Electronic Security Perimeter Is this system air-gapped? No. But… it’s fiber optic. we own the network. we own the wireless network.
Electronic Security Perimeter Is this system air gapped? What is this? Leased line from phone company? Does the utility sell BW to 3 rd parties? No.
Common configuration DMZ Enterprise Network Control Room Outstation WWW
Can malware infect the control room or outstation? DMZ Enterprise Network Control Room Outstation WWW Yes
Can malware infect the control room or outstation? DMZ Enterprise Network Control Room Outstation WWW Yes
What about serial? RS-232/485 Stuxnet
Take aways Industrial control system networks are not commonly air gapped, though the control system engineers may think it is. Industrial control systems can be infected by malware. Electronic security perimeter alone is insufficient. Need a defense in depth approach.
Network Intrusion Detection for Industrial Control Systems Physical Wireless IDS Not much at this level Network, Transport Detect well known attacks ○ Tear drop, LAND, port scanning, Ping Common protocol rules ○ TCP, IP, UDP, ICMP Application Layer Detect protocol mutations Detect protocol specific DOS attacks Model Based IDS to detect system level attacks ○ measurement injection ○ command injection ○ system state steering Physical Data Link Network Transport Application
MSUTommy Morris Relay CT Transmission Line Network Short circuit Router Relay tripped
Causal Network Graphs for Intrusion Detection Map power system scenarios to a graph with Nodes representing a set of time ordered measureable events Multiple existing sources of data Unique path through graph for each scenario Classify events real time
Causal Network Graphs for Intrusion Detection – Case Study Power system events Over current fault – high current -> open breaker Remote trip – operator remotely opens breaker for maintenance Local trip at face plate – technician trips relay at the face plate Cyber Events - threats command injection attack to remotely trip the relay man-in-the-middle (MITM) attack on synchrophasor system (I=0) man-in-the-middle (MITM) attack on synchrophasor system (I>I trip )
Measureable Events Relay breaker status Energy Management System (EMS) Command from EMS to remote trip Synchrophasor system measurements current measurements (60 samples per second) Snort network signatures detect network message to trip the relay
Bayesian Network Graph -> Causal Event Graph Relay SnortEMS I H, Sn, RT I N, Sn, RT I H, Sn, RT Breaker open Breaker closed ININ I0I0 IHIH I H, Sn, RT fault command injection remote trip MITM I PMU >I Trip
Causal Event Graph Signatures I H, Sn, RT Breaker open I0I0 1) Fault I N, Sn, RT Breaker open I0I0 2) Command Injection I N, Sn, RT Breaker open I0I0 3) Scheduled Trip I 0, Sn, RT Breaker closed I0I0 4) MITM Attack I=0 I H, Sn, RT Breaker closed IHIH 5) MITM Attack I>I Trip I N, Sn, RT Breaker open I0I0 6) Local Trip time Hand mapped the signatures to a custom intrusion detection program.
Laboratory Validation – proof of concept B1B2 R1R2G1 BR1 BR2 L L1 Attack Detection Program EMS logsSnortRelay logs Synchrophasor Measurements RTDS Simulation Implemented each scenario Data loggers to capture measurements Offline intrusion detection program Successful classification of all scenarios
Future Work Causal Event Graphs Scale to more realistic systems Breaker and half Relay coordination Expanded relaying scheme support Real time IDS Move from Boolean to probabilistic IDS Automate graph to IDS signatures Measure accuracy and computational cost
EMS PDC Historian Eng’g Analysis PMU PDC PMU Transmission Line Network PMU PDC PMU *not shown (the 3 circuits above are part of an interconnection).
Syncrophasor System Equipment Phasor Measurement Unit (PMU) Synchronized phasor measurements 1uS synchronization, IEEE 1588, GPS 3-phase voltage phasors, current phasor Phasor Data Concentrator (PDC) Concentrate PMU streams Detect missing data Interpolate for missing data IEEE C > IEC
Snort Rules for Synchrophasor Systems Synchrophasor systems being installed across country by utilities with ARRA grants Improved electric grid visibility ○ Detect disturbances sooner Wide area protection ○ React to disturbances quickly to limit outage IEEE C Synchrophasor Network Protocol Need to develop Snort rules to Protect against IEEE C protocol mutation type attacks Detect reconnaissance, DOS, command injection, and measurement injection attacks
Snort Rules for Synchrophasor Systems – Protocol Mutation 2Frame Type Check Stand-aloneSYNC[0]{6:4} != (0, 1, 2, 3, 4) 10Polar RangeMulti- packet ConfigFrame: (FORMAT[0]{1} == 0 && FORMAT[0]{0} == 1) && DataFrame: (PHASORS[0:1] (Polar angle) > 31,416) || (PHASORS[0:1] (Polar angle) < -31,416) 11Data Frame size check Multi- packet EXPECTED FRAMESIZE != ACTUAL FRAMESIZE Simple check – is this a legal frame? Does the polar range in the data frame match the description in the configuration frame? Does the frame size match the frame size calculated from examing the configuration frame?
Retrofit SNORT Intrusion Detection for Industrial Control Systems MTU pump relief pipeline RTU control logic Set Point System Mode Control Scheme Pump Override Relief Override PID Setpoint PID Gain PID Reset PID Rate PID DB PID CT Output Pump State Relief State Pressure tap Detect Attacks Command Injection Measurement Injection Reconnaissance Denial of Service Snort
Snort Protocol Rules for MODBUS Reviewed specification and developed a fuzzing framework. Using fuzzing framework to guide rule development. ○ Rules for specific frame types ○ Function codes in frames define payload contents ○ Rules based upon relationships between frames query and response must match ○ Response special cases – exception frames match defined exceptions to query function code and error types
Cybersecurity Testing and Risk Assessment for Industrial Control Systems Denial of Service Known attacks High volume traffic Protocol mutation Device Security Assessment Security features Standards conformance Port scan Vulnerability scan Confidentiality, Integrity Password confidentiality Password storage Man-in-the- middle Many vulnerabilities identified and communicated to vendor and project partner. All addressed Firmware fixes New security features System architecture changes
Identify vulnerabilities, implement attacks, investigate impact on physical systems. Develop security solutions; system protection, intrusion detection, attack resilience Train engineers and scientists for control systems security careers. Cyber Security Industrial Control Systems Critical Infrastructure Protection Center
Read Sprabery BS CPE Power System Cybersecurity Drew Richey MS ECE Ladder logic to Snort Rules Uttam Adhikari PHD ECE Power System Cybersecurity Wei Gao PHD ECE SCADA Intrusion Detection Shengyi Pan PHD ECE Power System Cybersecurity Tommy Morris Asst. Prof. Director, CIPC Industrial Control System Security David Mudd MS ECE SCADA Virtual Test Bed Quintin Grice MS ECE Relay Settings Automation Joseph Johnson BS EE Control Systems Lalita Neti MS ECE Relay Settings Automation