新型工业控制系统勒索蠕虫威胁与防御

doi:10.11772/j.issn.1001-9081.2017112703

计算机应用 ›› 2018, Vol. 38 ›› Issue (6): 1608-1613.DOI: 10.11772/j.issn.1001-9081.2017112703

新型工业控制系统勒索蠕虫威胁与防御

刘煜堃¹, 诸葛建伟¹, 吴一雄^1,2

1. 清华大学网络科学与网络空间研究院, 北京 100084;
2. 福州大学数学与计算机科学学院, 福州 350116

收稿日期:2017-11-15 修回日期:2018-02-23 出版日期:2018-06-10 发布日期:2018-06-13
通讯作者: 诸葛建伟
作者简介:刘煜堃(1993-),男,福建福州人,硕士研究生,主要研究方向:系统安全、漏洞挖掘、漏洞利用、工业控制系统安全;诸葛建伟(1980-),男,浙江瑞安人,副研究员,博士,CCF高级会员,主要研究方向:系统安全、网络攻防;吴一雄(1995-),男,福建莆田人,主要研究方向:Web应用安全、工业控制系统安全。
基金资助:
国家自然科学基金资助项目（61472209）；清华大学国际科技合作项目（20163000227）；清华大学自主科研计划课题（20151080436）。

Threat and defense of new ransomware worm in industrial control system

LIU Yukun¹, ZHUGE Jianwei¹, WU Yixiong^1,2

1. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China;
2. College of Mathematics and Computer Science, Fuzhou University, Fuzhou Fujian 350116, China

Received:2017-11-15 Revised:2018-02-23 Online:2018-06-10 Published:2018-06-13
Supported by:
This work is partially supported by the National Natural Science Foundation of China (61472209), the International Science and Technology Cooperation Project of Tsinghua University (20163000227), the Independent Research Project of Tsinghua University (20151080436).

摘要/Abstract

摘要： 工业控制系统（ICS）的大规模攻击对于电力生产、输配电、石油化工、水处理和传输等涉及国计民生的关键基础设施是一个巨大的威胁，目前提出的针对ICS的勒索蠕虫受限于工控网络隔离的特性，难以大规模传播。基于观察到的ICS实际开发场景，针对ICS高度隔离化的问题，提出一种基于新的攻击路径的勒索蠕虫威胁模型。此威胁模型首先将工程师站作为初次感染目标，然后以工程师站作为跳板，对处于内部网络的工业控制设备进行攻击，最后实现蠕虫式感染和勒索。基于此威胁模型，实现了ICSGhost——一种勒索蠕虫原型。在封闭的实验环境中，ICSGhost能够以预设的攻击路径对ICS进行蠕虫式感染；同时，针对该勒索蠕虫威胁，讨论了防御方案。实验结果表明此种威胁切实存在，并且由于其传播路径基于ICS实际的开发场景，较难检测和防范。

关键词: 工业控制系统, 蠕虫, 勒索软件, 网络犯罪, 安全威胁

Abstract: Industrial Control System (ICS) is widely used in critical infrastructure projects related to the national economy and people's livelihood such as power generation, transmission and distribution, petrochemical industry, water treatment and transmission. Large-scale attack on ICS is a huge threat to critical infrastructure. At present, the proposed ransomware worm for ICS is limited by the isolation characteristics of industrial control network, and it is difficult to spread on a large scale. Based on the observed actual development scene of ICS, in order to solve the problem of high isolation for ICS, a novel ransomware worm threat model with a new attack path was proposed. Firstly, the engineer station was taken as the primary infection target. Then, the engineer station was used as the springboard to attack the industrial control devices in the internal network. Finally, the worm infection and ransom were realized. Based on the proposed threat model, ICSGhost, which was a ransomware worm prototype, was implemented. In the closed experimental environment, ICSGhost can realize worm infection for ICS with a predetermined attack path. At the same time, for the ransomware worm threat, the defense plan was discussed. The experimental results show that such threat exists, and because its propagation path is based on the actual development scene of ICS, it is difficult to detect and guard against.

Key words: Industrial Control System (ICS), worm, ransomware, cybercrime, security threat

中图分类号:

TP273
TP309

刘煜堃, 诸葛建伟, 吴一雄. 新型工业控制系统勒索蠕虫威胁与防御[J]. 计算机应用, 2018, 38(6): 1608-1613.

LIU Yukun, ZHUGE Jianwei, WU Yixiong. Threat and defense of new ransomware worm in industrial control system[J]. Journal of Computer Applications, 2018, 38(6): 1608-1613.

