CYBER SECURITY OF SCADA SYSTEMS TESTBED


10/12/2010
SDMAY11/11
CYBER SECURITY OF SCADA SYSTEMS TESTBED
Project Plan
Tony Gedwillo, James Parrott, David Ryan

TABLE OF CONTENTS

Problem Statement
System Overview
  System Description
  Conceptual Diagram
Market and Literature Survey
  NSTB
  NERC
  US-CERT CSSP
Operating Environment and Technology Considerations
  Siemens SCALANCE S612 Security Module
  Siemens SIPROTEC 4 7SJ61 Relay (Sensor)
  Siemens Spectrum Power TG SCADA/EMS (HMI)
  Siemens SICAM PAS v6.00 (RTU)
  Siemens DIGSI
  Virtualization Software
  Vulnerability Assessment Software
Expected Project Deliverables
  Virtualized Test Bed
  Vulnerability Assessment and Fixes
  Physical Representation of Relay Outputs
Requirements
  Functional Requirements
    Virtualization
    Cyber Security
    Power System Integration
  Non-functional Requirements
  Optional Requirements
Work Plan
  Tasks
  Schedule
  Risks
  Mitigation of Risks
Resource Requirements
  Personnel
  Hardware
  Project Milestones and Tracking
  Software and Facilities
Client Information
  Client and Faculty Advisor
  Student Team Members
References

PROBLEM STATEMENT

Supervisory Control and Data Acquisition (SCADA) systems are the nervous systems for the body of our country's infrastructure. This body includes many systems that are vital to the function of our society: power, water, natural gas, oil, and road traffic systems among many others. However, the nervous systems (SCADA systems) that control our infrastructure are currently vulnerable to cyber-attack.

Since the mid-1990's, security experts have become increasingly concerned about the threat of malicious cyber attacks on the vital supervisory control and data acquisition (SCADA) systems used to monitor and manage our energy systems. Most SCADA system designs did not anticipate the security threats posed by today's reliance on common software and operating systems, public telecommunication networks, and the Internet. [1]

Our goal is to improve the cyber security of SCADA systems by making our own SCADA test bed, where we can simulate power systems and the communication protocols they use, and attempt cyber attacks on our systems. Through this process, we can test vulnerabilities of commercial SCADA protection products and report their vulnerabilities. We can also demonstrate the effects a SCADA cyber attack can have on a power system.

We will be improving the test bed created by the previous year's team. We will be adding virtualization, power flow analysis, and more advanced cyber-attacks.

SYSTEM OVERVIEW

SYSTEM DESCRIPTION

A SCADA system can be separated into these 4 components:

- Control Center: Usually consists of a Human-Machine Interface (HMI) by which a human operator can view process data and control that same process.
- Supervisory Station: This element consists of the servers, software and stations responsible for providing communication between the Control Center and RTUs.
- Remote Terminal Unit (RTU): Typically connected to physical equipment. Used to convert electrical signals from hardware sensors to digital data which is collected by the supervisory station.
- Sensor: A device that measures an analog or status value in some element of a process; a sensor collects the raw process data used to make decisions about a process.

CONCEPTUAL DIAGRAM

[Figure: conceptual diagram of the test bed. Labels: Human Machine Interface 1, Human Machine Interface 2, DTS, Control Center, SCALANCE, Remote Workstation, Internet, Web Access, Substations 1 to N (SCALANCE or Firewall), Relays 1 to N, SICAM 1 to N, Proposed Virtualized Substations.]

MARKET AND LITERATURE SURVEY [10]

NSTB

The National SCADA Test Bed (NSTB) is a national effort focused on the identification and mitigation of new and existing security vulnerabilities in SCADA systems, as well as raising awareness of control system security, specifically within the energy sector. The NSTB is a special collaboration between public and private sector entities representing the energy sector and equipment vendors. The primary goals of this effort, as listed by the NSTB, are to:

- Raise industry awareness of system vulnerability issues and mitigation techniques
- Collaborate with industry to identify, assess, and mitigate current SCADA system vulnerabilities
- Work with industry to develop near-term solutions and risk mitigation strategies for existing systems
- Develop best practices as well as next-generation architectures for intelligent, inherently secure and dependable control systems and infrastructures
- Support development of national standards and guidelines for more secure control systems

These research goals are geared towards answering and satisfying the problem and need statement of this project as well as industry need.

One of the primary functions of the NSTB program is to provide control system security assessment of industry hardware and software SCADA systems and associated devices. Typically, the NSTB will develop an agreement that defines a working relationship with an intended industry partner. The NSTB will then obtain and set up any equipment or software that is intended for testing. After the test bed has been set up and configured using the industry equipment, the NSTB will perform tests to identify possible cyber security vulnerabilities within the SCADA system. At this point a test evaluation report is created for the industry partner that assesses and presents the results of the cyber security tests performed on the system.

