Analysing and Detecting Advanced Multi-stage Attacks against ICS (ADAMA)

Lead Research Organisation: Queen's University of Belfast
Department Name: Electronics Electrical Eng and Comp Sci


Industrial Control Systems (ICS) are used in sectors such as energy, manufacturing, transport, etc., and consequently play a fundamental role in the operation of many critical national infrastructures. In the last few decades ICS have evolved to incorporate new capabilities and connectivity, provided by integrating modern information and communications technology (ICT). However, a significant problem that has emerged due to this new set of technologies and high degree of interconnectivity is that ICS have become exposed to the myriad security problems that beset traditional ICT systems.

Of great concern is the trend towards advanced multi-stage attacks against ICS, which continue to emerge. These can involve remote exploitation and lateral movements (pivots) across multiple systems. Recent attacks suggest that traditional crimeware type malware is being adapted explicitly for ICS; e.g. BlackEnergy and Havex exhibit malware modules that appear to have been developed to target ICS features and vulnerabilities. New threats against ICS supporting national infrastructures continue to emerge, and criminal and state entities are known to be targeting such systems. Consequently it is of great importance that we analyse and understand how advanced attacks against ICS behave and can be better detected.

Common initial attack vectors include highly targeted spear-phishing against executives or engineers with valuable credentials, or opportunistic watering hole attacks against websites of specific interest to ICS personnel. Following the initial infiltration of an ICS network, the malware will likely try to execute actions including escalating its privileges on the host system, attempting to connect to a command and control server, downloading further payload packages, enumerating the network, pivoting and propagate further, exfiltrating data, and so on. A highly targeted, or "weaponised", payload is likely to enumerate ICS devices on the network or attempt to sniff and identify particular ICS related network traffic.

Detecting advanced multi-stage attacks is difficult in IT systems, but approaches towards detection and response for ICS are comparatively less mature. Moreover, attacks discovered in the wild continue to evolve in sophistication. Stopping such attacks demands continual monitoring of the infrastructure and it is difficult to provide operators with targeted security status information in the face of advanced multi-stage ICS threats.

This research aims to develop and test an approach that enhances real-time cyber-security monitoring capabilities for networked ICS environments. The objective is to present information to an operator that is more closely correlated to advanced multi-stage threats, rather than individual alerts, thereby improving the ability of the operator to gauge the current security status of the system.

A threat measurement based approach will be used to investigate how the real-time cyber-security status of an ICS network environment can be measured in terms of an observable threat presence. It is hypothesised that such a status can be appraised by using suitable metrics, which may be derived by analysing, decomposing and modelling known advanced multistage threats. The analysis will target the development of threat models based on a combination of reported ICS attacks and an investigation of future potential advanced threats based on emerging trends in crimeware. A proposed solution will be implemented and tested in a test-bed environment based on a realistic factory automation environment.

Planned Impact

This research will have an impact on the industrial partners who have supported this project. The anticipated outcomes to improve attack detection will be tested in a factory automation environment where the design is specified with input and advice from Airbus. The intention is to make the impact of this research as directly transferable as possible to the real factory environments managed by the Airbus Cyber Security Team. The intended impact is to support the Airbus team in enhancing and understanding advanced ICS attack detection approaches, enabling the research to be directly applied to production environments.

Intended academic beneficiaries particularly include projects and colleagues at the RITICS institute, which also comprises industry and government board members. The results in analysing and modeming attacks, and developing metrics from a detection perspective is intended to impact and inform the research in risk within RITICS, by contributing additional knowledge to those projects. The threat modelling and metrics identified will also enhance the impact the research undertaken in the QUB project CAPRICA, which is part of RITICS, by allowing additional practical analyses to be carried out in the context of the CAPRICA synchrophasor test environment, .

Academic and industry partners in FP7 SPARKS, which focuses on smart grid security, will benefit from the threat analysis carried out by ADAMA and will also provide input in terms of data and knowledge about real ICS environments. The intended results from will complement and the outcomes of SPARKS, and the ability to disseminate the findings of ADAMA via the established dissemination channels of SPARKS, for example through regular workshops. The effect will be to leverage greater dissemination and to provide impact across Europe-wide ICS stakeholders, in terms of shared expertise in state-of-the art attacks and threat models, in particular for electrical distribution operators.

The research outcomes are also expected to contribute towards commercialisation and industrial engagement opportunities undertaken at the Centre for Secure Information Technologies (CSIT). CSIT has a strong history of commercial licensing, knowledge transfer partnerships and spin out ventures initiated from research activities.

