Indirect Synchronisation Vulnerabilities in the IEC 60870-5-104 Standard. / Wolthusen, Stephen; Baiocco, Alessio.
Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference. IEEE Press, 2018. p. 1.Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
Forthcoming
Abstract
Control systems rely on correct causal ordering and
typically also on exact times and time relationships between
events. For non-trivial systems, this implies synchronisation
between distributed components, potentially from sensors and
actuators to SCADA hierarchies. Whilst this can be accomplished
by point-to-point synchronisation against a common reference
such as GNSS (global navigation satellite) signals, common
practice and codification in the ISO/IEC 60870-5-104 protocol
widely used in the power control domain calls for the Network
Time Protocol (NTP).
In this paper we therefore describe attack patterns allowing the
undetected partial re-play of legitimate messages and injection
of messages even in the presence of ISO/IEC 62351 protective
measures in a multi-staged attack targeting time synchronisation
protocols and specifically the NTP protocol, and resulting in a
de-synchronisation between a PLC/RTU and higher-level SCADA
components. We demonstrate the feasibility of such attacks in a
co-emulation environment.
typically also on exact times and time relationships between
events. For non-trivial systems, this implies synchronisation
between distributed components, potentially from sensors and
actuators to SCADA hierarchies. Whilst this can be accomplished
by point-to-point synchronisation against a common reference
such as GNSS (global navigation satellite) signals, common
practice and codification in the ISO/IEC 60870-5-104 protocol
widely used in the power control domain calls for the Network
Time Protocol (NTP).
In this paper we therefore describe attack patterns allowing the
undetected partial re-play of legitimate messages and injection
of messages even in the presence of ISO/IEC 62351 protective
measures in a multi-staged attack targeting time synchronisation
protocols and specifically the NTP protocol, and resulting in a
de-synchronisation between a PLC/RTU and higher-level SCADA
components. We demonstrate the feasibility of such attacks in a
co-emulation environment.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference |
| Publisher | IEEE Press |
| Pages | 1 |
| Number of pages | 6 |
| State | Accepted/In press - 21 May 2018 |
ID: 30300947