NERC

The North American Electricity and Reliability Corporation (NERC) is an organization focused on development and enforcement of reliability standards in power systems. In 2007 the Federal Energy Regulatory Commission (FERC) granted NERC the legal authority to enforce reliability standards on all bulk power system users, owners, and operators within the US. With this authority NERC made compliance with NERC reliability standards both mandatory and enforceable.

While it is only one aspect of NERC's operations, currently the NERC Critical Infrastructure Protection (CIP) program is coordinating with the energy sector to evaluate and provide standards to improve and protect critical infrastructure against physical and cyber-attack. The key efforts in support of this goal include:

- Standards development
- Compliance enforcement
- Assessment of risk and preparedness
- Disseminating critical information via industry alerts
- Raising awareness of key issues

The Critical Infrastructure Protection (CIP) program maintains and updates a set of standards known as the CIP Reliability Standards; industry systems which meet or comply with the CIP standards are known to be CIP-Compliant. Dissemination and enforcement of these standards is performed by NERC, and it is through enforced compliance with these standards that increased security within energy critical infrastructure can be achieved. CIP reliability standards include:

- CIP Sabotage Reporting
- CIP Critical Cyber Asset Identification
- CIP Cyber Security Critical Cyber Asset Identification
- CIP Security Management Controls
- CIP Cyber Security Security Management Controls
- CIP Personnel & Training
- CIP Cyber Security Personnel & Training
- CIP Electronic Security Perimeter(s)
- CIP Cyber Security Electronic Security Perimeter(s)
- CIP Physical Security of Cyber Assets
- CIP Cyber Security Physical Security of Cyber Assets
- CIP Systems Security Management
- CIP Cyber Security Systems Security Management
- CIP Incident Reporting and Response Planning
- CIP Cyber Security Incident Reporting and Response Planning
- CIP Recovery Plans for Critical Cyber Assets
- CIP Cyber Security Recovery Plans for Critical Cyber Assets

Another aspect of NERC's CIP program is the Electric Sector Information Sharing and Analysis Center (ES-ISAC), which is responsible for dissemination of critical information regarding infrastructure protection to industry partners and participants. The information provided by ES-ISAC includes vulnerability alerts, protection strategies and threat levels.

US-CERT CSSP

The focus of the United States Computer Emergency and Response Team (US-CERT) is to provide response support and defense against cyber-attacks for the Federal Civil Executive Branch, as well as collaboration and information sharing with state, local, industry and international partners. The US-CERT has coordinated with the Department of Homeland Security National Cyber Security Division (DHS NCSD) to reduce risk in critical infrastructure through the joint Control System Security Program (CSSP). In addition to assessing and reducing risk in critical infrastructure, the CSSP coordinates activities to reduce the success and impact of attacks against critical infrastructure control systems through various risk-mitigation activities.

Most of the efforts of the US-CERT CSSP are focused towards dissemination of critical information regarding security threats and vulnerabilities and development of recommended security best practices in collaboration with industry experts through the CSSP workgroup.
Other tools offered through the US-CERT CSSP include training courses geared towards control system security, the Cyber Security Evaluation Tool (CSET) used to assess control system and IT network security practices, and numerous documents pertaining to cyber security best practices, common vulnerabilities, and case studies.

OPERATING ENVIRONMENT AND TECHNOLOGY CONSIDERATIONS

Our SCADA network test bed consists of a few key pieces of hardware and software:

Hardware
  o Siemens SCALANCE S612 Security Module
  o Siemens SIPROTEC 4 7SJ61 Relay (Sensor)
Software
  o Siemens Spectrum Power TG SCADA/EMS (HMI)
  o Siemens SICAM PAS v6.00 (RTU)
  o Siemens DIGSI (Software for SIPROTEC Protection Relays)
  o Virtualization Software
  o Vulnerability Assessment Software

SIEMENS SCALANCE S612 SECURITY MODULE

SCADA systems operate across large distances and are required to transmit process information across Wide Area Networks (WANs). It is therefore important to employ some sort of protection method to ensure the integrity and confidentiality of this data. The SCALANCE S612 Security Module is used to provide point-to-point data integrity and confidentiality within SCADA system networks by controlling data traffic to and from SCALANCE S612 cells. These devices will be used within our SCADA system test bed to protect information being transmitted between our SCADA control center and substation RTUs across Wide and Local Area Networks.

