Towards Understanding Man-In-The-Middle Attacks on IEC 60870-5-104 SCADA Networks

This paper investigates cyber attacks on ICS which rely on IEC 60870-5-104 for telecontrol communications. The main focus of the paper is on man-in-the-middle attacks, covering modification and injection of commands, it also details capture and replay attacks. An initial set of attacks are preformed on a local software simulated laboratory. Final experiments and validation of a man-in-the-middle attack are performed in a comprehensive testbed environment in conjunction with an electricity distribution operator.

Empirical evaluation of multi-device profiling side-channel attacks

Side-channel analysis of cryptographic systems can allow for the recovery of secret information by an adversary even where the underlying algorithms have been shown to be provably secure. This is achieved by exploiting the unintentional leakages inherent in the underlying implementation of the algorithm in software or hardware. Within this field of research, a class of attacks known as profiling attacks, or more specifically as used here template attacks, have been shown to be extremely efficient at extracting secret keys. Template attacks assume a strong adversarial model, in that an attacker has an identical device with which to profile the power consumption of various operations. This can then be used to efficiently attack the target device. Inherent in this assumption is that the power consumption across the devices under test is somewhat similar. This central tenet of the attack is largely unexplored in the literature with the research community generally performing the profiling stage on the same device as being attacked. This is beneficial for evaluation or penetration testing as it is essentially the best case scenario for an attacker where the model built during the profiling stage matches exactly that of the target device, however it is not necessarily a reflection on how the attack will work in reality. In this work, a large scale evaluation of this assumption is performed, comparing the key recovery performance across 20 identical smart-cards when performing a profiling attack.

Investigating Cyber-Physical Attacks against IEC 61850 Photovoltaic Inverter Installations

Cyber-attacks against Smart Grids have been found in the real world. Malware such as Havex and BlackEnergy have been found targeting industrial control systems (ICS) and researchers have shown that cyber-attacks can exploit vulnerabilities in widely used Smart Grid communication standards. This paper addresses a deep investigation of attacks against the manufacturing message specification of IEC 61850, which is expected to become one of the most widely used communication services in Smart Grids. We investigate how an attacker can build a custom tool to execute man-in-the-middle attacks, manipulate data, and affect the physical system. Attack capabilities are demonstrated based on NESCOR scenarios to make it possible to thoroughly test these scenarios in a real system. The goal is to help understand the potential for such attacks, and to aid the development and testing of cyber security solutions. An attack use-case is presented that focuses on the standard for power utility automation, IEC 61850 in the context of inverter-based distributed energy resource devices; especially photovoltaic (PV) generators.

Can Leakage Models Be More Efficient? Non-Linear Models in Side Channel Attacks

In the last decade, many side channel attacks have been published in academic literature detailing how to efficiently extract secret keys by mounting various attacks, such as differential or correlation power analysis, on cryptosystems. Among the most efficient and widely utilized leakage models involved in these attacks are the Hamming weight and distance models which give a simple, yet effective, approximation of the power consumption for many real-world systems. These leakage models reflect the number of bits switching, which is assumed proportional to the power consumption. However, the actual power consumption changing in the circuits is unlikely to be directly of that form. We, therefore, propose a non-linear leakage model by mapping the existing leakage model via a transform function, by which the changing power consumption is depicted more precisely, hence the attack efficiency can be improved considerably. This has the advantage of utilising a non-linear power model while retaining the simplicity of the Hamming weight or distance models. A modified attack architecture is then suggested to yield the correct key efficiently in practice. Finally, an empirical comparison of the attack results is presented.

Gramsci, austerity common sense and the attacks on the welfare state: The need to understand and resist the imposition of the global neoliberal agenda and the role of the social work profession.

During the last 30 years governments almost everywhere in the world are furthering a global neoliberal agenda by withdrawing the state from the delivery of services, decreasing social spending and lowering corporate taxation etc. This restructuring has led to a massive transfer of wealth from the welfare state and working class people into capital. In order to legitimize this restructuring conservative governments engage in collective blaming towards their denizens. This presentation will examine some of the well circulated phrases that have been used by the dominant elite in some countries during the last year to legitimize the imposition of austerity measures. Phrases such as, ‘We all partied’ used by the Irish finance minister, Brian Lenihan, to explain the Irish crisis and collectively blame all Irish people, ‘We must all share the pain’, deployed by another Irish Minister Gilmore and the UK coalition administration’s sound bite ‘We are all in this together’, legitimize the imposition of austerity measures. Utilizing the Gramscian concept of common sense (Gramsci, 1971), I call these phrases ‘austerity common sense’. They are austerity common sense because they both reflect and legitimate the austerity agenda. By deploying these phrases, the ruling economic and political elite seek to influence the perception of the people and pre-empt any intention of resistance. The dominant theme of these phrases is that there is no alternative and that austerity measures are somehow self-inflicted and, as such, should not be challenged because we are all to blame. The purpose of this presentation is to explore the “austerity common sense” theme from a Gramscian approach, focus on its implications for the social work profession and discuss the ways to resist the imposition of the global neoliberal agenda.

Detecting stealthy attacks: Efficient monitoring of suspicious activities on computer networks

Stealthy attackers move patiently through computer networks - taking days, weeks or months to accomplish their objectives in order to avoid detection. As networks scale up in size and speed, monitoring for such attack attempts is increasingly a challenge. This paper presents an efficient monitoring technique for stealthy attacks. It investigates the feasibility of proposed method under number of different test cases and examines how design of the network affects the detection. A methodological way for tracing anonymous stealthy activities to their approximate sources is also presented. The Bayesian fusion along with traffic sampling is employed as a data reduction method. The proposed method has the ability to monitor stealthy activities using 10-20% size sampling rates without degrading the quality of detection.

Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid

The BlackEnergy malware targeting critical infrastructures has a long history. It evolved over time from a simple DDoS platform to a quite sophisticated plug-in based malware. The plug-in architecture has a persistent malware core with easily installable attack specific modules for DDoS, spamming, info-stealing, remote access, boot-sector formatting etc. BlackEnergy has been involved in several high profile cyber physical attacks including the recent Ukraine power grid attack in December 2015. This paper investigates the evolution of BlackEnergy and its cyber attack capabilities. It presents a basic cyber attack model used by BlackEnergy for targeting industrial control systems. In particular, the paper analyzes cyber threats of BlackEnergy for synchrophasor based systems which are used for real-time control and monitoring functionalities in smart grid. Several BlackEnergy based attack scenarios have been investigated by exploiting the vulnerabilities in two widely used synchrophasor communication standards: (i) IEEE C37.118 and (ii) IEC 61850-90-5. Specifically, the paper addresses reconnaissance, DDoS, man-in-the-middle and replay/reflection attacks on IEEE C37.118 and IEC 61850-90-5. Further, the paper also investigates protection strategies for detection and prevention of BlackEnergy based cyber physical attacks.