参考文献

[1] ENISA. Protecting industrial control systems. recommendations for Europe and member states[EB/OL].[2017-10-16]. https://www.enisa.europa.eu/publications/protecting-industrial-control-systems.-recommendations-for-europe-and-member-states.
[2] 陶耀东,李宁,曾广圣.工业控制系统安全综述[J].计算机工程与应用,2016,52(13):8-18.(TAO Y D, LI N, ZENG G S. Review of industrial control systems security[J]. Computer Engineering and Applications, 2016, 52(13):8-18.)
[3] FALLIERE N, MURCHU L O, CHIEN E. W32.Stuxnet Dossier[EB/OL].[2017-10-16]. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.
[4] MOHURLE S, PATIL M. A brief study of WannaCry threat:ransomware attack 2017[J]. International Journal of Advanced Research in Computer Science, 2017, 8(5):1938-1940.
[5] BURGESS M. Could hackers really take over a hotel? WIRED explains[EB/OL].[2017-10-16]. http://www.wired.co.uk/article/austria-hotel-ransomware-true-doors-lock-hackers.
[6] FORMBY D, DURBHA S, BEYAH R. Out of control:ransomware for industrial control systems[EB/OL].[2017-10-16]. http://www.cap.gatech.edu/plcransomware.pdf.
[7] SPENNEBERG R, BRVGGEMANN M, SCHWARTKE H. PLC-blaster:a worm living solely in the PLC[EB/OL].[2017-10-16]. https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf.
[8] KLICK J, LAU S, MARZIN D, et al. Internet-facing PLCs - a new back orifice[EB/OL].[2017-10-16]. http://www.inf.fu-berlin.de/inst/ag-si/pub/us-15-Klick-Internet-Facing-PLCs-A-New-Back-Orifice-paper.pdf.
[9] KASPIN D. The lion at the waterhole:the secrets of life and death in Chewa rites de passage[M]//Those Who Play With Fire:Gender, Fertility and Transformation in East and Southern Africa. London:Athlone Press, 1999:83-99.
[10] XIAO C. Novel malware xcodeghost modifies xcode, infects apple ios apps and hits app store[EB/OL].[2017-10-16]. https://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/.
[11] TISCHER M, DURUMERIC Z, et al. Users really do plug in USB drives they find[C]//Proceedings of the 2016 IEEE Symposium on Security and Privacy. Piscataway, NJ:IEEE, 2016:306-319.
[12] HUNT R. Internet/Intranet firewall security - policy, architecture and transaction services[J]. Computer Communications, 1998, 21(13):1107-1123.
[13] CHESWICK W R, BELLOVIN S M, RUBIN A D. Firewalls and Internet Security:Repelling the Wily Hacker[M]. 2nd Edition. Boston, MA:Addison-Wesley Longman Publishing Company, 2003:24-34.
[14] TARI Z, CHAN S W. A role-based access control for intranet security[J]. IEEE Internet Computing, 1997, 1(5):24-34.
[15] 春增军,邹来龙.发电企业集团办公网与互联网隔离策略分析与方案研究[J].电子技术应用,2010(1):144-147.(CHUN Z J, ZHOU L L. The policy analysis and project study to electricity enterprise group's Intranet and Internet network isolation[J]. Application of Electronic Technique, 2010(1):144-147.)
[16] WILLIAMS T J. The purdue enterprise reference architecture[J]. Computers in Industry, 1994, 24(2/3):141-158.
[17] 尚文利,安攀峰,万明,等.工业控制系统入侵检测技术的研究及发展综述[J].计算机应用研究,2017,34(2):328-333,342.(SHANG W L, AN P F, WAN M, et al. Research and development overview of intrusion detection technology in industrial control system[J]. Application Research for Computers, 2017, 34(2):328-333, 342.)
[18] 彭勇,向憧,张淼,等.工业控制系统场景指纹及异常检测[J].清华大学学报(自然科学版),2016,56(1):14-21.(PENG Y, XIANG T, ZHANG M, et al. Scenario fingerprint of an industrial control system and abnormally detection[J]. Journal of Tsinghua University (Science and Technology), 2016, 56(1):14-21.)

新型工业控制系统勒索蠕虫威胁与防御

Threat and defense of new ransomware worm in industrial control system

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	苏振宇, 宋桂香, 刘雁鸣, 赵媛. 服务器管理控制系统威胁建模与应用[J]. 计算机应用, 2019, 39(7): 1991-1996.
[2]	陈万志, 徐东升, 张静, 唐雨. 结合优化支持向量机与K-means++的工控系统入侵检测方法[J]. 计算机应用, 2019, 39(4): 1089-1094.
[3]	何赞园, 王凯, 牛犇, 游伟, 汤红波. 基于安全威胁预测的5G网络切片功能迁移策略[J]. 计算机应用, 2019, 39(2): 446-452.
[4]	常天佑, 魏强, 耿洋洋. 基于状态转换的PLC程序模型构建方法[J]. 计算机应用, 2017, 37(12): 3574-3580.
[5]	黄辉郭帆徐淑芳. 基于改进蚁群算法的多态蠕虫特征提取[J]. 计算机应用, 2013, 33(12): 3494-3498.
[6]	孙磊戴紫珊. 安全服务云框架研究[J]. 计算机应用, 2012, 32(01): 13-15.
[7]	林锦贤林军青. 离散时间下混合型良性蠕虫的建模仿真分析[J]. 计算机应用, 2011, 31(11): 2957-2960.
[8]	宋礼鹏韩燮刘冬明张建华. 机器更新对蠕虫传播影响[J]. 计算机应用, 2011, 31(05): 1262-1264.
[9]	左家亮寇雅楠杨任农张滢侯佩黄利斌. 基于贪婪算法的蠕虫综合容忍预警方法[J]. 计算机应用, 2010, 30(2): 529-531.
[10]	宋礼鹏. 多蠕虫传播模型分析[J]. 计算机应用, 2010, 30(12): 3360-3362.
[11]	刘方正祁建清司贵生. 非均匀随机扫描的蠕虫离散传播模型[J]. 计算机应用, 2010, 30(10): 2677-2678.
[12]	许晓东杨甦朱士瑞. 基于候选组合频繁模式的骨干网蠕虫检测研究[J]. 计算机应用, 2009, 29(1): 178-180.
[13]	贾永新肖爱梅. 基于陷阱邮箱的蠕虫邮件行为模式识别方法[J]. 计算机应用, 2009, 29(08): 2236-2239.
[14]	李晓冬李毅超. 基于漏洞的蠕虫特征自动提取技术研究[J]. 计算机应用, 2008, 28(3): 640-642.
[15]	冯庆煜. Ad Hoc网络中OLSR路由协议的蠕虫防御[J]. 计算机应用, 2007, 27(5): 1062-1063.