This device, developed by Siemens, is designed to provide data protection to and from the SCALANCE cell by being connected upstream from the devices to be protected. The SCALANCE device solves the problem of security rule and configuration checks that hinder the transmission and use of information in real-time by encrypting and sending data transmissions in real-time. The SCALANCE S612 can protect up to 32 devices and supports a maximum of 64 VPN tunnels simultaneously. [2]

SIEMENS SIPROTEC 4 7SJ61 RELAY (SENSOR)

The SIPROTEC 4 7SJ61 Relay can be used to provide simple control of circuit-breaker and automation functions [3] and will be used in our SCADA system test bed to act as a sensor that performs our system's process data collection. The relays that will be used within our SCADA system will be operated and managed by Siemens DIGSI 4 software, allowing the operator to implement customized automation functions via the relays' integrated programmable logic (CFC). [3]

SIEMENS SPECTRUM POWER TG SCADA/EMS (HMI)

The Spectrum Power TG software is the supervisory control and data acquisition (SCADA) system within our test bed. It is also the Human-Machine Interface (HMI) by which a human operator can view data from and make decisions about a process. According to Siemens, this software is the most reliable, scalable, flexible, highly available SCADA system on the market and can be used to control various large scale infrastructures such as those of electric, gas, and water utilities and railways. This system is scalable from a single Substation/RTU to the world's largest control centers with a hierarchical system capable of linking an infinite number of systems. [4]

SIEMENS SICAM PAS V6.00 (RTU)

SICAM PAS (Power Automation System) is a piece of software used in conjunction with Spectrum Power TG software as a part of a SCADA system. The SICAM PAS software runs on and acts as a Remote Terminal Unit that is responsible for interpreting sensory data about a process and communicating this data to a control center running the Spectrum Power TG software. Siemens describes SICAM PAS as a computer-based information management system used to structure the diverse substation information and ensure that it is used efficiently. This software can be implemented in a distributed configuration, allowing the system to operate simultaneously on multiple systems. At the same time SICAM PAS acts as a gateway, requiring only one connection to higher-level control centers. [5] SICAM PAS can use existing hardware components and communication standards as well as their connections. [5]

SIEMENS DIGSI 4

The Siemens DIGSI 4 software is used for configuration, operation and organization of Siemens SIPROTEC protection relays. This software will be used in this capacity to support the SIPROTEC Relays used in our SCADA system test bed to retrieve simulated process information. DIGSI 4 is considered Siemens' easy-to-use and user-friendly solution for commissioning and operation of Siemens protection devices. This system integrates password protection to restrict access for different jobs to only authorized staff. The DIGSI software allows for easy use of PLCs with a graphical editor without any programming skills. [6] Additionally, DIGSI remote allows access to process data and event logs from a remote station when the location of a relay station may be far away.

VIRTUALIZATION SOFTWARE

In order to provide virtualized substations for the test bed, we will be using the VMware ESXi Hypervisor Operating System to host all the virtual machines. This OS is used by many companies for their virtual platform. It allows easy control over virtual machines by using a vSphere client to connect to the VMware server. VMware ESX also supports virtual machine templates, meaning that we can set up an RTU the way we want and then deploy many RTUs from that one RTU.

VULNERABILITY ASSESSMENT SOFTWARE

We plan to use a variety of free and open source software to conduct our vulnerability assessment. As a starting point, we plan on using Nmap, Wireshark, and the BackTrack distribution of Linux.

Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. [7]

Wireshark is the world's foremost network protocol analyzer, and is the de facto standard across many industries and educational institutions. It allows for deep inspection of hundreds of protocols, live capture and offline analysis of network traffic, and the most powerful display filters in the industry. [8]

BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. BackTrack promotes a quick and easy way to find and update the largest database of security tools collection to-date. [9]

EXPECTED PROJECT DELIVERABLES

VIRTUALIZED TEST BED

One of our goals is to have virtualized substations in the test bed. This will allow for scalability and ease of configuration for the test bed. The virtualized test bed will be delivered in April of

VULNERABILITY ASSESSMENT AND FIXES

The main goal of this test bed is to find cyber-security flaws and find ways to fix them. Our plan is to first find exploits for the SCADA system, then assess the effect of the attack on the system, and finally provide fixes to the exploit. This will be an ongoing task and will be delivered at the end of the project, in May

PHYSICAL REPRESENTATION OF RELAY OUTPUTS

This is an optional deliverable, but we would still like to include it in our report. This physical representation of the relay outputs will take information from virtualized relays and then map it to a physical representation. We are thinking that we could have a map with LEDs to represent a real world power grid. This would help us demonstrate the test bed to those not familiar with the technology. If able to, we plan to deliver this in May

