Cyber Security of SCADA Systems Remote Terminal Units (RTU)


Cyber Security of SCADA Systems Remote Terminal Units (RTU) May 1013

Problem

SCADA systems are designed to provide an efficient solution to monitoring, regulation and control of various utilities. With many of the SCADA systems being significantly dated, security was of little concern prior to today’s internet age. For this reason most control systems are open to attack from the outside. Design and implementation of SCADA test beds for use in security evaluation, testing and simulations is necessary to guarantee the safety of our critical infrastructure and utilities.

Overview

Critical infrastructure systems, such as the electric power grid and water distribution systems, use SCADA (Supervisory Control and Data Acquisition) systems for a variety of sensing, decision making and control associated with real-time operation of the infrastructure systems. Our testbed will be used to conduct attack-defense exercises to study the various vulnerabilities of SCADA systems and their potential impacts on the performance and stability of the power system. The goal of the project is to integrate real-time power system simulation capabilities into the SCADA testbed, and conduct cyber attack-defense evaluations on the integrated system.

The SCADA network consists of three major components and levels of abstraction:
- Control Center
- Remote Terminal Units (RTUs)
- Field devices (Relays)

Functional Requirements

- Establish an operational SCADA test bed
- Incorporate security features into the SCADA test bed
- Integrate a live resistive current load
- Conduct simulations and analysis on the test bed
- Conduct attack scenarios for the test bed

[Figure: System Diagram; labels: Scalance, Control Center, Communication, Instruction]

Remote Terminal Units (RTU)

These devices live between the control center and sensory relay devices.
SICAM PAS (Power Automation System) is software that runs on, and acts as, a Remote Terminal Unit (RTU), which is responsible for interpreting sensory data about a process and communicating this data to a control center running the Spectrum Power TG software.

The SCALANCE S612 device is designed to provide point-to-point data protection between SCALANCE cells, located upstream from the devices to be protected. The SCALANCE device encrypts and sends data in real time, while allowing for remote access through internet gateways. Additionally, communication is only possible between authenticated and authorized devices.

The Control Center is the main Human-to-Machine Interface (HMI) device for our test bed, which allows a human user to monitor and control multiple sub-station hubs from a single control center. The HMI software for the control center, Spectrum Power TG, allows the user to navigate the database items using a helpful and detailed GUI. This interface can be accessed locally or remotely using secure network connections. From this hub administrators can analyze current/voltage levels and trip breakers. Control center redundancy is provided in the form of control terminal hot-swapping and multiple databases.

The SIPROTEC 4 7SJ61 relay devices represent the sensor component of each remote substation. The purpose of these relays within our system is to measure and capture real-time transient current data. Additionally, the relays act as a circuit breaker that allows an operator to remotely open and close the relay connection, as well as tripping in the event of overcurrent.
These relays are operated, automated and managed by the Siemens DIGSI 4 software, which supports the relays in the retrieval of “processed information.”

Testing

The testing of our SCADA system was progressive over the course of our project as we completed each goal or “phase.”

Our first goal after setting up and configuring our network was to be able to open and close a circuit breaker from the control center. Correct operation of the switching command was confirmed by an LED light on the relay that indicates the relay circuit as being open or closed.

The next objective was to integrate a resistive load into the system. Attaching a load to a relay allowed us to observe live, real-time current on the system. We could then observe the amperage value sensed by the relay.

When this was achieved, we set up overcurrent tripping on the relays. The goal was to configure the relays to break their circuit or “trip” when the current passing through the relay surpasses a set threshold. We tested this by attaching a variable resistive load to the. Correct operation was verified by noting whether a relay “tripped” when subjected to an overcurrent.

Our last exercise was to attempt to disrupt communication between the control center and the remote “sub-stations” (RTU and relay). Using the technique of ARP poisoning we were able to execute a Man-in-the-Middle attack by inserting a computer between the control center and a sub-station RTU. We filtered out command requests to open and close the relay circuit. To test this attack we attempted to open and close the relay from the control center, but the relay reported no change in the status of the circuit.

[Figures: Network Layout; Relays; Wireshark Analysis]

Summary

Our senior design team successfully met all of our goals for implementing and configuring our SCADA network testbed for use in attack-defense testing and impact analysis. During the course of our project we were successful in accomplishing all of our goals.
First, we successfully set up and configured our SCADA network so that all devices and systems were able to communicate with each other. Second, we integrated the SCALANCE S612 security cells into our network to provide an encrypted point-to-point VPN connection between security cells. Third, we were able to remotely open and close our relay circuit breakers. Fourth, we successfully integrated an actual resistive load into our SCADA system along with implementing circuit breaker tripping in the event of an overcurrent detection. Lastly, we were able to compromise the operation of the SCADA system using a Denial of Service attack and a Man-in-the-Middle attack.

The scope of our project was limited to simple attacks performed local to the SCADA network. Further work could be done to develop more sophisticated attacks and attacks that can be carried out remotely. Better understanding and management of the software systems and devices within the system would benefit not only the operation of the system but also allow for a more in-depth security evaluation.

Team Members: Justin Fitzpatrick (EE), Ben Kregel (EE), Michael Higdon (CprE), Rafi Adnan (EE)
Faculty Advisor / Client: Manimaran Govindarasu
Website: http://seniord.ece.iastate.edu/may1013
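
The Man-in-the-Middle test in the Testing section relied on ARP poisoning, which appears on the wire as ARP replies that rebind the control center's or the RTU's IP address to a different MAC address. The following is an added example, not part of the original poster, of a check run over captured ARP replies; the inventory, the `check_arp` function and the sample observations are constructed assumptions, not values from the testbed.

```python
from collections import defaultdict

# Assumed static inventory of protected hosts: IP -> expected MAC.
# All addresses are constructed placeholders.
INVENTORY = {
    "192.0.2.10": "00:11:22:aa:aa:01",  # control center (hypothetical)
    "192.0.2.20": "00:11:22:bb:bb:02",  # sub-station RTU (hypothetical)
}

# Constructed ARP replies: (timestamp, sender IP, sender MAC).
SAMPLE = [
    (1.0, "192.0.2.10", "00:11:22:AA:AA:01"),  # control center, as expected
    (2.0, "192.0.2.20", "00:11:22:bb:bb:02"),  # RTU, as expected
    (3.0, "192.0.2.20", "00:11:22:cc:cc:99"),  # another MAC claims the RTU
    (3.1, "192.0.2.10", "00:11:22:cc:cc:99"),  # same MAC claims the control center
    (4.0, "192.0.2.20", "00:11:22:cc:cc:99"),  # repeat, must not re-alert
    (5.0, "192.0.2.77", "00:11:22:dd:dd:05"),  # host outside the inventory
]

def check_arp(observations, inventory=INVENTORY):
    """Return alerts (ts, kind, ip(s), mac) for replies that contradict the inventory."""
    alerts = []
    reported_pairs = set()       # (ip, mac) mismatches already alerted
    reported_macs = set()        # MACs already flagged for claiming several hosts
    claimed = defaultdict(set)   # MAC -> protected IPs it has claimed
    for ts, ip, mac in observations:
        mac = mac.lower()
        expected = inventory.get(ip)
        if expected is None:
            continue             # only protected hosts are checked
        claimed[mac].add(ip)
        if mac != expected.lower() and (ip, mac) not in reported_pairs:
            reported_pairs.add((ip, mac))
            alerts.append((ts, "BINDING_MISMATCH", ip, mac))
        # One MAC answering for both ends of a link is the signature of a
        # host placed between the control center and the RTU.
        if len(claimed[mac]) > 1 and mac not in reported_macs:
            reported_macs.add(mac)
            alerts.append((ts, "ONE_MAC_MANY_HOSTS",
                           ",".join(sorted(claimed[mac])), mac))
    return alerts

if __name__ == "__main__":
    for alert in check_arp(SAMPLE):
        print(alert)
```

Static ARP entries on the control center and RTU, or dynamic ARP inspection on the switch, prevent the rebinding that this check only detects.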