartmentalize the threat and attack it consistently. The purpose of this paper is to present a methodology for accurately defining the malicious insider and describe a process for addressing the threat in a systematic manner. Our model presents a definable taxonomy of the malicious insider and demonstrates a method for decomposing the abstract threat into a solvable and analyzable process.


International Journal of Critical Infrastructure Protection | 2014

An evaluation of modification attacks on programmable logic controllers

Carl Schuett; Jonathan Butts; Stephen Dunlap

Unprotected supervisory control and data acquisition (SCADA) systems offer promising targets to potential attackers. Field devices, such as programmable logic controllers (PLCs), are of particular concern because they directly monitor and control industrial processes. Although attacks targeting SCADA systems have increased, relatively little research has focused on exploring the vulnerabilities directly associated with the exploitation of field devices. Attacks such as Stuxnet have targeted operating characteristics, but not low-level firmware code. As attacks increase in sophistication, it is reasonable to expect increased exploitation of the field device firmware. This paper examines the feasibility of modifying PLC firmware to execute remotely-triggered attacks. A general method is used to reverse engineer the firmware to determine its structure. After the structure is understood, the firmware is modified to add an exploitable feature that can remotely disable a PLC. The attacks described in this paper utilize a variety of triggers and leverage existing functions to exploit PLCs. Important segments of the firmware are described to demonstrate how they can be used in attack development. Finally, design recommendations are suggested to help mitigate potential weaknesses in future firmware development.


International Journal of Critical Infrastructure Protection | 2010

Applying public health strategies to the protection of cyberspace

Mason Rice; Jonathan Butts; Robert A. Miller; Sujeet Shenoi

Modern society has made massive strides in public health that have contributed to the quality of life we enjoy today. However, the current cyberspace health environment is arguably similar to the public health environment that existed in nineteenth century New York City, if not Europe during the Middle Ages. How would the critical infrastructure cope with a pandemic cyberspace infection with the virulence and potency of the Black Death? This paper presents a strategy for cyberspace health that is inspired by constructs and initiatives in the public health domain. The strategy has five components: (i) sanitizing the environment; (ii) controlling community infections; (iii) educating the actors; (iv) organizing detection and prevention services; and (v) creating the social machinery for cyberspace health.


Cyber Security and Information Intelligence Research Workshop | 2013

ADS-B encryption: confidentiality in the friendly skies

Jonathan Butts; Robert F. Mills

The US Federal Aviation Administration is proposing an upgrade to air transportation that will fundamentally overhaul the current, aging system. A key component, the automatic dependent surveillance broadcast (ADS-B) system, will enhance air traffic monitoring and control by requiring aircraft to continually broadcast position, identity and velocity via unencrypted data links to ground stations. Although ADS-B may enhance air traffic safety and support the increase in traffic demands, open broadcast of clear aircraft data points raises serious security concerns. The ability to encrypt ADS-B message transactions would afford protection to ensure that the confidentiality of aircraft data is not compromised. The implementation of an encryption framework for a large, distributed and dynamic system, however, is nontrivial. This paper examines encryption schemes and highlights challenges associated with implementing confidentiality security protections for the ADS-B environment.

Collaboration

Top co-authors of Jonathan Butts (all at the Air Force Institute of Technology):

Robert F. Mills
Juan Lopez
Michael R. Grimaila
Stephen Dunlap
Barry E. Mullins
Mason Rice
David Robinson
Dustin Berman