updated: new readme for aitm between turbine and farm controller (TODOs)
dnkcom committed Nov 12, 2024
1 parent 913836d commit 1051889
Showing 1 changed file with 19 additions and 156 deletions.
175 changes: 19 additions & 156 deletions README.md
@@ -1,189 +1,52 @@
# Branches

* [branch-00](#model-familiarity-and-initial-analysis-branch-00)
* [branch-00](#previous-wind-turbine-branch-00)
* [branch-01](#connecting-your-turbine-to-the-wind-farm-branch-01)
* [branch-02](#cwe-assessment-and-correction-branch-02)
* [branch-03](#tbd-branch-03)

# Model Familiarity and Initial Analysis (branch-00)

In this branch, you will confirm access to:

* Grafana dashboard and Node-RED HMI
* Wireshark container desktop
* VS Code configuration files
# Previous wind turbine (branch-00)

## Steps
Re-familiarize yourself with the wind turbine from the last lab. Recall, it has an adversary container and a Grafana container for ground truth.

1. Ensure all containers are running in the Gitpod workspace (_9_ containers).
2. Navigate to the public ports exposed by Gitpod for Grafana and Node-RED HMI.
* Copy the links provided on the Ports tab for Grafana and HMI to open separate browser tabs.
* For Node-RED HMI, use the primary URL and add `/ui` to the path.
* For Grafana, go to Dashboards > General > Turbine.
3. Navigate to the public port exposed by Gitpod for the `wireshark` container.
* Use the primary URL and add `/vnc.html` to the path.
* Copy the provided links on the Ports tab for Wireshark to open a separate browser tab.
* Click the `Connect` button in the NoVNC dialogue.
* If Wireshark is not running, start it from the desktop.
* Capture traffic on an interface starting with `br-`.
4. Locate the relevant configuration files in the `configs/ot-sim` directory.
In the next branch, you will set up this wind turbine in a larger wind farm. Change the two `{{FIX_ME}}` entries in the URL below with the values provided by your instructor. Then, start the next branch.

## After completing the above steps, you should work to:
> There will be a Q&A session at the module’s end. Stop the current Gitpod workspace and deploy the next branch in Gitpod using this URL: https://gitpod.io/HOSTNAME={{FIX_ME}},OTSIM_TAILSCALE_AUTHKEY=tskey-auth-{{FIX_ME}}/https://github.com/patsec/uiuc-farm/tree/branch-01
* Describe the system’s architecture.
* Are you able to describe what the containers are functioning as in context of a larger wind turbine system?
* Identify main communication patterns, particularly Modbus.
* Who is talking the loudest and the most?
* Who are they talking to?
* What else stands out to you in the communications between containers?
* Determine the controller’s responsibilities.
* Are you able to determine what the controller is responsible for in the overall context of the system?
# Connecting Your Turbine to the Wind Farm (branch-01)

## The following are available to you to assist in the above data gathering:
In this branch:

* Traffic analysis tools (the Wireshark container)
* Initial configuration files
* You will confirm access to the lab’s wind farm.

> There will be a Q&A session at the module’s end. Stop the current Gitpod workspace and deploy the next branch in Gitpod using this URL: https://gitpod.io/HOSTNAME={{FIX_ME}},OTSIM_TAILSCALE_AUTHKEY=tskey-auth-{{FIX_ME}}/https://github.com/patsec/uiuc-farm/tree/branch-01
## Steps for connecting to the wind farm

# Connecting Your Turbine to the Wind Farm (branch-01)
1. Ensure all containers are running in the Gitpod workspace.
2. Confirm with the lab instructor that your wind turbine is connected to the farm.
3. Feather the turbine blades and confirm with the instructor that they are visible.

In this branch:
Use the `{{FIX_ME}}` values from the previous branch in the URL below. Then, start the next branch.

* You will confirm access to the lab’s wind farm.
* You will also conduct protocol and wind controller analysis.

## Steps for connecting to the wind farm

1. Ensure all containers are running in the Gitpod workspace.
2. Confirm with the lab instructor that your wind turbine is connected to the farm.
3. Feather the turbine blades and confirm with the instructor that they are visible.

## Protocol and wind controller analysis.

### Answers for branch-00

> This branch uses accurate names for the controller containers.
* Six controllers manage turbine operations:
* The loudest, `main-controller`, monitors and controls the system based on weather data.
* Quietest, `blade` containers, three of them, adjust blade pitch (feathered or not) to optimize performance.
* The `main-controller` uses Modbus protocol with assigned values to communicate with other controllers.
* Grafana turbine dashboard and Node-RED HMI provide visual reports on weather data and turbine operation.
* Configuration files are for:
* `alpine-eclipse.yml`: yaw controller, which monitors and sets yaw.
* `crazy-trader.yml`, `odd-prodigy.yml`, `wavy-bird.yml`: blade controllers, change blade pitch.
* `exalted-bear.yml`: anemometer controller, ingests weather data and publishes live updates.
* `low-patriot.yml`: main controller, adjusts blades and yaw based on other controllers’ data.
* As wind speed, temperature, pressure, and feather values change, power generation is calculated and simulated.

> Each controller generates HTTP traffic to the OpenSearch container in addition to Modbus traffic. This provides ground truth data for the Grafana turbine dashboard, separate from the Modbus data used by the Node-RED UI.
### Protocol analysis

* Modbus protocol usage: A helpful [Modbus](https://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf) protocol read ahead.
* Wind turbine controller logic: The DOE provides a basic overview of [wind turbine](https://www.energy.gov/eere/wind/how-wind-turbine-works-text-version) operations.

### Steps

1. If you have not already done so, deploy a new Gitpod workspace for this branch using this URL: https://gitpod.io/HOSTNAME={{FIX_ME}},OTSIM_TAILSCALE_AUTHKEY=tskey-auth-{{FIX_ME}}/https://github.com/patsec/uiuc-farm/tree/branch-01
2. Navigate to the public port exposed by Gitpod for the `wireshark` container.
* Use the primary URL and add `/vnc.html` to the path.
* Copy the provided links on the Ports tab for Wireshark to open a separate browser tab.
* Click the `Connect` button in the NoVNC dialogue.
* If Wireshark is not running, start it from the desktop.
* Capture traffic on an interface starting with `br-`.
3. Review the logic in the `configs/ot-sim/main-ctlr.xml` and `configs/ot-sim/yaw-ctlr.xml` configuration files.

### After completing the above steps, you should work to:

* Identify Modbus register types, addresses, and packet information.
* Describe values sent for registers and logic in main and yaw controllers.

> There will be a Q&A session at the module’s end. Stop the current Gitpod workspace and deploy the next branch in Gitpod using this URL: https://gitpod.io/HOSTNAME={{FIX_ME}},OTSIM_TAILSCALE_AUTHKEY=tskey-auth-{{FIX_ME}}/https://github.com/patsec/uiuc-farm/tree/branch-02
> There will be a Q&A session at the module’s end. Stop the current Gitpod workspace and deploy the next branch in Gitpod using this URL: https://gitpod.io/HOSTNAME={{FIX_ME}},OTSIM_TAILSCALE_AUTHKEY=tskey-auth-{{FIX_ME}}/https://github.com/patsec/uiuc-farm/tree/branch-02
# CWE Assessment and Correction (branch-02)

## Answers for branch-01

* Modbus register types and addresses in use:
* `main controller <--> anemometer`: input registers 30001-30009
* `main controller` is polling `anemometer` for data
* Typical values from the `anemometer`:
```
reading input register 30001 --> ~1000
reading input register 30002 --> ~1000
reading input register 30003 --> ~1000
reading input register 30004 --> ~27500
reading input register 30005 --> ~28000
reading input register 30006 --> ~28500
reading input register 30007 --> ~1000
reading input register 30008 --> ~1200
reading input register 30009 --> ~8000
```
* `main controller <--> yaw controller`: input register 30001, holding register 40001
* `main controller` is polling `yaw controller` for data, as well as pushing setpoint
* Typical values from the `yaw controller`:
```
reading input register 30001 --> 0 - 36000
reading holding register 40001 --> 0 - 36000
```
* Typical values from the `main controller`:
```
writing holding register 40001 --> 0 - 36000
```
* `main controller <--> blade controllers`: coil 1
* `main controller` is pushing setpoint
* Typical values from the `main controller`:
```
writing coil 1 --> 0 (false)
```
* Logic in the `main controller`:
* Determines if emergency stop was initiated manually (`manual_stop`) or remotely (`proto_stop`)
* Feathers blades if emergency stop or if wind speed (`speed`) is below `cut_in` or above `cut_out`
* Adjusts yaw setpoint (`yaw_setpoint`) if current yaw (`current_yaw`) is outside error boundary (`dir_error`)
* Logic in `yaw controller`:
* Adjusts current yaw (`current_yaw`) by 0.1 degrees in the appropriate direction if current yaw is not at the setpoint (`yaw_setpoint`)
## In this branch, you will begin to:

* Think adversarially,
* Understand adversarial procedure development approaches, and
* Identify a wind turbine weakness.
This branch includes an additional container, the `adversary` container.
## Steps
1. If you have not already done so, deploy a new Gitpod workspace for this branch using this URL: https://gitpod.io/HOSTNAME={{FIX_ME}},OTSIM_TAILSCALE_AUTHKEY=tskey-auth-{{FIX_ME}}/https://github.com/patsec/uiuc-farm/tree/branch-02
2. Browse the public port exposed by Gitpod for the `adversary` container.
* Use the primary URL and add `/vnc.html` to the path.
* Copy the provided on the Ports tab for Adversary (or click the `world` icon to the right of links) to open a separate browser tab.
* Click the `Connect` button in the NoVNC dialogue.
* To start a terminal, right-click on the desktop and select `Terminal`.
> Stop the Gitpod workspace after developing and testing custom adversarial procedures. Deleting the workspace will delete files in the `adversary` container, so copy them before deleting the workspace.
## Discussion Starters
* What types of attacks can you think of against Modbus?
* AitM
* Denial of Service
* Others?
* What makes Modbus susceptible to these attacks?
* Lack of authentication
* Lack of message signing
* Others?
* Are there other attacks against this turbine?
* Work to correct the weakness.

For this branch, focus on identifying known weaknesses [CWE-451](https://cwe.mitre.org/data/definitions/451.html): User Interface (UI) Misrepresentation of Critical Information. Navigate to that link and read the extended description.

## Identify a weakness in the wind turbine

> TODO: Execute an attack between the wind turbine and farm controller instead of redoing the previous attack within the wind turbine. Modify the scripts and communications between the turbine and farm controller to use Modbus.
The `adversarial` container includes a script, `attack.sh`, for conducting an AitM attack against the turbine’s main controller and anemometer. This simplified attack will display erroneous data in the UI, which can be validated by comparing the ground-truth reporting in the Grafana dashboard.

> There will be a Q&A session at the module’s end. Stop the current Gitpod workspace and deploy the next branch in Gitpod using this URL: https://gitpod.io/HOSTNAME={{FIX_ME}},OTSIM_TAILSCALE_AUTHKEY=tskey-auth-{{FIX_ME}}/https://github.com/patsec/uiuc-farm/tree/branch-03
> TODO: Provide instructions on identifying weaknesses and their corresponding corrections, possibly linking to [CWE-440](https://cwe.mitre.org/data/definitions/440).
# TBD (branch-03)
> TODO: do we need a branch-03?
> TODO: ???
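Review bot: the branch-02 section still tells the reader that `attack.sh` performs an AitM between the turbine's main controller and anemometer (the paragraph under "## Identify a weakness in the wind turbine") while the TODO directly above it says the attack should now run between the wind turbine and the farm controller, and at the same time the branch-01 answer key that documented the Modbus register map (anemometer input registers 30001-30009, yaw controller input register 30001 and holding register 40001, blade controllers coil 1) and the main/yaw controller logic has been deleted without a replacement describing the turbine-to-farm-controller link. Until reference material for the new target exists, the branch-02 weakness identification has nothing to work from, so either keep the register and logic reference under branch-01 or add the farm-controller equivalent in the same change that removes it. Two smaller points: the three TODO blockquotes and the "TBD (branch-03)" heading will render in the student-facing README as published, so they would be better as HTML comments or tracked issues; and the deploy URLs put a Tailscale auth key in the query string (`OTSIM_TAILSCALE_AUTHKEY=tskey-auth-{{FIX_ME}}`), so the sentence that tells students to substitute their `{{FIX_ME}}` values should also say to treat that key as a secret and not to paste the filled-in URL into shared chat or commit it, since it ends up in browser history and in any link that gets forwarded. Finally, in step 3 of "Steps for connecting to the wind farm", "confirm with the instructor that they are visible" leaves "they" ambiguous; say whether the instructor should see the turbine or the feathered blades on the farm view.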
