Industrial Internet of Things

Autoscopy Jr.

J. Reeves, A. Ramaswamy, M. Locasto, S. Bratus and S.W. Smith

Objectives

  • Secure resource-constrained devices living within power grid networks.
  • Avoid using resource-intensive tools such as hypervisors, and instead use existing pieces of the OS kernel to monitor itself.
  • “Protect Ring 0 from Ring 0”
  • Provide a layer of security while also adhering to the grid's strict timing and availability constraints.

Key Science Methods & Advances

  • Kprobes: Built-in Linux tracing framework that gives us a snapshot of the OS kernel when the probe is reached.
  • ioctl Memory Access: Observe kernel memory directly rather than via mmap.
  • Trusted Location Lists: Model of normal control flow constructed during the learning phase and verified during the detection phase.
  • Improved Indirect Call Heuristics: Simple rules that let us make quick decisions and avoid using complicated disassembly techniques.

Results & Impacts

  • We found that we could protect against control-flow altering rootkits while remaining within the grid's timing constraints.
  • We transferred the Autoscopy Jr. technology to Schweitzer Engineering Laboratories, who incorporated it into their product lines.

Tamper Event Detection on Distributed Infrastructure (TEDDI)

J. Reeves and S. W. Smith

Objectives

  • Protect power grid edge devices (resource-constrained embedded devices that live on the periphery of the network) from physical tampering.
  • Differentiate a wide variety of tamper events, which include malicious attacks, technician maintenance, and natural disaster events.
  • Take a suitable automated tamper response based on the event we detect.
  • Adhere to the grid's timing and availability constraints.

Key Science Methods & Advances

  • We constructed a taxonomy of tamper event types based on real-world examples.
  • We use factor graphs for data fusion, allowing us to quickly and simply capture a grid defender's intuition about specific tamper events.
  • We constructed TEDDI, a distributed, sensor-based tamper protection system that detects and addresses both local and wide-area tamper events.
  • We built the TEDDI Generation Tool, an easy-to-use program that lets a grid defender construct a TEDDI system for any arbitrary network.

Results & Impacts

  • TEDDI detected and differentiated tamper events with 99.1% accuracy at the local level and 100% accuracy at the regional level.
  • Our factor graphs were able to make tamper decisions in under 250 μs, even in a worst-case scenario.
  • TEDDI solves the grid defender's dilemma.

Cyber Resilient Energy Delivery Consortium (CREDC)

S.W. Smith, S. Bratus, J. Reeves, P. Anantharaman, J.P. Brady, I.R. Jenkins (students) with UIUC, WSU, ASU, Rutgers, MIT, Tennessee State, Oregon State, University of Houston, PNNL, Argonne, ODU

Objectives

  • The go-to academic consortium for the US power industry since 2005. We are a founding member.
  • Make energy delivery system (EDS) cyber infrastructure more secure and resilient.
  • Develop security solutions that operate within the resource and timing constraints of an EDS.
  • Identify vulnerabilities in industrial control system (ICS) protocols, and harden them against future intrusions.

Key Science Methods & Advances

  • YASIR: Bump-in-the-wire crypto device for low-latency SCADA applications.
  • Autoscopy Jr.: IDS for resource-constrained embedded devices within power grid networks.
  • Api-do (successor to KillerBee): Tool suite to evaluate the security of Zigbee network deployments.
  • FaeriePlay: Secure execution environment for power auctions.
  • ABUSE: PKI tools to enable grid operators to make real-world trust judgments about communications in emergency scenarios.
  • XUTools: Tool suite to analyze security policies and how they change over time.
  • TEDDI: Distributed, sensor-based tamper protection system for embedded devices.
  • Secure Conduits: Hot-patching system for replacing vulnerable sections of legacy code with secure code.
  • MQTT/Macaroons: Key management scheme that can create and verify keys within EDS time constraints.

Results & Impact

  • Bi-annual summer schools on security and energy, for industry, government, and academia.
  • Twice-yearly industry workshops.
  • Autoscopy Jr. was transferred to Schweitzer Engineering Laboratories and incorporated into their product lines.
  • Api-do was spun off into River Loop Security, a startup company specializing in pen testing, risk assessment, and reverse engineering.
  • Our MQTT/Macaroons work has attracted the attention of several companies, who would like to use the work in their future products.
  • “Best paper” accolade from IJSSE
  • CREDC website
  • TCIPG website

Rapid Attack Detection, Isolation and Characterization (RADICS)

J. Reeves, S. Bratus, S.W. Smith, P. Anantharaman, M. Millian (students) with SRI, NYU, NARF, EPRI

Objectives

  • Recover from attacks against critical infrastructure.
  • Identify the methods and behaviors of malware present in a compromised substation.
  • Reconfigure and harden the substation against future attacks.

Key Science Methods & Advances

  • Defined secure subsets of popular ICS protocols (DNP3, Modbus, IEC 61850, etc.) using our LangSec principles.
  • Implemented specialized input parsers based on these subsets to protect devices from malformed and/or malicious packets.
  • Identified and cataloged data/configuration changes made by compromised devices.
  • Investigated ways to modify packets to signify when devices are clean and detect if they are re-compromised.
  • Incorporated our design into TIGR, a custom-built appliance that can be plugged into a compromised substation to gather info and begin recovery efforts.

Results & Impacts

  • In sponsor exercises, TIGR was able to identify the devices, protocols, and malware found inside an example substation.
  • Standalone TIGR prototypes are currently under construction.

Part of the CREDC/TCIPG/TCIP Project

Scalable Identity and Key Management for Pub-Sub Protocols in Energy Delivery Systems

Prashant Anantharaman, Sean W. Smith (Dartmouth) with Kartik Palani, Elizabeth Reed and David M. Nicol (Illinois)

Objectives

  • Demonstrate the effectiveness of our scheme on MQTT and GOOSE energy delivery protocols.
  • Build a system that is resilient to active server compromises throughout the life-cycle of EDS devices and that can perform reliable revocation.
  • Ensure that if a device is compromised, only the channels that device has access to are compromised.
  • Assign separate keys for long-lasting assertions, like identity, and short-lasting ones, like access to channels.

Key Science Methods & Advances

  • Each device has two identities:
    • A core identity
    • Association attributes
  • An attribute can be formalized as a tuple (P, O, Δ).
  • Core identity assertions (long-lived) are made by the deployer, while attribute assertions (short-lived) are made by controllers.

Results & Impacts

  • We generate session keys that are resilient to known-key attacks and to online and offline dictionary attacks, and that provide forward secrecy. We also proved, using the ProVerif verification tool, that the shared secret used to generate the session keys is never leaked.
  • Our scheme was faster than the prescribed latency for the GOOSE protocol (4 ms).

Strong Authentication with Low Latency on Slow Legacy SCADA/ICS Networks

P. Tsang, R. Solomakhin, P. Johnson, S.W. Smith (Dartmouth)

Objectives

  • Critical control and data messages require authenticity: an adversary can cause havoc by forging them.
  • Power SCADA requires low latency
  • The legacy power SCADA networks are low bandwidth (and these legacy networks will persist for the foreseeable future)
  • How do we get high security, with low latency, over slow lines?

Key Science Methods & Advances

  • Add a bump-in-the-wire (BITW) at each end.
  • YASIR:
    • Operates on a stream of bytes rather than larger blocks.
    • Uses HMAC-SHA-1-96.
    • The receiver BITW forwards payload data immediately, but introduces a CRC error if the HMAC check fails, thus turning a malicious modification into what looks like a random transmission error, which legacy devices already handle.
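The receiver-side behaviour described above, as an added example that is not the YASIR project's code and is not on the page: a Python sketch of both bumps-in-the-wire. It assumes (these are assumptions, not from the page) that the legacy frame ends in a 16-bit CCITT CRC, that the BITW sees the link as a byte stream with no framing of its own, and that replay protection is out of scope. The receiver forwards each byte as soon as it can no longer be part of the trailing CRC+tag, checks the 96-bit HMAC only when the frame ends, and on failure inverts the CRC so the legacy device discards the frame as a line error rather than consuming forged data.

```python
import hashlib
import hmac
from typing import Iterable, Iterator

TAG_LEN = 12  # HMAC-SHA-1-96: the leading 96 bits (12 bytes) of an HMAC-SHA-1 digest
CRC_LEN = 2   # the legacy frame's own 16-bit CRC (assumed frame format, not from the page)


def crc16(data: bytes) -> int:
    """CRC-16 with the CCITT polynomial 0x1021 and initial value 0xFFFF.
    Stands in for whatever CRC the real legacy protocol uses (assumption)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def legacy_frame(payload: bytes) -> bytes:
    """What the legacy device puts on the wire: payload followed by its CRC."""
    return payload + crc16(payload).to_bytes(CRC_LEN, "big")


def legacy_accepts(frame: bytes) -> bool:
    """The only integrity check a legacy device performs: does the CRC match?"""
    body, crc = frame[:-CRC_LEN], int.from_bytes(frame[-CRC_LEN:], "big")
    return crc16(body) == crc


def hmac_sha1_96(key: bytes, frame: bytes) -> bytes:
    return hmac.new(key, frame, hashlib.sha1).digest()[:TAG_LEN]


def sender_bitw(key: bytes, frame: bytes) -> bytes:
    """Sender-side bump-in-the-wire: pass the legacy frame through untouched and
    append the 96-bit tag. (Replay protection is out of scope for this sketch.)"""
    return frame + hmac_sha1_96(key, frame)


def receiver_bitw(key: bytes, incoming: Iterable[int]) -> Iterator[int]:
    """Receiver-side bump-in-the-wire over a byte stream.

    Each byte is forwarded as soon as it can no longer be part of the trailing
    CRC+tag, so the only added latency is a CRC_LEN + TAG_LEN byte lookahead.
    The tag is checked only when the frame ends; a bad tag neither delays nor
    drops the payload, it just makes the legacy CRC fail on the way out.
    """
    lookahead = CRC_LEN + TAG_LEN
    held = bytearray()
    forwarded = bytearray()
    for byte in incoming:
        held.append(byte)
        if len(held) > lookahead:
            out = held.pop(0)
            forwarded.append(out)
            yield out
    if len(held) < lookahead:
        return  # truncated on the wire; nothing sensible to emit (assumption)
    crc_bytes = bytes(held[:CRC_LEN])
    received_tag = bytes(held[CRC_LEN:])
    frame = bytes(forwarded) + crc_bytes
    if hmac.compare_digest(hmac_sha1_96(key, frame), received_tag):
        yield from crc_bytes
    else:
        # Tag mismatch: invert the CRC so the legacy device discards the frame
        # as a transmission error. If the modifier recomputed the CRC to match
        # the altered payload, inversion guarantees a mismatch.
        yield from (c ^ 0xFF for c in crc_bytes)


def demo() -> tuple:
    """Constructed end-to-end run. Returns
    (legacy accepts the clean frame, legacy accepts the modified frame)."""
    key = b"constructed-shared-key"                    # constructed; not a real key
    payload = b"\x05\x64\x0b\xc4\x01\x00\x0a\x00\x2a"  # constructed bytes, not a real frame
    wire = sender_bitw(key, legacy_frame(payload))
    clean = bytes(receiver_bitw(key, wire))

    # Simulate an in-transit modification that also fixes the legacy CRC,
    # which is exactly the case a CRC alone cannot catch.
    altered = bytearray(payload)
    altered[4] ^= 0x01
    modified_wire = legacy_frame(bytes(altered)) + wire[-TAG_LEN:]
    suspect = bytes(receiver_bitw(key, modified_wire))
    return legacy_accepts(clean), legacy_accepts(suspect)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The design point worth noticing is where the latency goes: the payload bytes leave the receiver BITW after a fixed 14-byte lookahead regardless of whether the tag turns out to be good, so the authenticity check never sits on the critical path of the legacy device's data, and the only thing the check can influence is the last two bytes.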

Results & Impact

  • Implementations in both software and FPGA code.
  • P. Tsang and S.W. Smith. “YASIR: A Low-Latency, High-Integrity Security Retrofit for Legacy SCADA Systems.” 23rd International Information Security Conference (SEC 2008). Springer-Verlag LNCS. August 2008.
  • R. Solomakhin, P. Tsang, S.W. Smith. “Predictive YASIR: High Security with Lower Latency in Legacy SCADA.” Critical Infrastructure IV: Proceedings of the Fifth Annual IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection. Springer, 2010. 63--80.