Judging from the network security drills in recent years, the industrial control system is seriously ill and vulnerable to attacks, which may lead to a major impact. For a long time, hostile forces have continued to launch attacks on industrial control systems, mainly by means of pre-embedding hidden "backdoors", implanting hardware Trojans, and cross-network attacks, and then monitoring and launching attacks on computers and key equipment that are not connected to the Internet, and easily not exposing the attack target - industrial control system, so as to ensure the suddenness and concealment of system attacks at critical moments.
Covert communication techniques are often used to evade online censorship or to protect data confidentiality, using parts of the network that are not properly monitored or analyzed to transmit data. A lot of research has been achieved on covert communication technology at home and abroad, mainly focusing on the analysis of the principle of covert communication and the detection method of covert communication. However, the research on the hidden communication risk of industrial control system is still in its infancy, and the research on concealed communication technology and detection method based on industrial control communication protocol has not yet formed systematic theoretical and practical results.
Based on the current situation of security protection of industrial control systems in military enterprises, this paper analyzes the security risks of hidden communication in industrial control systems, and puts forward the key research directions in the future.
1 Security protection risks
The Stuxnet virus incident in 2010 raised the security of industrial control systems to an unprecedented level, and China has also issued a number of policy documents and standards related to information security of industrial control systems. Under the guidance of national policies and industries, China's industrial control system security protection capability has made some progress, but it still faces many challenges.
1.1. Safety protection is uneven.
In 2011, the Ministry of Industry and Information Technology issued the Notice on Strengthening Information Security Management of Industrial Control Systems. Since then, various regulations, policy guidance documents and industry standards related to the safety of industrial control systems have been released one after another. In 2022, the Standardization Administration of the People's Republic of China and the National Information Security Standardization Technical Committee issued the Guidelines for Network Security Protection of Information Security Technology for Important Industrial Control Systems and the Technical Requirements and Test and Evaluation Methods for Security Protection of Information Security Technology for Industrial Control Systems respectively. According to the actual situation of their own industrial control systems in the design, construction, operation and other links, various industries have also successively issued industry industrial control system policies and standards to guide the construction, operation and maintenance of industrial control systems. However, each industry has a different understanding of the security protection of industrial control systems, which leads to great differences in the formulation and interpretation of security protection policies and standard systems in various industries, and the ability of security protection is also uneven.
1.2 There are flaws in the safety design.
When designing and producing industrial control equipment (hereinafter referred to as "industrial control equipment"), equipment manufacturers pay attention to the stability, reliability and functionality of the equipment, and pay less attention to the safety protection ability of the equipment. The personnel of the user unit do not understand the technical principles and core technologies of the industrial control equipment, and it is difficult to know whether the industrial control equipment has threats such as "backdoor" and "vulnerability". At the same time, the industrial control equipment is customized and developed according to the specific needs of customers, which is highly matched with the production process, so that the industrial control equipment is non-standard and specialized, and it is impossible to uniformly install anti-virus and other general security protection products, resulting in its lack of effective defense against malicious ***. Due to the inability to avoid the use of open source software components in the development of industrial software products, large-scale software chain security incidents caused by open source software vulnerabilities have continued to occur in recent years, and there have even been organized malicious modification of "poisoning" incidents.
1.3. There are many potential safety hazards in imported equipment.
Some units mainly rely on imports for industrial control equipment, and imported industrial control equipment usually has a special data interface for remote assistance in operation and maintenance. When purchasing and using imported equipment and software, users often fail to carry out necessary security tests on these special data interfaces, and cannot effectively investigate the hidden communication "backdoors" that may be hidden, and there is a risk of data leakage. For example, devices or devices such as Cisco routers, Intel Pentium 3 processor chips, etc., have been proven to have security vulnerabilities and "backdoors."
1.4. It is difficult to adapt safety protection products.
Some units try to improve the security protection level of industrial control systems by deploying traditional security products such as anti-virus and behavior audit in industrial control systems, but these security products are often not suitable for the operating environment of industrial control systems, and there are problems such as accidental killing, compatibility, and virus database cannot be updated in real time. The lack of unified standards and specifications for new industrial control system security products leads to many security products that are simply transformed and adjusted on the basis of existing network security products, and cannot effectively solve the practical security problems such as special communication interfaces and special communication protocol security protection of industrial control systems. There is still a phenomenon of attaching importance to the network layer and ignoring the equipment layer in the information security construction of the industrial control system, and there is a lack of technical protection measures for the industrial control equipment itself. In addition, the construction and use cycle of industrial control systems is long, a large number of old industrial control systems are fragile, and the operating systems and firmware of industrial control equipment often have old versions, many vulnerabilities, and patches are difficult to update.
