Talk at Defcon Toronto
Notes
- Practical attacks on power systems
- Cyber-physical system:
- Attacks that happen on the cyber side result in a physical consequence (Stuxnet is the most famous example)
- Agenda:
- American power systems are older than Chinese ones
- The people who operate power systems are not tech-savvy
- CPPS-SEC Lab:
- Key terms:
- Baseline operation:
- The power system operator sees two terminals:
- Power flow terminal - power flow solved from the non-linear power flow equations; active and reactive power are computed from demand and the generation response
- Control panel terminal - many control systems
- Baselines established during normal operation:
- Baseline power draw
- Baselines for the transmission lines
- The operator sees two parameters per bus:
- Voltage amplitude (magnitude) and angle
- View of the physical characteristics (uses MQTT to monitor edge devices and Modbus for legacy control)
- First attack: MQTT takeover - the attacker compromises edge devices and uses MQTT commands to shut down generation at the source
- The MQTT broker can allow anonymous access
- Old systems have no authentication
- The attacker targets the broker and shuts down generation points in the grid
- DER setpoint manipulation
- Physical response to the MQTT takeover: the data bus throughput decreased
- The operator sees nothing on their side; they cannot tell why this is happening because of the lack of monitoring
- This MQTT attack applies to distributed energy systems where an MQTT broker is required
- Second attack: Modbus TCP command injection
- The attacker changes three holding registers on the PLC
- Target is the demand endpoint (the load control system endpoint)
- FC3 (Read Holding Registers) used to enumerate the registers
- FC6 (Write Single Register) used for the command injection, one write per register for the three registers
- This attack is specifically for increasing load and demand
- The load increase causes a voltage drop
- The operator sees nothing on the HMI
- A network IDS will see all of this, since Modbus/TCP writes are unauthenticated plaintext on the wire
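The FC3 enumeration followed by FC6 writes is exactly the pattern a network IDS can catch. The block below is an added example, not code from the talk: it builds and parses Modbus/TCP frames (7-byte MBAP header plus PDU) and runs a simple allow-list rule over a constructed capture in which the HMI behaves normally and a second host enumerates holding registers and then rewrites three of them. All IP addresses, register addresses and values are made up for the illustration.

```python
import struct

# Function codes that change process state; FC6 is the one used in the talk's
# second attack to rewrite the PLC's three load-control registers.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


def build_adu(transaction_id, unit_id, function_code, data):
    """Modbus/TCP ADU: MBAP header (tid, protocol 0, length, unit id) followed by the PDU."""
    pdu = bytes([function_code]) + data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def fc3_read_holding(tid, unit, start, quantity):
    return build_adu(tid, unit, 3, struct.pack(">HH", start, quantity))


def fc6_write_single(tid, unit, address, value):
    return build_adu(tid, unit, 6, struct.pack(">HH", address, value))


def parse_adu(frame):
    """Parse a Modbus/TCP request into a dict; raises on a malformed MBAP header."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    fc = frame[7]
    rec = {"tid": tid, "unit": unit, "fc": fc}
    if fc in (1, 2, 3, 4):
        rec["start"], rec["quantity"] = struct.unpack(">HH", frame[8:12])
    elif fc in (5, 6):
        rec["address"], rec["value"] = struct.unpack(">HH", frame[8:12])
    elif fc == 16:
        rec["start"], rec["quantity"] = struct.unpack(">HH", frame[8:12])
        count = frame[12]
        rec["values"] = list(struct.unpack(">%dH" % (count // 2), frame[13:13 + count]))
    return rec


def detect(packets, allowed_hosts):
    """Allow-list rule: any write, or any read sweep, from a host that is not a
    known master is an alert. packets is an iterable of (src_ip, dst_ip, frame)."""
    alerts = []
    for src, dst, frame in packets:
        rec = parse_adu(frame)
        if src in allowed_hosts:
            continue
        if rec["fc"] in WRITE_FUNCTIONS:
            alerts.append({
                "kind": "unauthorized_write", "src": src, "dst": dst,
                "function": WRITE_FUNCTIONS[rec["fc"]],
                "address": rec.get("address", rec.get("start")),
                "value": rec.get("value", rec.get("values")),
            })
        elif rec["fc"] in READ_FUNCTIONS:
            alerts.append({
                "kind": "register_enumeration", "src": src, "dst": dst,
                "function": READ_FUNCTIONS[rec["fc"]],
                "start": rec["start"], "quantity": rec["quantity"],
            })
    return alerts


# Constructed capture (made-up addresses): the HMI polls and writes normally,
# then an unknown host sweeps holding registers with FC3 and rewrites three
# registers with FC6, one write each.
PLC, HMI, ATTACKER = "10.0.0.10", "10.0.0.5", "10.0.0.99"
CAPTURE = [
    (HMI, PLC, fc3_read_holding(1, 1, 0, 10)),
    (HMI, PLC, fc6_write_single(2, 1, 40, 500)),
    (ATTACKER, PLC, fc3_read_holding(1, 1, 0, 125)),
    (ATTACKER, PLC, fc6_write_single(2, 1, 40, 9000)),
    (ATTACKER, PLC, fc6_write_single(3, 1, 41, 9000)),
    (ATTACKER, PLC, fc6_write_single(4, 1, 42, 9000)),
]


def run_demo():
    return detect(CAPTURE, allowed_hosts={HMI})


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The rule fires on the wire regardless of what the HMI shows, which is the point made above: the PLC accepts the writes because Modbus has no notion of an authorized master, so the only place to enforce one is a monitor that knows which hosts are supposed to write.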
- Third attack: false data injection attack (FDIA) - similar to what happened with Stuxnet
- We blind the system
- Every time the power flow is calculated, we attack the system at its sensors; the state estimation does not compute what is actually happening because it never receives real information
- This causes the control system to fail
- Stuxnet echo: Stuxnet was injected via USB
- Can be executed via a PMU or other sensors
- The system is blind to this
- The power flow calculation for the state estimator is the brain of the operation; if it is corrupted there is a ripple effect through the rest of the system
- ICS detection rules are blind to FDIA
- HMI replay hides this data
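Why detection rules are blind to a well-formed FDIA is worth seeing numerically. The block below is an added example, not from the talk or the lab: a constructed 3-bus DC state estimator (all line reactances 1 p.u., bus 1 as angle reference, five power measurements) with the usual residual-based bad data detector. A naive injection into one sensor spikes the residual and is caught; an injection built as a = Hc, the classic construction from the FDIA literature, shifts the estimated state by exactly c while leaving the residual unchanged, so the detector never fires. The true state, noise vector and threshold are assumptions chosen for the illustration.

```python
# Constructed 3-bus DC power-flow model. State x = [theta2, theta3] (bus 1 is the
# reference, theta1 = 0). Each row of H maps the state to one measurement.
H = [
    [-1.0,  0.0],   # P12 = theta1 - theta2
    [ 0.0, -1.0],   # P13 = theta1 - theta3
    [ 1.0, -1.0],   # P23 = theta2 - theta3
    [ 2.0, -1.0],   # P2  = P21 + P23 (net injection at bus 2)
    [-1.0,  2.0],   # P3  = P31 + P32 (net injection at bus 3)
]


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def transpose(M):
    return [list(col) for col in zip(*M)]


def matmul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]


def inv2(M):
    """Inverse of a 2x2 matrix (enough for a two-state example)."""
    (a, b), (c, d) = M
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]


def estimate_state(z):
    """Least-squares DC state estimate x_hat = (H^T H)^-1 H^T z."""
    Ht = transpose(H)
    gain = inv2(matmul(Ht, H))
    return matvec(gain, matvec(Ht, z))


def residual_norm(z):
    """||z - H x_hat||, the statistic a residual-based bad data detector thresholds."""
    fitted = matvec(H, estimate_state(z))
    return sum((zi - fi) ** 2 for zi, fi in zip(z, fitted)) ** 0.5


def bad_data_flag(z, threshold):
    return residual_norm(z) > threshold


def inject(z, a):
    """Add an attack vector a to the measurement vector z."""
    return [zi + ai for zi, ai in zip(z, a)]


def stealthy_attack(c):
    """FDIA vector a = H c: consistent with the model, so the residual is unchanged
    and the estimator reports x_hat + c instead of x_hat."""
    return matvec(H, c)


# Assumed operating point and sensor noise (constructed values).
TRUE_STATE = [-0.05, -0.10]
NOISE = [0.002, -0.001, 0.0015, -0.002, 0.001]
Z_CLEAN = inject(matvec(H, TRUE_STATE), NOISE)
THRESHOLD = 0.01


def run_demo():
    naive = inject(Z_CLEAN, [0.5, 0.0, 0.0, 0.0, 0.0])       # tamper with P12 only
    stealthy = inject(Z_CLEAN, stealthy_attack([0.1, 0.2]))  # coordinated a = Hc
    return {
        "clean": (estimate_state(Z_CLEAN), residual_norm(Z_CLEAN), bad_data_flag(Z_CLEAN, THRESHOLD)),
        "naive": (estimate_state(naive), residual_norm(naive), bad_data_flag(naive, THRESHOLD)),
        "stealthy": (estimate_state(stealthy), residual_norm(stealthy), bad_data_flag(stealthy, THRESHOLD)),
    }


if __name__ == "__main__":
    for name, (x_hat, r, flagged) in run_demo().items():
        print("%-8s x_hat=%s residual=%.4f flagged=%s" % (name, [round(v, 4) for v in x_hat], r, flagged))
```

The attacker needs H, i.e. the topology and line parameters, and needs to corrupt every sensor that the attacked states touch, which is why the talk pairs the FDIA with the earlier device compromises rather than running it alone. It is also why single-sensor sanity rules do not help: each corrupted measurement is individually plausible and jointly consistent with the model.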
- Full chain attack: DER + FDIA + measurement replay
- First, find the MQTT protocol on the edge devices
- Second, attack the control systems via Modbus TCP register writes
- Third, inject false data into the sensor measurements (FDIA)
- Leads to full collapse of the system
- If the operator could actually see what is happening they could shed load, but the FDIA feeds false data so the operator cannot see it
- The first attack can actually be spotted from network logs
- Conclusion: most protocols used in ICS are still based on trust; many attack surfaces remain open
- Detection requires cross-layer correlation
- Many ML-based FDIA detection tools are being created
- Power systems in Canada: not many DCS, not much IoT - smaller attack surface
- DER - e.g. OPG, legacy systems
- Hydro One does not want to adopt more technology - this leaves them defenseless
- China already has double the energy it usually needs, for data centers
- Blockchain used for logging in distributed systems (OCPP) - charging systems
- IoT used everywhere in China is a lot better - far more data, far more control
- ECC conference in July