Vincent Urias

Supervisory Command and Data Acquisition (SCADA) system cyber security analysis using a live, virtual, and constructive (LVC) testbed

Modern critical infrastructure systems are built on a hodgepodge of complex, interconnected information systems for control and management. For electric power, the critical infrastructure includes the physical systems; comprised of power generation, transmission and distribution capabilities. The control of the physical systems is accomplished via Supervisory Command and Data Acquisition (SCADA) systems. The SCADA systems employ both new and legacy systems along with many of the same information system devices as traditional business information systems. SCADA system networks, just as business information system networks, are connected to external networks, including the Internet. Thus, SCADA systems are vulnerable to the same classes of threats as other networked computer systems in addition to threats associated with their legacy systems. Many of these systems have been put in place for decades and often have an unknown security posture. Cyber security analysis of these systems remains a significant challenge. Traditional techniques such as red-teaming, vulnerability assessments, and penetration testing are often unsatisfactory and limited in scope because power utilities do not want to risk taking the systems off-line or degrading or damaging the expensive equipment. The consequence is that the effects of a cyber-attack on these SCADA systems are often unknown. In order to provide greater SCADA system security posture insight to utilities and administrators, security experts must perform security analysis. To overcome the problems with security analysis using either an exclusive hardware SCADA testbed or a simulation of a SCADA system, Sandia National Labs has developed a cyber-security analysis capability using physical hardware, extensive virtualization and emulated machines, and simulation to answer complex system questions about SCADA systems. In this paper we will discuss the methodology, several use-cases that were executed during the course of the study which leverage the methodology, the types of cyber-attacks that can be assessed and the class of questions security professionals can now ask and answer about cyber-attacks against SCADA systems.

Performing cyber security analysis using a live, virtual, and constructive (LVC) testbed

Cyber security analysis tools are necessary to evaluate the security, reliability, and resilience of networked information systems against cyber attack. It is common practice in modern cyber security analysis to separately utilize real systems computers, routers, switches, firewalls, computer emulations (e.g., virtual machines) and simulation models to analyze the interplay between cyber threats and safeguards. In contrast, Sandia National Laboratories has developed new methods to combine these evaluation platforms into a cyber Live, Virtual, and Constructive (LVC) testbed. The combination of real, emulated, and simulated components enables the analysis of security features and components of a networked information system. When performing cyber security analysis on a target system, it is critical to represent realistically the subject security components in high fidelity. In some experiments, the security component may be the actual hardware and software with all the surrounding components represented in simulation or with surrogate devices. Sandia National Laboratories has developed a cyber LVC testbed that combines modeling and simulation capabilities with virtual machines and real devices to represent, in varying fidelity, secure networked information system architectures and devices. Using this capability, secure networked information system architectures can be represented in our testbed on a single computing platform. This provides an “experiment-in-a-box” capability. The result is rapidly produced, large scale, relatively low-cost, multi-fidelity representations of networked information systems. These representations enable analysts to quickly investigate cyber threats and test protection approaches and configurations.

Operational cost of deploying Moving Target Defenses defensive work factors

Moving Target Defense (MTD) is the concept of controlling change across multiple information system dimensions with the objective of increasing uncertainty and complexity for attackers. Increased uncertainty and complexity will increase the costs of malicious probing and attack efforts and thus prevent or limit network intrusion. As MTD increases complexity of the system for the attacker, the MTD also increases complexity in the desired operation of the system. This introduced complexity results in more difficult network troubleshooting and can cause network degradation or longer network outages. In this research paper the authors describe the defensive work factor concept. Defensive work factors considers in detail the specific impact that the MTD approach has on computing resources and network resources. Measuring impacts on system performance along with identifying how network services (e.g., DHCP, DNS, in-place security mechanisms) are affected by the MTD approach are presented. Also included is a case study of an MTD deployment and the defensive work factor costs. An actual experiment is constructed and metrics are described for the use case.

Cyber security analysis testbed: Combining real, emulation, and simulation

Cyber security analysis tools are necessary to evaluate the security, reliability, and resilience of networked information systems against cyber attack. It is common practice in modern cyber security analysis to separately utilize real systems of computers, routers, switches, firewalls, computer emulations (e.g., virtual machines) and simulation models to analyze the interplay between cyber threats and safeguards. In contrast, Sandia National Laboratories has developed novel methods to combine these evaluation platforms into a hybrid testbed that combines real, emulated, and simulated components. The combination of real, emulated, and simulated components enables the analysis of security features and components of a networked information system. When performing cyber security analysis on a system of interest, it is critical to realistically represent the subject security components in high fidelity. In some experiments, the security component may be the actual hardware and software with all the surrounding components represented in simulation or with surrogate devices. Sandia National Laboratories has developed a cyber testbed that combines modeling and simulation capabilities with virtual machines and real devices to represent, in varying fidelity, secure networked information system architectures and devices. Using this capability, secure networked information system architectures can be represented in our testbed on a single, unified computing platform. This provides an “experiment-in-a-box” capability. The result is rapidly-produced, large-scale, relatively low-cost, multi-fidelity representations of networked information systems. These representations enable analysts to quickly investigate cyber threats and test protection approaches and configurations.

