Cyber-Physical System Security of Smart Grid

Transcription

1 Cyber-Physical System Security of Smart Grid Manimaran Govindarasu Dept. of Electrical and Computer Engineering Iowa State University, USA Presented at NSF-ECEDHA Energy and Power Summer Program, Georgia Tech, July 9, 2011

2 Presentation Outline Intro. to cyber systems and security Cyber attacks on power grid Risk assessment 4 Control systems security 5 6 SCADA Security Testbed Conclusions Page 2

3 Characteristics of Secure System Confidentiality: - Message content should be accessed by authorized users only - Achieved by using encryption Integrity: - Making sure that message was not altered (in transit, or later) without detection - Achieved by using hashing Availability: - services must be accessible and available to authorized users Authentication: - Sender, receiver want to confirm identity of each other - Achieved by using d Non-Repudiation: - The actual sender can not claim that he did not send the message - Achieved by using digital signature

4 Security Threats Interruption: preventing messages from reaching authorized users Interception: getting access to the message content Modification: altering the message content Fabrication: injecting fake messages A B Replication: re-sending previously sent message Infrastructure attacks: many forms: protocol attacks, intrusions, DoS

5 Security threats/characteristics mapping Security Threat Interruption Interception Modification Fabrication Replication Characteristics affected Availability Confidentiality Integrity Confidentiality Availability Availability Authentication Authentication Availability

6 Internet operation Functional & Attack View DoS hack DNS Server Intra-domain routing Interruption Fabrication DoS attacks Routing table poisoning Destination Packet Mistreating Src Dst NxtHop (Routing Table) Protocol attacks Page 4

7 Securing the Cyber systems is difficult Open and interoperable protocols - while desirable, tend to work against security. Security vs. performance tradeoff - performance was usually preferred Security is expensive - special resources are needed to support it Security vs. usability tradeoff - security often complicates things Attackers enjoy breaking into a system - Some people see circumventing security as a challenge and enjoy doing it Cyber Infrastructure is vulnerable - Most systems and networks were not designed with security concerns in mind

8 Cyber Threats to Critical Infrastructures Cyber-Based Attacks Protocol Attacks Routing Attacks Intrusions Worms / Spyware/ Malware Denial of Service (DoS) Insider Threats [General Accounting Office, CIP Reports, 2004 to 2010]; [NSA Perfect Citizen, 2010]: Recognizes that critical infrastructures are vulnerable to cyber attacks from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and other malicious intruders. Page 8

9 Statistics of Cyber Vulnerability Total vulnerability: 39,490 (Up-to-date) Statistics From US CERT Total Vulnerabilities Cateloged Page 9

10 Distributed Denial of Service Attack (DDos) - e.g., Botnets Slave (zombie) Slave (zombie) Slave (zombie) Master Attacker Slave (zombie) 2. The master installs attack code on slave machines, also called (zombies). 1. Attacker compromises attack machine (the master). Victim 3. Slaves are instructed to flood the victim with packets holding spoofed IPs Slave (zombie) Slave (zombie) Slave (zombie) Page 10

11 Reflector DoS Attacks (stepping stone) Reflectors Reflectors send send their their replies replies to to the the victim victim Reflectors Attacker Attacker compromises compromises attack attack machine machine (the (the master) master) The The master master installs installs attack attack code code on on slave slave machines, machines, also also called called (zombies) (zombies) Attacker master Victim victim s address in the source address field of each Slave (zombie) request. Zombies Zombies are are instructed instructed to to continuously continuously send send spoofed spoofed requests requests to to large large set set of of Internet Internet reflectors reflectors Page 10

12 How an intrusion happens? 1. Try now 2. If it does not succeed, try again 3. And again Hacking is a trial and error process Page 12

13 The Intrusion Process Steps to penetrate into a network involve: Footprinting Identification of organization s security posture locations of the substations, control centers, or generating units IP addresses and address of the utility company Scanning Exhaustively identify the possibilities access points Access points: Wireless connection, LAN, VLAN, VPN, and Tools: War dialing or Traffic sniffer Enumerating Listing all active ports available on a target IP address Tools: Password guessing: Dictionary, brute-force, social engineering Exploit! This is where an attacker got lucky! But we do not want them to be lucky Page 13 Unfortunately, automated software tools are available online