Another important expected impact is to enhance the training, knowledge and career opportunities for the Research Assistant to be appointed in the project. Due to the nature and size of the project, it is expected that the RA may be a recent PhD graduate, thus the expected impact will be to provide an excellent career starting opportunity in this important field of research.
Description The project envisaged three key components to study multi-stage cyber attacks against ICS and propose detection methods: 1) Threat Modelling, 2) Derivation of Metrics and Cyber-Sensor Requirements, 3) Test-bed Implementation and Demonstration. A number of new threat modelling approaches have been investigated based on semantics and ontological approaches that aim to map normal models of communications behaviour in ICS networks. These have been successfully demonstrated in the context of Modbus communications [1]. A threat analysis of BlackEnergy malware has also been published to help understand how this could impact emerging smart grid networks [2]. Finally in terms of modelling, an effective but user-friendly approach to modelling threats has been proposed adapting the STRIDE approach, which normally is applied to software, and instead applying it to ICS systems. This STRIDE approach can help ICS operators in a very practical way to identify weaknesses in system security [3]. In terms of the second aspect of the project, metrics have been identifies to help quantifiably measure the security and resilience of an ICS. A set of metrics that focus on cyber-physical aspects of smart grids has been proposed [4, 5] that support better understanding of how resilient a modelled portion of the electric grid may be in the face of ongoing, changing cyber attacks. Additionally a set of cyber metrics have been proposed that assist in the monitoring of the operational and security status of SCADA network protocols widely used in electric grids. These metrics go beyond previously published work that only focuses on standard IT network information and ignores SCADA parameters, thus enabling better monitoring of system interference [6]. Finally, in the third component of the project, a sophisticated evidential network model has been demonstrated that can take sensor information from intrusion detection systems, firewalls, etc, and infer the security status of the system, i.e. predict the likelihood that abnormal sensor readings imply a cyber attack is taking place [7]. Further such publications are anticipated as the project draws to a conclusion in 2018.

[1] Ontology-based approach for malicious behaviour detection in synchrophasor networks
[2] Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid
[3] STRIDE-based threat modeling for cyber-physical systems
[4] A cyber-physical resilience metric for smart grids
[5] Towards a Resilience Metric Framework for Cyber-Physical Systems
[6] Using Application Layer Metrics to Detect Advanced SCADA Attacks
[7] Evidential Network Modeling for Cyber-Physical System State Inference
Exploitation Route It is anticipated that industry partners (Airbus, TES Group, and others) will be able to use the published information to better understand multi-stage attacks against ICS and provide better security for affected infrastructure. It is also anticipated that future knowledge transfer activities will be undertaken to ensure adoption of the findings of the project by partners.
Sectors Aerospace, Defence and Marine,Digital/Communication/Information Technologies (including Software),Electronics,Energy,Manufacturing, including Industrial Biotechology,Security and Diplomacy,Transport

Description New collaborative undertakings with research partners in industry has enabled the identification of several cyber vulnerabilities in ICS routing equipment and point to point communications that may facilitate multi-stage attacks against real-world ICS infrastructure. Working with industry partners and equipment vendors we have established mitigation measures to assist in reducing the risk associated wit the identified vulnerabilities. This has had a real world impact in reducing the cyber risk profile of ICS infrastructure presently in use in the UK and internationally.
First Year Of Impact 2017
Sector Agriculture, Food and Drink,Digital/Communication/Information Technologies (including Software),Energy,Environment,Security and Diplomacy
Impact Types Societal