1.5. Lack of professional talents.
The operation and maintenance of the industrial control system lacks sufficient professional talents, and the operation and maintenance personnel of the industrial control system of some units are concurrently served by the operation and maintenance personnel of the information system, and only a small number of personnel have undergone the security training of the industrial control system of the system. The number of compound talents who are familiar with industrial control systems and security protection is far from meeting the security protection needs of industrial control systems under the current situation.
2 Covert communication risk analysis
Industrial control systems are widely used in petrochemical industry, power energy, national defense and military industry and other fields, and are an important part of the national critical information infrastructure, and have become an important target for attacks and sabotage by various malicious forces. The industrial control system has the characteristics of strong real-time performance and high degree of protocol privatization, and focuses on the stability, reliability and functionality of the equipment in the design and production, which leads to the lack of overall planning of security protection in the industrial control system, and the problems of data plaintext transmission, weak passwords, and difficulty in vulnerability identification and repair in the communication system.
Covert communication refers to the technology of concealing and passing data using protocols or traffic that do not have the ability to transmit information. It has become a trend to use covert communication technologies in the information field to avoid detection by traditional defense systems. Once this trend is applied to the industrial control system by malicious forces, it will cause huge economic and personnel losses. In order to solve the potential risks and hidden dangers such as information leakage and malicious attacks caused by the covert communication of the current industrial control system, this paper will analyze the hidden communication risk of the industrial control system.
2.1 Industrial Ethernet conceals communication risks.
Industrial Ethernet is built on IEEE802Distributed real-time control communication network over Series 3 standard and TCP IP. In order to allow the combination of industrial control system components from different vendors, standard protocols such as Modbus, S7Comm, OPC, etc., are increasingly used in industrial control system networks. Standard protocols usually do not contain security mechanisms to counter covert communication, so attackers can easily modify the communication content or embed additional messages using information hiding techniques by installing pre-designed modules on industrial control devices.
The Modbus protocol is a serial communication protocol widely used in industrial control systems. It doesn't define any authentication, encryption, or authorization mechanisms, making it vulnerable to exploitation by attackers. An attacker can modify the function code, data field, exception code, and other fields in the modbus packet, or insert additional data into the packet to achieve covert communication. For example, the method of covert communication using the exception code field in the modbus protocol can transmit information of any length without affecting normal communication.
The S7COMM protocol is a protocol used for communication between Siemens' S7 series programmable logic controllers (PLCs) or with PC stations. It also doesn't provide effective security protection, so it's also vulnerable to attackers. An attacker can modify the parameters, data blocks, variables, and other fields in the S7 packet, or insert additional data into the packet to achieve covert communication. For example, the method of covert communication using parameter fields in the S7 protocol can transmit information of any length without affecting normal communication.
The OPC protocol is a standardized protocol for exchanging data and commands between different devices in an industrial control system. It is implemented based on the TCP IP protocol and COM DCOM technology. The OPC protocol also has some security issues, such as lack of authentication, encryption, or integrity checks, so it can also be easily exploited by attackers. Attackers can modify the tag name, value, timestamp, and other fields in OPC packets, or insert additional data into the packets to achieve covert communication. For example, stealthy communication using the label name field in the OPC protocol can transmit information of any length without affecting normal communication. Because the covert communication channel of Industrial Ethernet fully conforms to the characteristics and requirements of normal protocols. As a result, an off-the-shelf intrusion detection system (IDS) will have a hard time detecting messages that have changed.
2.2 USB camouflage conceals communication risks.
USB camouflage covert communication is a common covert communication technique. It refers to the use of the characteristics of USB devices to disguise themselves as other types of devices, such as keyboards, mice, cameras, etc., so as to bypass the security detection of the system and achieve covert transmission of data.
For example, a USB device can be disguised as a keyboard to send encrypted data to the target device by simulating keystrokesOr a USB device can be disguised as a camera and send data to the target device by simulating a stream.