REQUIREMENTS

FUNCTIONAL REQUIREMENTS

VIRTUALIZATION

- Create a virtualized platform that allows network stack inspection.
  o Creating a virtualized platform will be the basis of adding more substations to the current test bed. Since we are limited on financial resources, we are unable to purchase more SIPROTEC Relays and SCALANCE devices. We need a virtualized platform that will allow virtual substations that can connect to the physical test bed. We also need this platform to have the ability of network stack inspection in order for us to test cyber-attack scenarios.
- Create virtualized images for RTUs, Control Center, firewalls and Relays.
  o In order to fully virtualize a substation, we will need to create virtual images for each segment of the substation. Creating a virtualized image for the RTU should be somewhat basic since it is a software application that runs on Windows. Creating a virtualized relay will be more difficult since it will require finding a relay simulator that can communicate with the RTU. We can use an open source firewall solution to simulate the SCALANCE firewalls.
- Virtualized system should be scalable to provide more realistic scenarios.
  o We want this system to be scalable to upwards of 30, if not more, substations. To be able to do this, we will first need to purchase and install a physical virtual host server with properly allocated physical resources. The substations should be deployed from the server.

CYBER SECURITY

Our analysis of vulnerabilities should follow industry's best practices. We plan on touring the MidAmerican Energy control center in Des Moines to see how they handle their security issues. We plan on investigating other industry practices, and modeling our system after commonly used industrial techniques. Additionally, attack scenarios should directly display power flow modification.

POWER SYSTEM INTEGRATION

- Integrate DTS with current SCADA test bed

  o We want to integrate our Dispatcher Training Simulator (DTS) in Spectrum Power TG into our test bed. The DTS has power flow analysis abilities, and we want to use these to model a system and make our cyber-attack scenarios more realistic. We need to figure out how the DTS operates and use that knowledge to integrate the DTS into our SCADA system in real time.
- Power simulation should represent real world scenarios
  o We want the integration between the Power Flow Simulation of the DTS and the test bed to be able to represent real world scenarios. This will make the test bed more realistic and applicable to the world's SCADA systems.

NON-FUNCTIONAL REQUIREMENTS

We have a few minor requirements that we have deemed non-functional:

- Minimal configuration on virtual image deployment
  o We want our system to be easy to set up and analyze. We don't want to have to configure each of our virtual images individually.
- Images should have backups to prevent loss
  o We are currently using one external hard drive to accomplish this task, but we are looking into other solutions.
- Attack scenarios can be demonstrated without requiring detailed information on attack functionality
  o The simpler we make our system to operate, the easier it will be to demonstrate it to the Senior Design Review Board and others who wish to see a demonstration.
- All test equipment should function correctly
- Power flow system should be easily interpreted
  o Again, we want observers to understand what's happening in our system. If the casual viewer can't easily understand what's going on, they will lose interest.

OPTIONAL REQUIREMENTS

- Power system should be represented physically
  o This will help observers quickly and easily understand the implications of a cyber-security attack. We are considering using an LED display to model transmission lines, substations, relays, generators, and loads. This LED display would make our SCADA system very easy to conceptualize, and it will make our system look more attractive and functional to observers.

WORK PLAN

TASKS

We are focusing on three task areas for this project: Virtualization, Power Flow Integration and System Vulnerability Assessment. Below are the detailed tasks for each.

Virtualization
- Test virtualization of substation on PC and make sure it integrates correctly.
- Install and deploy physical server.
- Deploy and test virtual substations.
- Integrate with test bed.
- Develop physical representation of substation relays and integrate with test bed.

Real-Time Implementation of Power Flow Software
- Network and software familiarization.
- Develop integration with physical test bed.
- Develop power system scenarios.
- Test the scenarios.

System Vulnerability Assessment
- Research system and networking protocols.
- Analyze network traffic.
- Create and test attacks.
- Assess the impact on the Virtualization and Power Flow components.
- Provide fixes for attacks and make recommendations.

SCHEDULE

Each team member is focusing on one of the specific areas listed above. James is working on Virtualization, Tony is working on Power Flow Integration and David is working on Cyber Security Analysis. Each member will focus on their individual area with the main goal of providing better analysis of cyber security threats. Below is a Gantt chart of our work schedule.

RISKS

The primary risk, at least initially, is a lack of training on our part. This is a complex, industrial grade system that we are working on, and it requires a lot of training. Add to this the poor documentation that was sent with the system, and we have a very high learning curve.

We also run the risk of breaking the system, or at least making it non-functional. This could happen through improper usage, most likely through uploading bad configurations to the equipment. It is also possible that we could corrupt the equipment with a successful attack.