Description ERIGRID board
Geographic Reach Europe 
Policy Influence Type Membership of a guideline committee
Description Master's materials and projects
Geographic Reach Multiple continents/international 
Policy Influence Type Influenced training of practitioners or researchers
Impact Technical outcomes from the project have been integrated into the module content of a master's module in network security that I deliver, including practical labs exploring network intrusion detection. This benefits the master's students in that they are able to work with the most up to date information and research tools available. Experiments necessary for the project focused on PLCs have also been used as the basis for two master's research projects, ensuring deep technical knowledge of the area is being disseminated to vital future stakeholders in the cyber security sector.
Description TES Group - Water SCADA Security 
Organisation TES Group Ltd
PI Contribution Due to the research being undertaken to investigate multi-stage cyber attacks against ICS infrastructure, my team has started a collaboration with TES Group, a company that integrates water infrastructure for a number of UK and international utilities. Together with TES we have investigated vulnerabilities in communications devices and PLC related technology that is widely used in the water industry. For example, we revealed a vulnerability in wireless network communication devices that are used across the world, that may be exploited as part of a multi-stage attack. As a result TES has worked with the product vendor and end users to mitigate the threat and develop a patch. My team has also recently began investigating novel cloud-based SCADA security monitoring approaches with TES, aimed at their customer base.
Collaborator Contribution Following their initial interest in our research TES has donated water related SCADA, networking, and PLC equipment worth approximately £12,000 to assist our research investigating how cyber attacks can effect equipment and systems that are used in real industrial environments. They have also contributed to multiple workshops to discuss practical cyber security issues in water SCADA systems and facilitated on-site visits, and visits to their equipment suppliers.
Impact Knowledge sharing workshops have provided essential inputs allowng us to publish several papers, including: DOI 10.5220/0006656204180425 and DOI 10.1109/ISGTEurope.2017.8260283 . Furthermore collaborative work led to the discover of a cyber vulnerability in a widely used commercial communications device that will be publicly announced as CVE-2017-11616. This work has impact worldwide, ensuring the vulnerability cannot be exploited by hackers. As this collaboration is still ongoing, and indeed gathering momentum, future outcomes are likely to involve direct collaboration facilitated through a formally funded project.
Start Year 2017
Title IEC 60870-5-104 Testbed Framework 
Description A scalable framework for automatically deploying locally (or remotely) a number of virtual machines which replicate a Process Control Network (PCN). This includes multiple virtual hosts emulating sensors and actuators, with a Human Machine Interface (HMI) to interface with the hosts (Fully standards compliment implementation of IEC 60870-5-104). With future support for other protocols such as Modbus TCP and IEC 61850. It contains a collection of automation scripts which builds and deploys a variable number of virtual machines, pre-configured to act as either an Remote Terminal Unit (RTU) or HMI. This allows researchers to build a testbed which can be configured to replicate real-world deployments. The framework is supported by open source software and is interoperable with all open standards and traditional systems. It is released under GPLv3. 
Type Of Technology Webtool/Application 
Year Produced 2018 
Open Source License? Yes  
Impact The software is only recently released, but the intended impact is to assist future researchers test cyber security solutions for SCADA networks that use the IEC104 protocol, as there is a lack of common test data to compare and enable testing of solutions. The published framework, therefore comprises a flexible platform that can be used for the following purposes: • Packet Generation: When replicating a real-world deployment it is possible to capture packets from many points, unlike a real-world site which is much more limited. • Agent Benchmarking: It is possible to monitor the use of agent based software without causing disruption to a real site. Since the host machines are based on GNU/Linux many agent based monitoring software can be deployed. • Attack Simulation: Developing and testing ICS targeted attacks can be performed on the hosts and network, whilst analysing the consequence and getting full packet capture analysis, without causing any damage. • Extending Limited Hardware: Combining this framework with industrial hardware such a Programmable Logic Controllers (PLCs) can be easily achieved by changing the configuration. This allows for large complex deployments combining multiple protocols and devices to be created and analysed. 
Description ICS conference and workshops at QUB 
Form Of Engagement Activity Participation in an open day or visit at my research institution
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Over four days in August 2016 two workshops and a conference were held at QUB, locally organised and coordinated by Dr Kieran McLaughlin, all focused on ICS cyber security issues. Over the course of the four days approximately 80-90 different people were in attendance from industry and academia to discuss the latest developments in ICS security. At the core of the events was the annual ICS-CSR conference, with technical paper presentations and a formal dinner hosted by Belfast City Hall, where an address was made by the Lord Mayor of Belfast with the Chief Executive and other public figures in attendance. Alongside the conference were two days of workshops, one delivered by external invited guests from industry (Airbus, Limes Security, and others), while the second day of workshops was lead and delivered by QUB. This workshop was predominantly focussed on industry guests, from electricity, water, utilities, etc. and gave practical demonstrations of complex multi-stage cyber attacks in an electric system. This led to a round of discussions and the building of new connections and collaborative relationships.
Year(s) Of Engagement Activity 2016
Description Industry Talk (TES Group) 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact This workshop was intended as a forum for debate and information sharing regarding current concerns about cyber security threats against water treatment plants in the UK, and to discuss technologies and approaches that should be adopted to mitigate such threats. The event was by invitation only and was organised by TES Group, a leader in design and manufacturing of water treatment, switchgear, and SCADA systems throughout the UK. Attendees were primarily end users such as utilities.
Year(s) Of Engagement Activity 2016
Description Prince Charles and media visit 
Form Of Engagement Activity Participation in an open day or visit at my research institution
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Media (as a channel to the public)
Results and Impact A laboratory testbed build to simulate an industrial control system as part of the ADAMA project played a prominent role in the visit of HRH Prince Charles to our facilities in 2016. During this visit Prince Charles, the Secretary of State for Northern Ireland, and accompanying TV and press, were told about the work going on in the project with regards to security for water and electricity systems. This later appeared in a number of broadcasts, and is noted in a BBC report from the time.
Year(s) Of Engagement Activity 2016
Description Security Advisory Board (ERIGRID H2020) 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact The expertise being developed as a result of the ADAMA project, alongside other complimentary EPSRC and EU projects, resulted in an invitation to join the Security Advisory Board of the H2020 EU project ERIGrid (European Research Infrastructure supporting Smart Grid Systems Technology Development, Validation and Roll Out). This role is to provide independent advice with regard to the security implications of work being carried out int he ERIGRID project and to review all project decisions and outputs where security is a factor.
Year(s) Of Engagement Activity 2016,2017