Indirect Synchronisation Vulnerabilities in the IEC 60870-5-104 Standard. / Baiocco, Alessio; Wolthusen, Stephen.

Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference. IEEE Press, 2018. p. 1-6.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Published

Standard

Indirect Synchronisation Vulnerabilities in the IEC 60870-5-104 Standard. / Baiocco, Alessio; Wolthusen, Stephen.

Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference. IEEE Press, 2018. p. 1-6.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Harvard

Baiocco, A & Wolthusen, S 2018, Indirect Synchronisation Vulnerabilities in the IEC 60870-5-104 Standard. in Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference. IEEE Press, pp. 1-6. https://doi.org/10.1109/ISGTEurope.2018.8571604

APA

Baiocco, A., & Wolthusen, S. (2018). Indirect Synchronisation Vulnerabilities in the IEC 60870-5-104 Standard. In Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference (pp. 1-6). IEEE Press. https://doi.org/10.1109/ISGTEurope.2018.8571604

Vancouver

Baiocco A, Wolthusen S. Indirect Synchronisation Vulnerabilities in the IEC 60870-5-104 Standard. In Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference. IEEE Press. 2018. p. 1-6. https://doi.org/10.1109/ISGTEurope.2018.8571604

Author

Baiocco, Alessio; Wolthusen, Stephen. / Indirect Synchronisation Vulnerabilities in the IEC 60870-5-104 Standard. Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference. IEEE Press, 2018. pp. 1-6

BibTeX

@inproceedings{902ca8f856e048f7958c360bfb1d8997,
title = "Indirect Synchronisation Vulnerabilities in the IEC 60870-5-104 Standard",
abstract = "Control systems rely on correct causal ordering and typically also on exact times and time relationships between events. For non-trivial systems, this implies synchronisation between distributed components, potentially from sensors and actuators to SCADA hierarchies. Whilst this can be accomplished by point-to-point synchronisation against a common reference such as GNSS (global navigation satellite) signals, common practice and codification in the ISO/IEC 60870-5-104 protocol widely used in the power control domain calls for the Network Time Protocol (NTP). In this paper we therefore describe attack patterns allowing the undetected partial re-play of legitimate messages and injection of messages even in the presence of ISO/IEC 62351 protective measures in a multi-staged attack targeting time synchronisation protocols and specifically the NTP protocol, and resulting in a de-synchronisation between a PLC/RTU and higher-level SCADA components. We demonstrate the feasibility of such attacks in a co-emulation environment.",
author = "Alessio Baiocco and Stephen Wolthusen",
year = "2018",
doi = "10.1109/ISGTEurope.2018.8571604",
language = "English",
pages = "1--6",
booktitle = "Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference",
publisher = "IEEE Press",
}

RIS

TY - GEN

T1 - Indirect Synchronisation Vulnerabilities in the IEC 60870-5-104 Standard

AU - Baiocco, Alessio

AU - Wolthusen, Stephen

PY - 2018

Y1 - 2018

N2 - Control systems rely on correct causal ordering and typically also on exact times and time relationships between events. For non-trivial systems, this implies synchronisation between distributed components, potentially from sensors and actuators to SCADA hierarchies. Whilst this can be accomplished by point-to-point synchronisation against a common reference such as GNSS (global navigation satellite) signals, common practice and codification in the ISO/IEC 60870-5-104 protocol widely used in the power control domain calls for the Network Time Protocol (NTP). In this paper we therefore describe attack patterns allowing the undetected partial re-play of legitimate messages and injection of messages even in the presence of ISO/IEC 62351 protective measures in a multi-staged attack targeting time synchronisation protocols and specifically the NTP protocol, and resulting in a de-synchronisation between a PLC/RTU and higher-level SCADA components. We demonstrate the feasibility of such attacks in a co-emulation environment.

AB - Control systems rely on correct causal ordering and typically also on exact times and time relationships between events. For non-trivial systems, this implies synchronisation between distributed components, potentially from sensors and actuators to SCADA hierarchies. Whilst this can be accomplished by point-to-point synchronisation against a common reference such as GNSS (global navigation satellite) signals, common practice and codification in the ISO/IEC 60870-5-104 protocol widely used in the power control domain calls for the Network Time Protocol (NTP). In this paper we therefore describe attack patterns allowing the undetected partial re-play of legitimate messages and injection of messages even in the presence of ISO/IEC 62351 protective measures in a multi-staged attack targeting time synchronisation protocols and specifically the NTP protocol, and resulting in a de-synchronisation between a PLC/RTU and higher-level SCADA components. We demonstrate the feasibility of such attacks in a co-emulation environment.

U2 - 10.1109/ISGTEurope.2018.8571604

DO - 10.1109/ISGTEurope.2018.8571604

M3 - Conference contribution

SP - 1

EP - 6

BT - Proceedings of the 2018 IEEE PES Innovative Smart Grid Technologies Conference

PB - IEEE Press

ER -