On the Detection of Replay Attacks in Industrial Automation Networks Operated with Profinet IO

Steffen Pfrang, David Meier

2017

Abstract

Modern industrial facilities consist of controllers, actuators and sensors that are connected via traditional IT equipment. The ongoing integration of these systems into the communication network yields to new threats and attack possibilities. In industrial networks, often distinct communication protocols like Profinet IO (PNIO) are used. These protocols are often not supported by typical network security tools. In this paper, we present two attack techniques that allow to take over the control of a PNIO device, enabling an attacker to replay formerly recorded traffic. We model attack detection rules and propose an intrusion detection system (IDS) for industrial networks which is capable of detecting those replay attacks by correlating alerts from traditional IT IDS with specific PNIO alarms. Thereafter, we evaluate our IDS in a physical demonstrator and compare it with another IDS dedicated to securing PNIO networks.

References

  1. A°kerberg, J. and Björkman, M. (2009a). Exploring network security in profisafe. In International Conference on Computer Safety, Reliability, and Security, pages 67- 80. Springer.
  2. A°kerberg, J. and Bj örkman, M. (2009b). Exploring security in profinet io. In Proceedings of the 2009 33rd Annual IEEE International Computer Software and Applications Conference - Volume 01, COMPSAC 7809, pages 406-412, Washington, DC, USA. IEEE Computer Society.
  3. A°kerberg, J. and Björkman, M. (2009c). Introducing security modules in profinet io. In 2009 IEEE Conference on Emerging Technologies & Factory Automation, pages 1-8. IEEE.
  4. Baud, M. and Felser, M. (2006). Profinet io-device emulator based on the man-in-the-middle attack. In ETFA, pages 437-440.
  5. Biondi, P. (2010). Scapy documentation. http://www.secdev.org/projects/scapy/doc/. [Online; accessed 08-December-2016].
  6. Claise, B. (2015). Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information. RFC 5101.
  7. Ferrari, P., Flammini, A., and Vitturi, S. (2006). Performance analysis of profinet networks. Computer standards & interfaces, 28(4):369-385.
  8. Fullmer, M. and Romig, S. (2000). The osu flowtools package and cisco netoflw logs. In Proceedings of the 2000 USENIX LISA Conference.
  9. Haag, P. (2005). Watch your flows with nfsen and nfdump. In 50th RIPE Meeting.
  10. HMS Industrial Networks (2016a). Feldbusse heute. http://www.feldbusse.de/trends/statusfeldbusse.shtml. [Online; accessed 08-December2016].
  11. HMS Industrial Networks (2016b). Variantenvielfalt bei Kommunikationssystemen. http://www.feldbusse.de/Trends/trends.shtml. [Online; accessed 08-December-2016].
  12. IEC 61158-6-10 (2007). Industrial communication networks - Fieldbus specifications - Part 6-10: Application layer protocol specification - Type 10 elements. Standard, International Electrotechnical Commission, Geneva, CH.
  13. McHugh, J. (2004). Sets, bags, and rock and roll. In European Symposium on Research in Computer Security, pages 407-422. Springer.
  14. McLaughlin, S., Konstantinou, C., Wang, X., Davi, L., Sadeghi, A.-R., Maniatakos, M., and Karri, R. (2016). The Cybersecurity Landscape in Industrial Control Systems. Proceedings of the IEEE, 104(5):1039- 1057.
  15. Mo, Y. and Sinopoli, B. (2009). Secure control against replay attacks. In Communication, Control, and Computing, 2009. Allerton 2009. 47th Annual Allerton Conference on, pages 911-918. IEEE.
  16. Paul, A., Schuster, F., and Knig, H. (2013). Towards the Protection of Industrial Control Systems: Conclusions of a Vulnerability Analysis of Profinet IO. In Proceedings of the 10th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA'13, pages 160-176, Berlin, Heidelberg. Springer-Verlag.
  17. Popp, M. (2014). Industrial Communication with PROFINET. PROFIBUS Nutzerorganisation e.V., Karlsruhe.
  18. Roesch, M. et al. (1999). Snort: Lightweight intrusion detection for networks. In LISA, volume 99, pages 229- 238.
Download


Paper Citation


in Harvard Style

Pfrang S. and Meier D. (2017). On the Detection of Replay Attacks in Industrial Automation Networks Operated with Profinet IO . In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017) ISBN 978-989-758-209-7, pages 683-693. DOI: 10.5220/0006288106830693


in Bibtex Style

@conference{forse17,
author={Steffen Pfrang and David Meier},
title={On the Detection of Replay Attacks in Industrial Automation Networks Operated with Profinet IO},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017)},
year={2017},
pages={683-693},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006288106830693},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017)
TI - On the Detection of Replay Attacks in Industrial Automation Networks Operated with Profinet IO
SN - 978-989-758-209-7
AU - Pfrang S.
AU - Meier D.
PY - 2017
SP - 683
EP - 693
DO - 10.5220/0006288106830693