Challenges to securing the Internet of Things

Great advances in technology have paved the way for the computerization and interconnectedness of the world around us. The Internet of Things (IoT) describes a network comprised of physical objects or “things” embedded with electronics, software, sensors and connectivity to achieve greater value and service by exchanging data with manufacturers, users, and/or other connected devices. However, it is often the case that some of these devices are constrained by limited processing power, memory, and power consumption. These limitations may enable adverse effects as the IoT becomes pervasive, reaching into infrastructure, vehicles, and homes. As history has shown, the architects of the Internet were focused primarily on the efficiency and scaling aspects of data transfer protocols; at the dawn of the Internet, network and computer security were vacant research areas. The current trend shows the IoT market growing at an accelerated rate - will security again become an afterthought? The goal of this paper is to provide to not only a better understanding of the various IoT domains, but to survey the shortcomings and challenges to securing IoT devices and their interactions with cloud and enterprise applications.

Empirical assessment of network-based Moving Target Defense approaches

Moving Target Defense (MTD) is based on the notion of controlling change across various system attributes with the objective of increasing uncertainty and complexity for attackers; the promise of MTD is that this increased uncertainty and complexity will increase the costs of attack efforts and thus prevent or limit network intrusions. As MTD increases complexity of the system for the attacker, the MTD also increases complexity and cost in the desired operation of the system. This introduced complexity may result in more difficult network troubleshooting and cause network degradation or longer network outages, and may not provide an adequate defense against an adversary in the end. In this work, the authors continue MTD assessment and evaluation, this time focusing on application performance monitoring (APM) under the umbrella of Defensive Work Factors, as well as the empirical assessment of a network-based MTD under Red Team (RT) attack. APM provides the impact of the MTD from the perspective of the user, whilst the RT element provides a means to test the defense under a series of attack steps based on the LM Cyber Kill Chain.

Computer network deception as a Moving Target Defense

Computer Network Defense (CND) has traditionally been provided using reactionary tools such as signature-based detectors, white/blacklisting, intrusion detection/protection systems, etc. While event detection/correlation techniques may identify threats - those threats are then dealt with manually, often employing obstruction-based responses (e.g., blocking). Literature has shown that as threat sophistication grows, perimeter-planted security efforts are ineffective in combating competent adversaries; malicious actors are already seated behind enterprise defenses, navigating the controls. We have developed a novel approach to CND: the Deception Environment. Under the Deception Environment framework, we have created a live, unpredictable, and adaptable deception network leveraging virtualization/cloud technology, software defined networking, introspection and analytics. The environment not only provides the means to identify and contain the threat, but also facilitates the ability to study, understand, and develop protections against sophisticated adversaries. Its extensibility has enabled us to explore its application as a Moving Target Defense (MTD).

Gathering threat intelligence through computer network deception

The threat landscape is changing significantly; complexity and rate of attacks is ever increasing, and the network defender does not have enough resources (people, technology, intelligence, context) to make informed decisions. The need for network defenders to develop and create proactive threat intelligence is on the rise. Network deception may provide analysts the ability to collect raw intelligence about threat actors as they reveal their Tools, Tactics and Procedures (TTP). This increased understanding of the latest cyber-attacks would enable cyber defenders to better support and defend the network, thereby increasing the cost to the adversary by making it more difficult to successfully attack an enterprise. Using a deception framework, we have created a live, unpredictable, and adaptable Deception Environment leveraging virtualization/cloud technology, software defined networking, introspection and analytics. The environment not only provides the means to identify and contain the threat, but also facilitates the ability to study, understand, and develop protections against sophisticated adversaries. By leveraging actionable data, in real-time or after a sustained engagement, the Deception Environment may be easily modified to interact with and change the perception of the adversary on-the-fly. This ability to change what and where the attacker is on the network, as well as change and modify the content of the adversary on exfiltration and infiltration, is the defining novelty of our Deception Environment.

Cyber analysis emulation platform for wireless communication network protocols

Wireless networking and mobile communications is increasing around the world and in all sectors of our lives. With increasing use, the density and complexity of the systems increase with more base stations and advanced protocols to enable higher data throughputs. The security of data transported over the wireless networks must also evolve with the advances in technologies enabling the more capable wireless networks. However, means for analysis of the effectiveness of security approaches and implementations used on wireless networks are lacking. More specifically a capability to analyze the lower-layer protocols (i.e., Link and Physical Layers) is a major challenge. An analysis approach that incorporates protocol implementations without the need for RF emissions is necessary. In this research paper several emulation tools and custom extensions that enable an analysis platform to perform cyber security analysis of lower-layer wireless networks is presented. A use case of a published exploit in the 802.11 (i.e., WiFi) protocol family is provided to demonstrate the effectiveness of the described emulation platform.

Technologies to enable cyber deception

Computer network defense has traditionally been provided using reactionary tools such as signature-based detectors, white/blacklisting, intrusion detection/protection systems, etc. While event detection/correlation techniques may identify threats — those threats are then dealt with manually, often employing obstruction-based responses (e.g., blocking). As threat sophistication grows, we find these perimeter-planted security efforts ineffective in combating competent adversaries. In 2015 Gartner, Inc. examined the potential for organizations to use deception as a strategy for thwarting attackers and making it costlier for adversaries to engage in threat campaigns. In todays current research, there are a limited number of deception platforms (tools, etc.) that have successfully been shown to enable strategic deception in a computer network operations environment. Through a deception framework, we conjecture that deception platforms can aid and assist in deceiving the adversary by: obscuring the real target, devaluing information gathering, causing the adversary to waste time and resources, forcing the adversary to reveal advanced capabilities, exposing adversary intent, increasing the difficulty of attack planning, limiting the scope of the attack, and limiting the duration of a successful attack. The objective of this paper is to survey the technological trends in cyber deception research, identify gaps in the techniques, and provide research in the emergent environment. Current findings suggest that network deception tools are attracting the interest of researchers as a valuable security technique that can be implemented to learn more about the nature of cyber attacks; however, there are significant shortcomings in the current approaches and the ability to reason about the adversary.