
Covert Communication Risks in Industrial Control Systems from the Security Perspective of Military Industrial Enterprises

Judging from network security exercises in recent years, industrial control systems (ICS) are commonly "running sick" (operating with known defects), are highly vulnerable to attack, and a compromise can have major consequences. Hostile forces have long mounted sustained attacks on industrial control systems, mainly by planting hidden backdoors in advance, implanting hardware trojans and attacking across network boundaries, and then monitoring and attacking non-networked computers and key equipment. They avoid exposing their real target, the industrial control system, so that an attack on the system at a critical moment remains sudden and covert.

Covert communication techniques are usually employed to evade network censorship or to protect data confidentiality; they carry data through parts of the network that are not normally monitored or analysed. Research on covert communication at home and abroad has produced many results, concentrated mainly on the principles of covert channels and on methods for detecting them. Research on covert communication risks in industrial control systems, however, is still in its infancy, and research on covert channels built on industrial control protocols, and on methods for detecting them, has not yet yielded systematic theoretical or practical results.

Starting from the current state of ICS security protection in military industrial enterprises, this article analyses the covert communication risks present in industrial control systems and proposes priority directions for future research.

I. Security protection risks

The Stuxnet incident of 2010 raised the security of industrial control systems to unprecedented prominence, and China has since issued a number of policy documents and standards on ICS information security. Under national policy and industry guidance, China's ICS security protection capability has made some progress, but it still faces many challenges.

1. Uneven security protection

In 2011 the Ministry of Industry and Information Technology issued the Notice on Strengthening Information Security Management of Industrial Control Systems (《关于加强工业控制系统信息安全管理的通知》). Since then, ICS security regulations, policy guidance documents and industry standards have been issued one after another. In 2022 the Standardization Administration of China and the National Information Security Standardization Technical Committee respectively issued "Information security technology: Guidelines for cybersecurity protection of important industrial control systems" (《信息安全技术 重要工业控制系统网络安全防护导则》) and "Information security technology: Security protection technical requirements and test evaluation methods for industrial control systems" (《信息安全技术 工业控制系统安全防护技术要求和测试评价方法》). Individual industries, according to how their own industrial control systems are designed, built and operated, have also issued industry-specific ICS policies and standards to guide construction, operation and maintenance. However, each industry understands ICS security protection differently, which leads to large differences in how protection policies and standard systems are drafted and interpreted, and protection capability is correspondingly uneven.

2. Defects in security design

When designing and producing industrial control equipment (hereafter "ICS equipment"), manufacturers focus on stability, reliability and functionality and give little consideration to the equipment's security protection capability. Staff at the operating organisation do not understand the technical principles of the equipment and do not master its core technology, so they can hardly tell whether it contains threats such as backdoors or vulnerabilities. At the same time, ICS equipment is custom-developed for specific customer requirements and is tightly matched to the production process; it is therefore non-standard and special-purpose, general security products such as anti-virus software cannot be installed on it uniformly, and it lacks effective defences against malicious code. Because industrial software development cannot avoid using open-source components, large-scale software supply chain incidents triggered by open-source vulnerabilities have continued to occur in recent years, including organised "poisoning" incidents in which code was deliberately and maliciously modified.

3. Large hidden risks in imported equipment

Some organisations rely mainly on imported ICS equipment, and imported equipment usually retains a dedicated data interface for remote assisted operation and maintenance. When procuring and using imported equipment and software, operating organisations often do not perform the necessary security testing on these dedicated interfaces, cannot effectively screen for covert communication backdoors that may be hidden in them, and therefore face a risk of data leakage. For example, devices and components such as Cisco routers and Intel Pentium 3 processors have been shown to contain security vulnerabilities and backdoors.

4. Security products are hard to adapt

Some organisations try to raise ICS security by deploying traditional security products such as anti-virus and behaviour auditing in industrial control systems, but these products are often unsuited to the ICS operating environment and suffer from false positives that block legitimate processes, compatibility problems, and virus databases that cannot be updated in real time. New ICS security products lack unified standards and specifications, so many of them are merely simple adaptations of existing network security products and cannot effectively solve real ICS problems such as protecting dedicated communication interfaces and dedicated communication protocols. ICS information security construction also tends to emphasise the network layer and neglect the device layer, lacking technical protection measures for the ICS equipment itself. In addition, industrial control systems have long construction and service lifetimes; a large number of ageing systems are fragile, and the operating systems and firmware of ICS equipment commonly show "running sick" symptoms such as outdated versions, numerous vulnerabilities and patches that are hard to apply. Security retrofitting of ageing ICS equipment remains a major difficulty.

5. Shortage of professional staff

ICS operation and maintenance lacks an adequate team of specialists; in some organisations ICS operation and maintenance is handled part-time by information system administrators, and only a small proportion of staff have received systematic ICS security training. The number of people with combined expertise in industrial control systems and security protection falls far short of what current ICS security protection demands.

II. Analysis of covert communication risks

Industrial control systems are widely used in petrochemicals, electric power and energy, national defence and other sectors; they form an important part of national critical information infrastructure and have become a major target for attack and sabotage by malicious actors. ICS are characterised by strict real-time requirements and a high proportion of proprietary protocols, and their design and production focus on stability, reliability and functionality. As a result they lack an overall security protection plan and suffer from problems such as plaintext transmission of communication data, weak passwords, and difficulty identifying and patching vulnerabilities.

Covert communication is the technique of hiding and transferring data through protocols or traffic whose purpose is not to carry that information. Using covert communication to evade traditional defensive systems has become a trend in the information field, and if malicious actors apply this trend to industrial control systems it will cause enormous economic and human losses. To address the potential information leakage, malicious attacks and other hazards that covert communication brings to industrial control systems, this article analyses the covert communication risks in ICS.

1. Covert communication risks in industrial Ethernet

Industrial Ethernet is a distributed real-time control communication network built on the IEEE 802.3 family of standards and TCP/IP. To allow ICS components from different vendors to be combined, ICS networks increasingly use standard protocols such as Modbus, S7Comm and OPC. Standard protocols usually contain no security mechanisms against covert communication, so an attacker who installs a pre-designed module on ICS equipment can easily modify communication contents or embed extra messages using information-hiding techniques.

Modbus is a serial communication protocol widely used in industrial control systems. It defines no authentication, encryption or authorisation mechanism and is therefore easy for attackers to exploit. An attacker can achieve covert communication by modifying fields of a Modbus message such as the function code, data field or exception code, or by inserting extra data into the message. For example, a covert channel built on the Modbus exception code field can transmit information of arbitrary length without affecting normal communication.

S7Comm is the protocol used for communication between Siemens S7-series programmable logic controllers (PLCs), or between PLCs and PC stations. It likewise provides no effective security protection mechanism and is easy for attackers to exploit. An attacker can achieve covert communication by modifying fields of an S7 message such as parameters, data blocks or variables, or by inserting extra data into the message. For example, a covert channel built on the S7 parameter field can transmit information of arbitrary length without affecting normal communication.

OPC is a standardised protocol for exchanging data and commands between different devices in an industrial control system; it is implemented on TCP/IP and COM/DCOM technology. OPC also has security problems such as the lack of authentication, encryption and integrity checks, and is therefore easy for attackers to exploit. An attacker can achieve covert communication by modifying fields of an OPC message such as the tag name, value or timestamp, or by inserting extra data. For example, a covert channel built on the OPC tag name field can transmit information of arbitrary length without affecting normal communication. Because industrial Ethernet covert channels fully conform to the characteristics and requirements of the legitimate protocol, off-the-shelf intrusion detection systems (IDS) will have great difficulty detecting the altered messages.
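As an added, defender-side illustration of the industrial Ethernet section above (example code, not from the article): a conformance check that parses Modbus/TCP frames and flags the structural deviations a covert channel built on the exception code field would have to introduce, such as undefined exception codes, extra bytes after an exception code, or an MBAP length that disagrees with the payload. It assumes Modbus/TCP framing (MBAP header followed by the PDU) and the exception code set from the Modbus application protocol specification; the expected function-code set and all frame bytes are constructed for the example, not captured traffic.

```python
"""Structural conformance checks for Modbus/TCP frames.

Added example for the industrial Ethernet discussion; not code from the
article. Frame bytes and the expected function-code set are constructed.
"""
import struct
from dataclasses import dataclass

# Exception codes defined by the Modbus Application Protocol specification.
MODBUS_EXCEPTION_CODES = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x0A, 0x0B}

# Function codes the monitored segment is expected to carry. This set is an
# assumption for the example; a deployment derives it from its own baseline.
EXPECTED_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16, 23}


@dataclass(frozen=True)
class Finding:
    frame_index: int
    reason: str


def check_modbus_tcp_frame(index: int, frame: bytes) -> list[Finding]:
    """Return every way one Modbus/TCP frame deviates from the protocol's
    structure. Each deviation is a candidate carrier for hidden data."""
    findings: list[Finding] = []
    if len(frame) < 8:
        return [Finding(index, "frame shorter than MBAP header plus function code")]

    # MBAP header: transaction id, protocol id (always 0), length, unit id.
    _transaction_id, protocol_id, length, _unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        findings.append(Finding(index, f"protocol id {protocol_id} is not 0"))
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    actual = len(frame) - 6
    if length != actual:
        findings.append(Finding(index, f"MBAP length {length} != {actual} bytes present"))

    function_code = frame[7]
    pdu_rest = frame[8:]
    if function_code & 0x80:
        # Exception response: exactly one byte (the exception code) follows.
        base_code = function_code & 0x7F
        if base_code not in EXPECTED_FUNCTION_CODES:
            findings.append(Finding(index, f"exception for unexpected function code {base_code}"))
        if len(pdu_rest) != 1:
            findings.append(Finding(index, f"exception response carries {len(pdu_rest)} bytes, expected 1"))
        elif pdu_rest[0] not in MODBUS_EXCEPTION_CODES:
            findings.append(Finding(index, f"undefined exception code 0x{pdu_rest[0]:02X}"))
    elif function_code not in EXPECTED_FUNCTION_CODES:
        findings.append(Finding(index, f"unexpected function code {function_code}"))
    return findings


def scan_frames(frames: list[bytes]) -> list[Finding]:
    """Run the check over a list of frames and collect all findings."""
    out: list[Finding] = []
    for i, frame in enumerate(frames):
        out.extend(check_modbus_tcp_frame(i, frame))
    return out


# Constructed sample frames (MBAP header + PDU), not captured traffic.
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0005 01 03 02 002A"),        # 0: normal read-holding-registers reply
    bytes.fromhex("0002 0000 0003 01 83 02"),             # 1: legitimate exception (illegal data address)
    bytes.fromhex("0003 0000 0003 01 83 4D"),             # 2: exception code 0x4D is not defined
    bytes.fromhex("0004 0000 0006 01 83 02 DEADBE"),      # 3: extra bytes after the exception code
    bytes.fromhex("0005 0000 0005 01 03 02 002A FF"),     # 4: MBAP length disagrees with payload
]

if __name__ == "__main__":
    for finding in scan_frames(SAMPLE_FRAMES):
        print(f"frame {finding.frame_index}: {finding.reason}")
```

A rule of this kind complements baselining rather than replacing it: a channel that uses only defined exception codes inside well-formed frames passes every check above and can only be noticed statistically, for instance through an exception rate far above the site's normal for a given slave and function code.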

2. Covert communication risks from USB masquerading

USB masquerading is a common covert communication technique. It exploits the characteristics of USB devices to disguise a device as another type of device, such as a keyboard, mouse or camera, so as to bypass the system's security checks and transfer data covertly.

For example, a USB device can pose as a keyboard and send encrypted data to the target machine by simulating keystrokes, or it can pose as a camera and send data embedded in images to the target machine by simulating a video stream.

USB masquerading is hard to discover, hard to block and hard to analyse. Because the device masquerades as a common peripheral, people can hardly recognise its true nature from its appearance or from what the system reports. Because it connects directly to the target machine, network-level monitoring and firewalls cannot effectively block its communication. Moreover, the device can use various encryption or steganography techniques to hide its data, so its communication content cannot be analysed by packet-type analysis or content inspection alone.

USB masquerading exposes users to significant risks of information leakage, network attack and physical damage. An attacker can use it to steal sensitive information such as passwords and files from the target machine and send them to a remote server or another device; to implant malicious code such as trojans, backdoors or ransomware and then remotely control or sabotage the machine; or to send malicious commands such as formatting storage, deleting files or shutting down the system, causing physical damage or data loss.
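An added example for the USB masquerading discussion above (not code from the article): enrolment-based USB device control of the kind implemented by host tools such as USBGuard. A device is allowed only if its vendor id, product id and serial were enrolled and the interface classes it presents match the enrolment record, which is what catches an enrolled "keyboard" that suddenly also enumerates as mass storage or a network adapter. The vendor and product ids, serials, class constants and device records are constructed for the example.

```python
"""Enrolment-based allowlist check for USB devices.

Added example for the USB masquerading discussion; not code from the
article. Device records and the allowlist are constructed and mimic what a
host reads from device and interface descriptors during enumeration.
"""
from dataclasses import dataclass

# USB interface class codes (USB-IF base class assignments).
CLASS_CDC = 0x02            # communications, e.g. a virtual network adapter
CLASS_HID = 0x03            # keyboards, mice
CLASS_MASS_STORAGE = 0x08
CLASS_VIDEO = 0x0E          # cameras

# Classes that let a device inject input or move bulk data. A device whose
# enrolled role does not include them should never start exposing them.
HIGH_RISK_CLASSES = {CLASS_HID, CLASS_MASS_STORAGE, CLASS_CDC}


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: frozenset  # one class code per interface enumerated


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def evaluate(device: UsbDevice, allowlist: dict) -> Verdict:
    """Allow a device only if (VID, PID, serial) was enrolled and the
    interfaces it presents now are exactly those recorded at enrolment."""
    key = (device.vendor_id, device.product_id, device.serial)
    enrolled = allowlist.get(key)
    if enrolled is None:
        return Verdict(False, "device not enrolled")
    extra = device.interface_classes - enrolled
    missing = enrolled - device.interface_classes
    risky = extra & HIGH_RISK_CLASSES
    if risky:
        names = ", ".join(f"0x{c:02X}" for c in sorted(risky))
        return Verdict(False, f"enrolled device now exposes high-risk interface class(es) {names}")
    if extra or missing:
        return Verdict(False, "interface set differs from enrolment record")
    return Verdict(True, "matches enrolment record")


def evaluate_all(devices: list, allowlist: dict) -> list:
    return [evaluate(d, allowlist) for d in devices]


# Constructed allowlist: identity -> interface classes seen at enrolment.
ALLOWLIST = {
    (0x1234, 0x0001, "KB-000123"): frozenset({CLASS_HID}),     # plant keyboard
    (0x1234, 0x0002, "CAM-00077"): frozenset({CLASS_VIDEO}),   # inspection camera
}

# Constructed enumeration results.
SAMPLE_DEVICES = [
    UsbDevice(0x1234, 0x0001, "KB-000123", frozenset({CLASS_HID})),
    # Keyboard identity, but now also presents storage and a network interface.
    UsbDevice(0x1234, 0x0001, "KB-000123", frozenset({CLASS_HID, CLASS_MASS_STORAGE, CLASS_CDC})),
    # Camera identity, now a HID (keystroke injector) as well.
    UsbDevice(0x1234, 0x0002, "CAM-00077", frozenset({CLASS_VIDEO, CLASS_HID})),
    UsbDevice(0xABCD, 0x9999, "UNKNOWN-1", frozenset({CLASS_HID})),
]

if __name__ == "__main__":
    for dev, verdict in zip(SAMPLE_DEVICES, evaluate_all(SAMPLE_DEVICES, ALLOWLIST)):
        action = "ALLOW" if verdict.allowed else "BLOCK"
        print(f"{dev.vendor_id:04x}:{dev.product_id:04x} {dev.serial}: {action} ({verdict.reason})")
```

Vendor id, product id and serial are reported by the device itself and can be cloned, so this check raises the bar rather than proving identity; what it reliably catches is the masquerade pattern the section describes, an enrolled identity that presents interfaces its role never needed.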

3. Electromagnetic covert communication risks

Electromagnetic covert communication relies mainly on a wireless air interface to carry information, and the transmission process inevitably carries a risk of electromagnetic leakage. Under attacks such as strong external electromagnetic interference or maliciously installed electromagnetic trojans, it can break through the limits of traditional physical isolation and network transmission, paralysing the ICS or even burning out core production equipment. Electromagnetic covert communication risks in industrial control systems mainly take the following three forms.

(1) A wireless transmitter is implanted or concealed in equipment. Such a device is highly integrated, hard to discover and able to transmit Wi-Fi and Bluetooth signals; when the time is ripe it transmits important information outward. For instance, once a wireless transceiver is maliciously added to office automation equipment connected to ICS equipment, important information can be leaked to the outside. Likewise, the publicly exposed RAGEMASTER, PHOTOANGLO and Cottonmouth-series tools used by the US National Security Agency in operations such as DROPMIRE all rely on concealed wireless transmitters to steal core ICS data.

(2) The attacker receives the electromagnetic leakage emitted by the electronic components of equipment, network cabling, computer terminals and so on while they are operating, demodulates it to recover the signal content, and steals important ICS data.

(3) A function (or interface) is pre-installed in key ICS equipment at the factory, or malicious electromagnetic trojan software is installed. A wireless signal transmitted by the electromagnetic trojan activates the pre-installed function, which can not only steal the ICS's key core information but also damage equipment functions and even paralyse the entire industrial control system.

4. Power line covert communication risks

Power line communication transmits data over electrical power lines to connect and control Internet of Things devices. It makes connecting industrial control systems more convenient but also hides covert communication risks. An attacker can exploit the characteristics or vulnerabilities of power line communication to carry out illegal information transfer or control on ICS equipment, through power line noise interference, signal leakage, malicious injection and the like, endangering ICS security.

Power line covert communication mainly takes the forms of covert modulation and covert control. An attacker can use redundant or hidden information in the power line communication system, such as packet headers, checksums and timestamps, to carry secret information and so bypass security monitoring and protection; for example, reserved fields or timestamps in the PLC-IoT packets of the IEEE 1901.1 standard could carry covert data.

An attacker can also exploit the signal characteristics of the power line communication system, such as amplitude, frequency and phase, making tiny changes to the original signal to carry secret information without affecting normal communication. Examples include covertly modulating the carrier using the OFDM technique of IEEE 1901.1, or carrying covert data in the least significant bit of telemetry values in the IEC 60870-5-104 standard.

For industrial control systems that use power line communication, the power lines are mostly public lines, so any device connected to them may intercept or tamper with the power line communication data. This easily leads to leakage or eavesdropping of sensitive data and is very dangerous for communications involving sensitive information or trade secrets. Power line communication content may also leak as radio waves: because it uses high-frequency carrier signals, those signals radiate from the power line and excite radio waves in the surroundings.

Industrial control systems that do not use power line communication may also suffer cross-network attacks or sabotage over their power lines. An attacker using power line communication can, without touching the target equipment, steal or tamper with sensitive information on it, such as ICS operating parameters, control commands and production data, through a device connected to the same power line. Such an attacker can use the noise and interference on the power line to mask their own signal and lower the risk of discovery, and, because the power line signal attenuates with distance, can control the signal's propagation range by adjusting transmit power so as to avoid interception or jamming by protective equipment. Because power line communication is bidirectional, the attacker can not only steal data from the target equipment but also send malicious data or commands to it, illegally manipulating or interfering with ICS equipment and thereby affecting or disrupting normal ICS operation; for example, by forging or tampering with control commands or status information carried over the DTLS or CoAP protocols in IEEE 1901.1.

III. Recommendations

With new technologies continually being applied in industrial control systems, ICS security protection research still has a long way to go. It is recommended that the next stage of ICS security protection work focus on the following six areas.

1. Strengthen policy and standard setting

It is recommended that competent authorities, in light of each industry's characteristics and development needs, in accordance with national ICS security protection requirements and on the basis of the standard "Information security technology: Security protection technical requirements and test evaluation methods for industrial control systems", formulate ICS security protection systems suited to their industries, providing guidance and norms for the technical development and deeper application of ICS security protection so that every industry's ICS security protection has rules to follow.

2. Strengthen dissemination of policies and standards

It is recommended that relevant departments organise experts to interpret ICS security protection policies and standards in depth and to strengthen their dissemination and implementation, resolving problems such as organisations' inadequate understanding of the policies and standards and their weak grasp of the underlying protection techniques; guide organisations in drawing up security protection plans; offer approaches to organisation-specific problems; and share experience worth promoting.

3. Strengthen top-level design of security protection

It is recommended that security protection experts be involved throughout the transformation and development of industrial control systems, so that enterprise security protection is planned, designed, built and put into use in step with ICS transformation. Top-level design of the security protection system should be strengthened, and the institutional, standards, technical, capability and support systems continually improved, so that ICS transformation proceeds comprehensively and in an orderly way with strong security guarantees for the overall ICS development strategy.

4. Explore testing capabilities for key equipment and industrial software

It is recommended to establish a security review mechanism for imported hardware and software products and for domestically produced equipment that uses imported core components, conducting technical testing for backdoors, vulnerabilities and covert communication. A security risk analysis system for the industrial software supply chain should be built up step by step, combining advanced technologies such as artificial intelligence and knowledge graphs to review the security of open-source components in industrial software, reducing the risks of network eavesdropping and data theft caused by vulnerabilities and backdoors and improving the intrinsic security of industrial control systems.

5. Promote research on new security protection technologies

Given the special nature of ICS dedicated communication interfaces and protocols, security protection technologies suited to ICS characteristics should be studied across the physical environment, network, equipment, application and data layers, forming a defence-in-depth system that addresses ICS security risks arising from different causes. To address the vulnerability of large numbers of ageing industrial control systems, "vest-style" (wrap-around) security hardening techniques should be studied to resolve the "running sick" state of old equipment and raise overall ICS security protection capability.

6. Conduct staff skills training

Enterprises should hold ICS security protection training regularly, focusing on specialist knowledge of industrial control systems and their protection, to improve the ability of ICS operation and maintenance staff and front-line operators to respond to security risks, raise security awareness, and provide an adequate supply of personnel for ICS security protection work.

IV. Conclusion

This article has analysed the security protection risks and the covert communication risks of industrial control systems and put forward recommendations for ICS security protection work, providing a theoretical reference for ICS security protection construction and promoting an overall improvement in ICS security protection capability.



This article was reposted by 数字化转型网 (www.szhzxw.cn) from 新工业网; edited and translated by 数字化转型网宁檬树.


Disclaimer: The content of this website (https://www.szhzxw.cn/) comes mainly from original work, contributions from partner media and third-party submissions; all information appearing on this website is for reference only. The website will endeavour to ensure the accuracy and reliability of the information provided but does not guarantee it; readers should verify it further before use and are responsible for any decisions they make on their own. The website bears no legal liability for any error, inaccuracy or omission arising from the material.

All content published on this website (including but not limited to text, images, logos, audio, video, software and programs) is copyright of its original authors. Any organisation or individual who believes that content on this website may infringe their intellectual property rights or contains false information should notify the site promptly so that it can be removed.

Source page: https://www.szhzxw.cn/27545.html