USB camouflage covert communication is difficult to detect, block, and analyze. USB devices can be disguised as other common devices, making it difficult for people to identify their true nature by their appearance or system. USB devices can be connected directly to the target device, and network-level monitoring measures or firewalls are difficult to effectively block their communication behavior. In addition, USB devices can use a variety of encryption or steganography techniques to hide data, and it is not possible to analyze the content of their communications based on packet type analysis or content inspection alone.
USB disguised and covert communication poses a greater risk to users, such as information leakage, network attacks, and physical damage. Attackers can use USB spoofing techniques to steal sensitive information such as passwords, files, etc., from the target device and send it to a remote server or other device. Attackers can also use USB spoofing techniques to plant malicious intent** such as Trojans, backdoors, ransomware, and more into the target device, and remotely control or destroy them. In addition, attackers can use USB cloaking technology to send malicious instructions to the target device, such as formatting storage, deleting files, shutting down the system, etc., and cause physical damage or data loss.
2.3 Electromagnetic covert communication risks.
Electromagnetic covert communication technology mainly relies on the wireless air interface to transmit information, the transmission process inevitably has the risk of electromagnetic leakage, under the attack of strong electromagnetic interference from the outside world, malicious installation of electromagnetic Trojan horses and other means, it can break through the limitations of traditional physical isolation and network transmission, resulting in the paralysis of the industrial control system and even the burning of the core production equipment. There are three main types of electromagnetic covert communication risks in industrial control systems.
1) Implant or conceal a wireless transmitter in the device, the device is highly integrated and not easy to find, has the function of transmitting wifi signals and Bluetooth signals, and transmits important information to the outside when the time is ripe, for example, once the office automation equipment connected with the industrial control system equipment maliciously installs a wireless transceiver device, important information can be leaked to the outside. For another example, the theft tools of the Ragemaster, Photoanglo, and Cottonmouth series used by the U.S. Bureau in operations such as Dropmire all use hidden wireless transmitters to steal the core data of important industrial control systems.
2) The attacker steals the important data of the industrial control system by receiving the electromagnetic leakage signal emitted by the electronic components, network transmission cables, computer terminals, etc. of the equipment in the working state, and restores the electromagnetic signal content through demodulation.
3) Preset functions (interfaces) or install malicious electromagnetic Trojan software when the key industrial control equipment leaves the factory, and activate the preset function by receiving the wireless signal emitted by the electromagnetic Trojan, which can not only steal the key core information of the industrial control system, but also destroy the equipment function, and even cause the entire industrial control system to be paralyzed.
2.4 Hidden communication risks of power lines.
Powerline communication technology is a technology that uses power lines for data transmission to realize the connection and control of Internet of Things devices, which brings convenience to the connection of industrial control systems, but also hides hidden communication risks. Attackers can exploit the characteristics or vulnerabilities of power line communication technology to carry out illegal information transmission or control on industrial control equipment, such as power line noise interference, signal leakage, malicious injection, etc., thereby endangering the security of industrial control systems.
The covert communication methods of power lines mainly include covert modulation and covert control. Attackers can use redundant or hidden information in powerline communication systems, such as packet headers, check digits, and timestamps, to transmit secret information to bypass security monitoring and protection. For example, using IEEE 190111 PLC-IoT message 2 in the standard retains a field or timestamp to transmit masked data.
Attackers can also use the signal characteristics in the power line communication system, such as amplitude, frequency, phase, etc., to make small changes to the original signal, so as to transmit secret information without affecting normal communication. For example, using IEEE 1901OFDM3 technology in standard 11 for covert modulation of carrier signals;Another example is the transmission of covert data using the least significant bit of telemetry data in the IEC 60870-5-104 standard.
The industrial control system that uses power line communication, because the power line is mostly a public power line, any equipment connected to the power line may intercept or tamper with the data of power line communication, which is easy to cause sensitive data leakage or eavesdropping, which is very dangerous for communication involving sensitive information or trade secrets. The content of powerline communications can also be leaked in the form of radio waves, which use high-frequency carrier signals that generate radiation on the power lines and excite radio waves in the surroundings.
