Cyber Security of SCADA Systems Testbed
Testbed Development
Group Members:
Justin Fitzpatrick
Rafi Adnan
Michael Higdon
Ben Kregel
Adviser:
Dr. Manimaran
What is SCADA?
  Supervisory Control and Data Acquisition
  High Level Components
    Human Machine Interface
    Remote Terminal Unit
    Sensors
SCADA Network Topology
[Figure: network diagram. Labels: WWW; Sub 1, Sub 2; Relay 1, Relay 2; Sicam 1, Sicam 2; Control; Host 1, Host 2. Address labels: ...217, ...213, ...210, ...218, 129.186.5.195, ...193, ...194, ...201, ...203.]
Motivation
  Reliability
  Protection against attack
  Proactive development of security compliance solutions
Requirements and Goals
  Develop system software fluency
    PowerTG
  Develop SCADA testbed
    Configure network communication
    Integrate hardware simulation
      Relays
  SCADA system security evaluation and testing
Constraints
  Time and scheduling resources
  Homeland security protocols
  Learning curve for equipment
  Limited test equipment
    2 relays
    3 SCALANCE units
  Large project scope
    One piece at a time
    Small “experiments”
Project Design
Schedule
  Establish a software model
    Substations and generation
    October 2009
  Integrate hardware into software
    Establishes a full test bed
    December 2009
  Test vulnerabilities and holes in system
    Jan-May 2010
Experiment 1
  Purpose
    Understand software and devices
  Deliverables
    Software guides and explanations
  Testing
    Set-up/configuration of software and devices
Software and Devices
  Software
    PowerTG
    DNP server
    SICAM PAS
    DIGSI
    SCALANCE configuration software
  Devices
    SCALANCE
    Relays
Experiment 2
  Purpose
    Connectivity within SCADA network
  Deliverables
    Network hardware setup (switches, Ethernet)
    PowerTG can communicate with SICAM RTUs
  Testing
    RTUs connect to DNP server
    Ability to trip (on/off) specific RTU relay
SCADA Network Topology
[Figure: network diagram. Labels: WWW; Sub 1, Sub 2; Relay 1, Relay 2; Sicam 1, Sicam 2; Control; Host 1, Host 2. Address labels: ...217, ...213, ...210, ...218, 129.186.5.195, ...193, ...194, ...201, ...203.]
DNP Server Connection
Tripping a Relay
Experiment 3
  Purpose
    Implementation of SCALANCE units
  Deliverables
    Insertion of SCALANCE devices into network as gatekeepers
  Testing
    RTUs connect to DNP server
    Ability to trip (on/off) specific RTU relay
    Block unauthorized connections
    Inability to create connections to the outside
SCALANCE Modules
  Will be primarily used for firewall and IPsec tunnel (VPN)
  Protocol independent
  No repercussions when included in flat networks
  Protection for devices and network segments
Security Topologies
Secured by Firewall
  Need to set up all rules for incoming and outgoing packets via IP addresses
  Does not let anything else in or out
  Effectively the same as tunneling
  Very inconvenient
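
The default-deny, per-IP-address rule set described on the firewall slide can be checked against the Experiment 3 test criteria offline, before any rules are loaded into a device. The Python below is an added example, not part of the original slides or of any SCALANCE tooling. Assumptions: the addresses are constructed from documentation ranges, and the rule tuple format and the function names `permits`, `audit` and `broad_rules` are hypothetical; matching is stateless.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses from documentation ranges, not the testbed's own.
DNP_SERVER, RTU_1, RTU_2 = "192.0.2.10", "192.0.2.21", "192.0.2.22"
OUTSIDE = "198.51.100.7"

# Policy for the module guarding RTU_1: (direction, source net, destination net).
# "in" = toward the protected RTU, "out" = away from it (assumed convention).
RULES = [
    ("in", "192.0.2.10/32", "192.0.2.21/32"),   # DNP server polls / trips the RTU
    ("out", "192.0.2.21/32", "192.0.2.10/32"),  # RTU answers the DNP server
]


def permits(rules, direction, src, dst):
    """Default deny: a packet passes only if an explicit rule matches it."""
    s, d = ip_address(src), ip_address(dst)
    return any(direction == r_dir and s in ip_network(r_src) and d in ip_network(r_dst)
               for r_dir, r_src, r_dst in rules)


def audit(rules, expected):
    """Return the flows whose policy decision differs from the test plan."""
    return [(direction, src, dst, want)
            for direction, src, dst, want in expected
            if permits(rules, direction, src, dst) != want]


def broad_rules(rules, min_prefix=24):
    """Flag rules wide enough to defeat a per-address allowlist."""
    return [r for r in rules
            if min(ip_network(r[1]).prefixlen, ip_network(r[2]).prefixlen) < min_prefix]


# Experiment 3 test criteria expressed as flows (True = must pass).
EXPECTED = [
    ("in", DNP_SERVER, RTU_1, True),    # RTU reachable from the DNP server
    ("out", RTU_1, DNP_SERVER, True),   # RTU connects to the DNP server
    ("in", OUTSIDE, RTU_1, False),      # unauthorized connection is blocked
    ("in", RTU_2, RTU_1, False),        # other substation treated as unauthorized (assumption)
    ("out", RTU_1, OUTSIDE, False),     # no connections to the outside
]

if __name__ == "__main__":
    print("mismatches:", audit(RULES, EXPECTED))
    print("overly broad:", broad_rules(RULES))
```

An empty mismatch list means the rule set satisfies every flow in the test matrix; a rule such as an any-destination "out" entry shows up both in `broad_rules` and as a failed "no connections to the outside" check.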
Security Topologies
Secured by IPsec Tunnels
  Only communication between SCALANCE devices allowed.
  All nodes behind SCALANCE can talk to other nodes behind SCALANCE devices.
    Dashed green lines on next slide
  No additional rules required. Add to group and automatically part of tunnel.
NAT Router Mode
  All internal nodes send packets to the external network and keep their IP addresses hidden by the NAT functionality
  Used to protect IP address of each node behind SCALANCE device
Experiment 4
  Purpose
    Implementation of adjustable load on relay
  Deliverable
    Adjustable load connection to RTU relay
    PowerTG automatically trips relay if load exceeds a pre-set threshold
  Testing
    Relay trips when load exceeds threshold
SCADA Network Topology
[Figure: network diagram. Labels: WWW; Sub 1, Sub 2; Relay 1, Relay 2; Sicam 1, Sicam 2; Control; Host 1, Host 2. Address labels: ...217, ...213, ...210, ...218, 129.186.5.195, ...193, ...194, ...201, ...203.]
Plan for Load Testing
  Develop a variable load
  Run load through relays
  Monitor load data with PowerTG
  Define low and high constraints
  Dependent upon observed load
  Operate relays
  Open circuits
Experiment 5
  Purpose
    Security evaluation
  Deliverable
    Look for vulnerabilities
    Development of attacks to penetrate SCADA network to perform malicious actions
  Testing
    Play out and determine if attacks are effective
Security Test Plan
  Try to come up with attack scenarios
    Packet flooding
    Compromising VPN security?
    Physical intrusion
  Run attack/defense simulations
  Use CSET to verify CIP compliance
Questions?