14 /167 Information Security Vs. Infrastructure security Information Security Infrastructure Security Scope Information Protection Message Confidentiality Message Integrity Message Authenticity Infrastructure protection Routers Servers Links Protocols Service availability Approach Encryption/Decryption Digital signature Message Authentication Codes Public Key Infrastructure Traffic Monitoring Statistical analysis Authentication Protocols Secure Protocols Secure Servers Our very way of life depends on the secure and safe operations of critical systems that depend on the cyberspace [Richard Clarke, NSTAC 2002] Page 14

15 Presentation Outline Intro. to cyber systems and security Cyber-power systems & cyber attacks Risk assessment 4 Control systems security 5 6 SCADA Security Testbed Conclusions Page 15

16 Electric Power Grid: A Cyber-Physical System Source: Page 16

17 Security layers of power grid Internet security Intranet security Computer Dynamic Voltage Overload security security security security Power System Security Zone Cyber Security Zone Page 17

18 SCADA control network Page 18

19 Substation automation SCADA Modems Remote Users Substation Computer Back-up master N I M N I M N I M Data Collection LAN N I M N I M N I M N I M N I M Control LAN I/O Node I/O Node Digital Meter Protectiv e Relay PMUs IEDs SUBSTATION I/O SOURCES Circuit Breakers Switches Capacitors Batteries Electro-Mechanical Devices Transformers Page 19

20 Cyber Incidents on SCADA Systems : Salt River Project, an electricity and water provider in Phoenix, was hacked 1997: A teenager shuts down the air-traffic control room of a local MA airport 1997: The US DoD asks NSA to test safety of power supply going to US military bases 1999: Russian hackers took control of a pipeline for 24 hours 2000: Disgruntled Australian employee hacks wastewater SCADA system 45 times and dumps 264,000 gallons of sewage in the city s parks and rivers 2001: California ISO affected by a software exploit in Solaris, for 17 days 2002: Captured Al-Qaeda laptops reveal critical data to hack the US power grid 2003: Slammer worm crashes Davis-Besse nuclear power plant, OH, for 5 hours 2003: Slammer worm penetrates a major SCADA network through a VPN connection 2003: Major blackout in northeastern US (software bugs: a contributing factor) 2010: Stuxnet worm targeted nuclear power plant operation Iran, worldwide Page 20

21 Cyber threat to power grid are real CIP Report, General Accounting Office, March 2004 There has been a growing recognition that control systems are now vulnerable to cyber attacks from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and other malicious intruders Repository for Industrial Control System (RISI) incident report, March # industrial cyber incidents has been stable, expected to rise - Power and utilities: 13 reported incidents in the last 5 years (30% increase from previous 5 years; Total: 28 incidents) McAfee report [2010] In the Crossfire: Critical Infrastructure in the Age of Cyber War - Shows similar data and increase in cyber incidents The problem is that IT people don t understand SCADA and SCADA people don t understand security [Gary Sevounts, Director, Symantec] Page 21

22 Cyber Threats to Critical Infrastructures Cyber-Based Attacks Protocol Attacks Routing Attacks Intrusions Worms / Spyware/ Malware Denial of Service (DoS) Insider Threats Page 22

23 Intrusion Scenarios The Processes of Hacking: Footprint, Scan, Enumerate, and Exploit Page 23 Step 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: Searching Once Sniff Another Using A Found Upon new NMap IP the successful VPN way network addresses, wireless Substation for to connections dial-up discover get upon logon access into found , SCADA or successful to the to wireless other point through control Scan intranet firewall system. intranet, is , the connections found, logon machines center is information; ports through Use to sniff try intranet, are , the password to ( , the dial-up of login alive intranet this utility local sniff and using reveals use network. guessing traffic through the found , scanning default network and configurations it For footprinting wireless program is determine password used instance, and programs and gather access for to ). logon of GPS footprinting. if war-dialing (e.g., the IP Attempt IP points. netcat) firewalls. techniques. programs communication. if addresses. connection to it logon is password Determine to using By check by is Determine doing knowing are secured password protected. for also the so, available number determined. a with the remote guessing prefix ports passphrase. ports of IP of are IP utility programs address These are alive alive. phone and IP is in addresses Use if found attempt these number. password intranet. to are to possibly are Password-guessing logon password scanned cracking using log on protected. password to program to determine other programs to intranet guessing the are ports hack using used program the if are windows the if system. alive these access / terminal listening. are point password user is password interface protected. protected.