A third possibility is finding that some of the equipment is malfunctioning. We have already had one of the software's USB authentication dongles go bad, which puts the software back into demo mode and lets it run for a maximum of three hours.

MITIGATION OF RISKS

We have hundreds of pages of manuals to learn from or to refer to if we have any questions. We also have access to some grad students who are familiar with the test bed, who will provide some much needed expertise to our project.

We need to ensure that devices can be restored to a working configuration. As such, we need to make sure that we back up any and all working configurations. This way, if a configuration change seems to bring down the system, we can compare the current configuration against one that we are certain is valid.

RESOURCE REQUIREMENTS

PERSONNEL

Labor for this project will be shared between the three project members. Given our project goals and tasks, we have estimated a total of hours we have to spend on this project. This will result in a total cost of $10,000-12,000 (at $20/hr). This is a heavily research and development dependent project and the SCADA software has an extremely high learning curve. In addition, we have an entire year's worth of research to catch up on. This means that the first few weeks will be spent primarily training.

HARDWARE

Since the test bed has already been established, there will be relatively few hardware expenditures. If we are able to successfully virtualize a network of substations, we intend to purchase a server capable of sustaining as large a virtual network as possible, though a good starting point is around 30 stations. We also want to make some upgrades to the physical representation of the power grid. Our initial idea is to add a map or an LED board to give a more visual representation of the network status.

PROJECT MILESTONES AND TRACKING

This project has multiple milestones in the progress of the tasks. For the virtualization segment, there are two milestones. The first milestone is being able to prototype a complete virtual substation connected to the test bed. The second milestone is connecting many, upwards of 30, substations to the test bed. In the Real-time Simulation of Power Flow, there are also two milestones. The first milestone is to be able to integrate real time simulation into the test bed. The second is to simulate real-world scenarios with the test bed. In regards to the Cyber-Security Analysis part of the project, no milestones were made, but this part is an ongoing cycle of testing an attack, assessing the attack's effects and providing mitigation of the attack.

SOFTWARE AND FACILITIES

The software costs will be zero. The Siemens SCADA software is already present, VMware's virtualization software has a free license option, and any security auditing tools we will be likely to use are free and open source.

Item                                      Cost
Personnel hours                           $10,000-$12,000
Hardware
  Virtualization Server                   $3000-$10,000
  Power System Physical Representation    $
  SIPROTEC 4 7SJ61 Relays                 $0
  SCALANCE S612 Security Module           $0
Software
  Spectrum Power TG SCADA/EMS (HMI)       $0
  SICAM PAS v6.00 (RTU)                   $0
  DIGSI (Relay Configuration)             $0
  VMware ESXi                             $0
  Nmap                                    $0
  Wireshark                               $0
  BackTrack Linux                         $0
Total                                     $13,100-$22,200

Table 1: Budget estimate

CLIENT INFORMATION

CLIENT AND FACULTY ADVISOR

Manimaran Govindarasu
3227 Coover Hall
Ames IA
gmani@iastate.edu

STUDENT TEAM MEMBERS

Tony Gedwillo
6212 Frederiksen Ct
Ames, IA
gedwillo@iastate.edu

James Parrott
416 Ash Ave
Ames, IA
jparrott@iastate.edu

David Ryan
2304 Wallace Rambo
Ames, IA
drryan50@iastate.edu


REFERENCES

1) 2) 3) 4) 5) 6) 7) 8) 9)
10) Market and Literature Survey information taken from previous senior design team May1013


More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions June 4, 2015. Electric Grid Operations

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions June 4, 2015. Electric Grid Operations San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions June 4, 2015 Electric Grid Operations Director Electric Grid Operations: Responsible for overall transmission

More information

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice NERC Cyber Security Compliance Consulting Services HCL Governance, Risk & Compliance Practice Overview The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to

More information

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks A look at multi-vendor access strategies Joel Langill TÜV FSEng ID-1772/09, CEH, CPT, CCNA Security Consultant / Staff

More information

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which

More information

Supporting our customers with NERC CIP compliance. James McQuiggan, CISSP

Supporting our customers with NERC CIP compliance. James McQuiggan, CISSP Supporting our customers with NERC CIP compliance James, CISSP Siemens Energy Sector Energy products and solutions - in 6 Divisions Oil & Gas Fossil Power Generation Renewable Energy Service Rotating Equipment

More information

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions. Electric Grid Operations

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions. Electric Grid Operations San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions Electric Grid Operations Director Electric Grid Operations: Responsible for overall transmission system operations

More information