Industrial control systems that do not use powerline communication can also be subject to cross-network attacks or breaches. An attacker using power line communication can steal or tamper with sensitive information on the target device, such as the operating parameters, control instructions, and production data of the industrial control system, through the device connected to the same power line without touching the target device. Attackers who exploit powerline communications can use noise and interference on powerlines to mask their signals, reducing the risk of detection. At the same time, since the signal strength of power line communication decreases with increasing distance, the attacker can control the propagation range of the signal by adjusting the signal power, so as to avoid being intercepted or interfered with by protective equipment. Due to the two-way nature of power line communication, attackers can not only steal data from the target device, but also send malicious data or instructions to the target device to illegally manipulate or interfere with the industrial control system equipment, thereby affecting or destroying the normal operation of the industrial control system. For example, using IEEE 1901DTLS4 or COAP protocols in standard 11, forgery, tampering with control instructions or status information.
3 Work Proposals
The continuous application of new technologies in industrial control systems, the research on the security protection of industrial control systems has a long way to go, and it is suggested that the next step of the security protection of industrial control systems should be carried out in six aspects.
3.1. Strengthen the formulation of policies and standards.
It is suggested that the competent department should formulate an industrial control system security protection system in line with the characteristics of the industry in accordance with the relevant requirements of the national industrial control system security protection and the standard of "Information Security Technology Industrial Control System Security Protection Technical Requirements and Test and Evaluation Methods", so as to provide guidance and specifications for the technical development and application deepening of the security protection of industrial control systems, so that the security protection of industrial control systems in various industries has rules to follow.
3.2. Strengthen the publicity and implementation of policies and standards.
It is recommended that relevant departments organize experts to conduct in-depth interpretation of relevant policies and standards for the security protection of industrial control systems, strengthen the publicity and implementation of relevant policies and standards, solve the problems of insufficient understanding of policy standards and technical protection principles by relevant units, guide relevant units to formulate safety protection plans, provide personalized solutions to problems, and share experiences worthy of promotion.
3.3. Strengthen the top-level design of safety protection.
It is suggested that security protection experts should be introduced in the whole process of industrial control system transformation and development, so as to promote the synchronous planning, design, construction and use of enterprise security protection and industrial control system transformation. Strengthen the top-level design of the safety protection system, continuously improve the institutional system, standard system, technical system, capability system, support and guarantee system, etc., promote the comprehensive and orderly development of the transformation of the industrial control system, and provide a strong security guarantee for the comprehensive promotion of the development strategy of the industrial control system.
3.4. Explore the detection capabilities of key equipment and industrial software.
It is recommended to establish a security review mechanism for imported software and hardware products and localized equipment using imported core components, and carry out technical testing such as "back doors", vulnerabilities, and covert communications. Gradually establish a security risk analysis system for the industrial software chain, combine advanced technologies such as artificial intelligence and knowledge graph, carry out security review of open source components of industrial software, reduce the risks of network monitoring and data theft caused by security vulnerabilities and "backdoors", and improve the intrinsic security of industrial control systems.
3.5. Promote the research of new safety protection technologies.
In view of the particularity of the special communication interface and special communication protocol security protection of the industrial control system, the security protection technology that conforms to the characteristics of the industrial control system is studied from the aspects of physical environment, network, equipment, application and data, so as to form a defense system in depth to deal with the security risks of the industrial control system caused by different factors. In view of the vulnerability of a large number of old industrial control systems, the "vest-wearing" security reinforcement technology is studied to solve the situation of "sick operation" of old equipment and improve the safety protection capability of industrial control systems as a whole.
3.6. Carry out personnel skills training.
Enterprises should regularly carry out training on the security protection of industrial control systems, focusing on the professional knowledge of industrial control systems and security protection, improve the security risk response ability of industrial control system operation and maintenance personnel and front-line operators, enhance the awareness of safety protection, and provide sufficient talent guarantee for the security protection of industrial control systems.
4 Conclusion
This paper analyzes the security protection risks of industrial control systems and the hidden communication risks of industrial control systems, and puts forward some suggestions for the security protection of industrial control systems, so as to provide a theoretical basis for the construction of security protection of industrial control systems and promote the overall improvement of the security protection capabilities of industrial control systems.
The article ** was published on the new industrial network, invaded and deleted.
Authors: Hou Fangyuan, Wang Hu, Wang Qi, Military Secrecy Qualification Examination and Certification Center.