24 Coordinated attacks - smart attacks Attack at these substations Page 24

25 Attack Classification Cyber Attacks on Critical Infrastructures Coordinated Attacks Isolated Attacks Intelligent Coordinated Attacks Brute-force Coordinated Attacks Brute-force Isolated Attacks Intelligent Isolated Attacks Page 25

26 Presentation Outline Intro. to cyber systems and security Cyber attacks on power grid Risk assessment 4 Control systems security 5 6 SCADA Security Testbed Conclusions Page 26

27 Electric Grid - Control Center Environment Power System Operations Control Center ISO Operating Center Generation Control Center (Generators) Office Intranet EMS DMZ F EMS System Primary Control Area F ISO DMZ F Transmission Substation Automation (Buses) Distribution Substation Control (Loads) WAN Office Intranet F EMS DMZ WAN EMS System F Backup Control Area WAN F ISO DMZ Page 27

28 Critical Cyber Asset Identification - Energy Management System (EMS) in Control Center - Distribution Management System (DMS) - Process Control System (Power Plants) - Substation Automation System (SAS) - SCADA Control network Page 28

29 Multilevel Security Enforce appropriate security properties - Confidentiality, Integrity, Availability, Authentication, Access control, and Non-repudiation. System level security User-level security - Password management, privilege levels, training, Operating System (OS) security - Access control, security policies, patch management, database security, system management Network level security - Firewall, intrusion detection, protocol security, session security Page 29

30 NERC CIP Standards Focuses on Accounting Polices and procedures Governance Critical Asset inventory Information Classification Change control Training & Personnel Risk management Focuses on Access control Network management Systems management Incident Response Recovery Vulnerability Assessment Physical Security What to do, but not how to do? NERC Cyber security standards generally take IT security concepts and apply them to control networks and systems BUT, the underlying physical system has real-time dynamics, which needs to be accounted Cyber-Physical Systems Security Page 30

31 Info. Vs. Infrastr. vs. Control system security /167 Information Security Infrastructure Security Control Systems Security N E E D S Information Protection Message Confidentiality Message Integrity Message Authenticity Infrastructure protection Routers DNS servers Links Internet protocols Service availability Generation control apps. Transmission control apps. Distribution control apps. Real-Time Energy Markets M E A N S Encryption/Decryption Digital signature Message Auth.Codes Public Key Infrastructure Traffic Monitoring Statistical analysis Authentication Protocols Secure Protocols Secure Servers Robust Control Algorithms Model-based Algorithms - Anomaly detection - Intrusion Tolerance - Bad data elimination Risk modeling and mitigation Cyber Attacks: Deter, Prevent, Detect, Mitigate, be Resilient, Attribution Page 31

32 Risk Modeling and Mitigation Framework Risk = Threat x Vulnerability x Impacts Risk Assessment & Risk Mitigation (GAO CIP Report, 2010) Security Investment Analysis System Vulnerability Scenario Vulnerability Access Point Vulnerability high risk low risk Page 32 Hierarchical modeling

33 Risk Modeling Framework Anomaly Detection Impact Analysis AB C D AECFAB A Real-Time Monitoring Responses Page 33

34 Risk Management Proactive (offline) Define system model Proactive/Reactive (online) Real-time monitoring Define attacker model Risk assessment Sensitivity analysis Security enhancements Cost-benefit analysis Anomaly detection Intrusions DoS attacks Timing attacks What if scenario analysis Impact analysis (risk modeling) Real-time mitigation Page 34

35 Presentation Outline Intro. to cyber systems and security Cyber attacks on power grid Risk assessment 4 Control systems security 5 6 SCADA Security Testbed Conclusions Page 35

36 The SCADA Network: Control system view Control Center Schematic Control System Schematic Page 36

37 Control System Attack Modeling Control Signal Cyber System Man-in-the-middle attacks Data integrity attacks Denial of service attacks Timing attacks min max [ t), ( t) ] z^ i ( z^ i Physical System min max yˆ ( t), yˆ ( t ) i i Sensing Signal Signal Integrity Attack DoS Attack Duration of the attack τ = A [ ] t, s t e Page 37 Y. Huang, A. A. Cardenas, S. Sastry, Understanding the Physical and Economic Consequences of Attacks on Control Systems, Elsevier, International Journal of Critical Infrastructure Protection 2009.

