Cyber Security of SCADA Systems Testbed Testbed Development Group Members: Justin Fitzpatrick Rafi Adnan Michael Higdon Ben Kregel Adviser: Dr. Manimaran

Page 1:

Cyber Security of SCADA Systems

Testbed Testbed Development

Group Members:

Justin Fitzpatrick

Rafi Adnan

Michael Higdon

Ben Kregel

Adviser:

Dr. Manimaran

Page 2: What is SCADA?

Supervisory Control and Data Acquisition

Page 3: High Level Components

- Human Machine Interface
- Remote Terminal Unit
- Sensors

Page 4: SCADA Network Topology

[Figure: network diagram with nodes WWW, Sub 1, Sub 2, Relay 1, Relay 2, Sicam 1, Sicam 2, Control, Host 1 and Host 2; address labels 129.186.5.195, ...193, ...194, ...201, ...203, ...210, ...213, ...217 and ...218]

Page 5: Motivation

- Reliability
- Protection against attack
- Proactive development of security compliance solutions

Page 6: Requirements and Goals

- Develop system software fluency
  - Power TG
- Develop SCADA testbed
  - Configure network communication
- Integrate hardware simulation
  - Relays
- SCADA system security evaluation and testing

Page 7: Constraints

- Time and scheduling resources
- Homeland security protocols
- Learning curve for equipment
- Limited test equipment
  - 2 relays
  - 3 SCALANCE units

Page 8: Project Design

- Large project scope
- One piece at a time
- Small “experiments”

Page 9: Schedule

- Establish a software model
  - Substations and generation
  - October 2009
- Integrate hardware into software
  - Establishes a full test bed
  - December 2009
- Test vulnerabilities and holes in system
  - Jan-May 2010

Page 10: Experiment 1

- Purpose
  - Understand software and devices
- Deliverables
  - Software guides and explanations
- Testing
  - Set-up/configuration of software and devices

Page 11: Software and Devices

- Software
  - PowerTG
  - DNP server
  - SICAM PAS
  - DIGSI
  - SCALANCE configuration software
- Devices
  - SCALANCE
  - Relays

Page 13: Experiment 2

- Purpose
  - Connectivity within SCADA network
- Deliverables
  - Network hardware setup (switches, Ethernet)
  - PowerTG can communicate with SICAM RTUs
- Testing
  - RTUs connect to DNP server
  - Ability to trip (on/off) specific RTU relay

Page 14: SCADA Network Topology

[Figure: SCADA network topology diagram, repeated from Page 4]

Page 15: DNP Server Connection

Page 16: Tripping a Relay

Page 17: Experiment 3

- Purpose
  - Implementation of SCALANCE units
- Deliverables
  - Insertion of SCALANCE devices into the network as gatekeepers
- Testing
  - RTUs connect to DNP server
  - Ability to trip (on/off) specific RTU relay
  - Block unauthorized connections
  - Inability to create connections to the outside

Page 18: SCALANCE Modules

- Will be primarily used for firewall and IPsec tunnel (VPN)
- Protocol independent
- No repercussions when included in flat networks
- Protection for devices and network segments

Page 20: Secured by Firewall

- Need to set up all rules for ingoing, outgoing packets via IP addresses
- Does not let anything else in or out
- Effectively the same as tunneling
- Very inconvenient

Page 21: Security Topologies

Page 22: Secured by IPsec Tunnels

- Only communication between SCALANCE devices allowed.
- All nodes behind SCALANCE can talk to other nodes behind SCALANCE devices.
  - Dashed green lines on next slide
- No additional rules required. Add to group and automatically part of tunnel.
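
A simplified model of the two policies on the "Secured by Firewall" and "Secured by IPsec Tunnels" slides, added here as an example and not taken from the presentation or from any SCALANCE configuration. It shows how per-address rules grow with node count and that a tunnel group also permits node-to-node traffic that a tight allowlist blocks; node names and addresses are constructed.

```python
from ipaddress import ip_address

# Constructed inventory (RFC 5737 documentation addresses, not the testbed's).
NODES = {"control": "192.0.2.10", "sicam1": "192.0.2.21", "sicam2": "192.0.2.22"}
OUTSIDER = "198.51.100.7"  # constructed address with no rule and no membership


def firewall_rules(flows):
    """Firewall mode: one explicit rule per permitted (source, destination)."""
    return {(ip_address(NODES[s]), ip_address(NODES[d])) for s, d in flows}


def firewall_allows(rules, src, dst):
    """Default deny: only an exactly listed address pair passes."""
    return (ip_address(src), ip_address(dst)) in rules


def tunnel_allows(group, src, dst):
    """Tunnel mode: traffic passes when both ends sit behind group members."""
    members = {ip_address(NODES[name]) for name in group}
    return ip_address(src) in members and ip_address(dst) in members


def rules_for_full_reach(node_count):
    """Directed firewall rules needed to match one tunnel group's reach."""
    return node_count * (node_count - 1)


def demo():
    # Control talks to each RTU in both directions; RTUs do not talk to each other.
    rules = firewall_rules([("control", "sicam1"), ("sicam1", "control"),
                            ("control", "sicam2"), ("sicam2", "control")])
    group = ["control", "sicam1", "sicam2"]
    return {
        "fw_control_to_rtu": firewall_allows(rules, NODES["control"], NODES["sicam1"]),
        "fw_rtu_to_rtu": firewall_allows(rules, NODES["sicam1"], NODES["sicam2"]),
        "fw_outsider": firewall_allows(rules, OUTSIDER, NODES["sicam1"]),
        "tunnel_rtu_to_rtu": tunnel_allows(group, NODES["sicam1"], NODES["sicam2"]),
        "tunnel_outsider": tunnel_allows(group, OUTSIDER, NODES["sicam1"]),
        "rules_3_nodes": rules_for_full_reach(3),
        "rules_10_nodes": rules_for_full_reach(10),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
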

Page 23: Security Topologies

Page 24: NAT Router Mode

- All internal nodes send packets to the external network and keep their IP addresses hidden by the NAT functionality
- Used to protect IP address of each node behind SCALANCE device

Page 25: Experiment 4

- Purpose
  - Implementation of adjustable load on relay
- Deliverable
  - Adjustable load connection to RTU relay
  - PowerTG automatically trips relay if load exceeds a pre-set threshold
- Testing
  - Relay trips when load exceeds threshold

Page 26: SCADA Network Topology

[Figure: SCADA network topology diagram, repeated from Page 4]

Page 27: Plan for Load Testing

- Develop a variable load
- Run load through relays
- Monitor load data with PowerTG
- Define low and high constraints
  - Dependent upon observed load
- Operate relays
  - Open circuits

Page 29: Experiment 5

- Purpose
  - Security evaluation
- Deliverable
  - Look for vulnerabilities
  - Development of attacks to penetrate SCADA network to perform malicious actions
- Testing
  - Play-out and determine if attacks are effective

Page 30: Security Test Plan

- Try and come up with attack scenarios
  - Packet flooding
  - Compromising VPN security?
  - Physical intrusion
- Run attack/defense simulations
- Use CSET to verify CIP compliance

Page 31: Questions?