Title: A timing-based covert channel for SCADA networks
Authors: A. Lemay, S. Knight
Venue: 2017 International Conference on Cyber Conflict (CyCon U.S.)
Publication date: 2017-11-01
DOI: 10.1109/CYCONUS.2017.8167507 (https://doi.org/10.1109/CYCONUS.2017.8167507)
Citations: 3
Abstract
Industrial Control Systems (ICS) networks are an increasingly attractive target for attackers. The 2015 Ukraine cyber attack, in which attackers abused the ICS to create a blackout, is a good illustration of this interest. However, to achieve physical effects, attackers must embed themselves deep within the target network, and they must protect that investment by using covert techniques to avoid detection by defenders. This paper explores the problem of highly covert, long-lived command and control channels to gain insight into probable evolution paths for attackers in response to increasing defensive capabilities. In particular, it presents a timing-based covert channel for Modbus that uses interference. An implementation of the channel that uses a network man-in-the-middle to modulate timing is built as a proof of concept of the approach. A performance analysis of the implementation shows that it performs as a low-bandwidth but highly covert command and control channel. Furthermore, an analysis of packet captures from a real production network shows that the approach would be likely to work in a production environment.