38 Cyber Attacks on Wide Area Monitoring and Control Man-in-the-middle attacks Data integrity attacks Denial of service attacks Timing attacks Frequency control Voltage control Stability control Page 38

39 Real-Time Control Loops in the Power Grid Page 39

40 Automatic Generation Control (AGC) Area 1 Control Center Frequency and Tie-Line Flow Measurements Control Action Area 1 Power System Tie-Line Flow Area 2 Control Center Control Action Frequency and Tie-Line Flow Measurements Area 2 Power System Page 40

41 Balancing Authorities in the U.S. Page 41 Source: NERC

42 The AGC Algorithm Page 42 Inputs to AGC algorithm: Frequency deviation Δf, Net tie-line flow ΔP i

43 Simulation - Results An intelligent attack involves manipulating tie-line flow and frequency Attack-impact Results (2 control area test system) Parameter Before Attack After Attack Frequency (Hz) Tie-Line Flow from Area 1 (pu) Unit 1 Generation change (pu) Generation- Demand Imbalance (pu) S. Siddharth and G. Manimaran, Data integrity attacks and their impacts on SCADA control system IEEE PES General Meeting, Page 43

44 Voltage Control Loop - FACTS 1. Connected to Transmission Network 2. Inject/Absorb Reactive Power 3. Remotely Controlled S. Siddharth and G. Manimaran, Data integrity attacks and their impacts on voltage control loops, IEEE PES General Meeting, 2011.

45 Voltage Control Loop - FACTS Attack Vectors (*) - Denial of Cooperative Operation among FACT devices - Desynchronization (timing-based attack) - Data injection (data corruption/duplicate) Sample Attack: Bad data injection Effect: Incorrect reactive power injection/absorption into the network Impact: Voltage criteria violation * Source Critical Infrastructure Protection, Eric Goetx and Sujeet Shenoi, Springer 2009

46 Presentation Outline Intro. to cyber systems and security Cyber attacks on power grid Risk assessment 4 Control systems security 5 6 SCADA Security Testbed Conclusions Page 46

47 SCADA Security Testbed C A C A F ABC D ABC D E ABC D E F F F Page 47 E F E E E F

48 Spectrum Power TG Control Center Managing databases Establishing communications Monitoring current or voltage levels, trip breakers. Analog telemetry from relays Binary statuses for breakers Page 48

49 Substation: RTU, Firewall, Relay, Load SICAM PAS RTU Scalance security device Siemens DIGSI 4 (over current relay) with Resistive load Page 49

50 Cyber-Physical Security Testbed: SCADA + ISEAGE + RTDS DTS Primary Control Intranet Backup Control Control Center SCADA Server WAN Remote Station RTU RTU IED IED RTDS (Real-Time Digital Simulator) Page 50

51 Testbed - Security Testing Nmap - Port scanning - Communication Port Wireshark - Packet capture - DNP 3.0 Protocol - Relay Open/Close request packet Attack-defense studies - Denial of Sensor measurement (Substation Control center) - Denial of Control (Control center Substation) - Cyber-Physical Impact Analysis & Countermeasure evaluation

52 Presentation Outline Intro. to cyber systems and security Cyber attacks on power grid Risk assessment 4 Control systems security 5 6 SCADA Security Testbed Conclusions Page 52

53 Conclusions (1) Cyber security threat to power grid is real! Increasingly important in the emerging smart grid Vulnerability exists in critical SCADA systems - SCDA, RTU, IED, EMS, etc. - ICCP, RTU-SCADA link, comm. Ports - Access control mechanisms, patch management, etc. Electronic security policy, Best practices - Electronic security perimeter - IDS/IPS, firewalls, anti-virus software - Incidence notification, response, and analysis - Recovery contingency plans - Security Systems Engineering Page 53

54 Conclusions (2) Cyber-Physical System Security = IT Security + Real-Time Control + System Dynamics (+ Safety issues) R&D Issues - Risk modeling and mitigation - Intrusion prevention, tolerance, mitigation - Denial of service/control prevention and mitigation - Secure protocols - Security Systems Engineering - Simulation tools, SCADA-Security Testbeds and Studies Interdisciplinary R&D: Power System + Cyber Security Collaborative R&D: Industry-University-Regulatory bodies Education: University education, short courses, continuing ed. Page 54

55 Conclusions (3) Sample R&D efforts - US National Laboratories - Idaho National Laboratory (National SCADA Testbed) - Sandia National Laboratory - Pacific Northwest National Laboratory - Oak Ridge National Laboratory - US Department of Homeland Security (Control Systems Security Program) - Covers critical infrastructures SCADA, PCS, DCS - NERC CIP Standards - DoE Cyber Security Roadmap - DoE NASPInet initative Page 55 - Industry R&D efforts and security products - University research efforts - University of Illinois, Iowa State,, European universities, etc.

56 Thank you!!! Acknowledgements: National Science Foundation Electric Power Research Center, ISU