Vulnerability Assessment of Cybersecurity for SCADA Systems Using Attack Trees

Transcription

1 Vulnerablty Assessment of Cyberseurty for SCADA Systems Usng Attak Trees Chee-Woo Ten, Student Member, IEEE, Chen-Chng Lu, Fellow, IEEE, Manmaran ovndarasu, Member, IEEE Abstrat By penetratng the SCADA system, an ntruder may remotely operate a power system usng supervsory ontrol prvleges. Hene, yberseurty has been reognzed as a major threat due to the potental ntruson to the onlne system. Ths paper proposes a methodology to evaluate the yberseurty vulnerablty usng attak trees. The attak tree formulaton based on power system ontrol networks s used to evaluate the system, senaro, and leaf vulnerabltes. The measure of vulnerabltes n the power system ontrol framework s determned based on exstng yberseurty ondtons before the vulnerablty ndes are evaluated. After the ndes are evaluated, an upper bound s mposed on eah senaro vulnerablty n order to determne the pvotal attak leaves that requre ountermeasure mprovements. The proposed framework an be extended to seurty nvestment analyss. Index Terms-- Attak Tree, Cyberseurty, Defense Systems, ower System Control, Seurty Vulnerablty. S I. INTRODUCTION INCE the September, 200 terrorst attak, the level of vglane has been rased to prevent attaks on power grds. Conventonal desgn of power systems does not provde a power system wth the proteton aganst yber attaks. The threats nlude sendng ontrol ommands va the supervsory ontrol system. Effets of a yber attak nlude loss of produton, degradaton of the onlne ontrol performane, and nablty to take preventve and orretve atons n tme. Damages aused by yber attaks an be atastroph. The wdespread nteronnetvty of the power system ontrol network poses sgnfant rsks to the naton s rtal operatons. Wthout proper ontrol of these omputer systems, ndvduals or organzatons may dsrupt the operatons from remote loatons for malous purposes []. Reent fndngs nlude plans of terrorsm to dsrupt the U.S. power grd [2]. Reent NERC dretves make t mandatory to undertake yberseurty vulnerablty assessment at the operator loatons and to take orretve measures [3]. The NERC seurty doument and ISO/IEC7799 Standard spefy gudelnes for yberseurty n power systems [3-]. In addton, omputer rme and seurty survey onduted by the Computer Seurty Insttute (CSI) ndated nadequate nvestment to seurty awareness tranng n utltes [6]. The lak of seurty awareness s nreasngly problemat as the yber attaks beome more sophstated. There have been novel ontrbutons to dentfy vulnerablty of yberseurty for a power grd. A testbed has been set up n [7] wth C.-W. Ten, C.-C. Lu, M. ovndarasu are wth the Eletral and Computer Engneerng Department, Iowa State Unversty of Sene and Tehnology, Ames, IA, 000 USA (e-mals: [email protected], [email protected], [email protected]). possble ntruson senaros to reognze and mtgate the effet of attaks. In [], a new threat s assumed n generaton ontrol that hakers ould aess to tamper wth the generator ontrol loop parameters. Ths may lead to destablzaton and trppng of rtal unts on the power grd. The ontrbuton of ths paper s an analytal method to measure the vulnerabltes of a ontrol enter and ts related omputer systems. An attak tree model s used as a framework to derve the quanttatve vulnerablty measures. otental ntruson senaros an be determned wth dfferent ombnatons of seurty breahes n order to penetrate the system. The penetraton may allow an ntruder to use SCADA ontrol apabltes to take undesrable atons, ausng serous damages. Ths paper provdes a systemat proedure to evaluate vulnerablty ndes. The remanng of ths paper s organzed as follows. Seton II provdes an overvew of attak tree modelng and ontrol enter networks. The attak tree modelng and methodology s desrbed n Seton III. Seton IV analyzes ntruson senaros n ase studes and provdes examples of a quanttatve vulnerablty analyss. votal attak leaves are determned by mposng an upper bound on the senaro vulnerablty. Seton VII s the onluson and future researh. II. ATTACK TREE MODELIN An attak tree s a graph that onnets more than one attak leaf from eah node [9-0]. An attak tree may onsst of a mult-level herarhy n a predeessor-suessor struture that aptures the possble ways to aheve sub-goals. The top node of an attak tree s the ultmate goal wth ombnatons of subgoals. Eah attak leaf may nlude one or more defense nodes that are dret suessors of the attak leaf. Defense nodes provde ountermeasures. In Fg. (a), the box labeled s a ountermeasure for attak leaf on the left sde. An attak leaf an be an element of dfferent ntruson senaros, dependng on the node onnetvty assoated wth t. The predeessors of eah attak leaf are nodes that are attrbuted wth log operators AND or OR. Eah predeessor node s spef for the gven leaf node. Fg. shows attak trees wth AND and OR onfguratons. All leaves lead to an AND box wll have to be penetrated n order to move up the attak tree,.e., a subsystem has been penetrated. On the other hand, n Fgure (b), f one of the attak leaves s penetrated, t s suffent to move up the attak tree. AND... 2 OR... (a) An attak leaf wth log operator "AND" (b) An attak leaf wth log operator "OR" Fg.. Attak Leaves wth AND or OR /07/$ IEEE.

2 2 A. Control enter ommunaton networks Fg. 2 shows the ommunaton paths wthn power system ontrol networks. Enttes n the ontrol enter, substaton automaton system, dstrbuton management system, Independent System Operator (ISO), and power plant proess ontrol system are nterlnked. The nterdependeny of the ommunaton and power system nfrastrutures plays an essental role to wde area montorng and ontrol. The ommunaton lnk s an optal fber network or a mrowave system. Bakup ontrol enters provde overage for dsaster senaros that may dsable the prmary ontrol enter, e.g., loss of data ommunaton, rtal montorng and ontrol faltes. In addton, Web-Based SCADA s the Internet-Based SCADA and applaton serves to utlty ndustry that provdes onvenent and low ost mantenane by out-sourng the mantenane serves. Ths s mplemented usng a lent-server arhteture though Internet. Web-Based SCADA ower lant roess Control System (enerators) Substaton Automaton System (Buses) Dstrbuton Management System (loads) rmary Control Center Bakup Control Center rmary ath of Communaton Seondary ath of Communaton rmary ISO Control Center Bakup ISO Control Center Fg. 2. Real-Tme Communaton wthn ower System Control Networks The overall ommunaton and omputer nfrastruture s omplex. Defenes of seurty gudelnes and poly enforements may result n penetraton to the networks. Vulnerablty assessment for eah entty s to dentfy the aess ponts to the network as well as yber assets. Ths nludes omprehensve password poly enforement and onstant audtng of unused default ports avalable. B. Introduton to the methodology A yberseurty vulnerablty ndex s a measure of the lkelhood that an attak tree or attak leaf wll be ompromsed by hakers []. Eah attak leaf may have weaknesses that are prone to attak. The vulnerablty ndex ranges from 0 to, from the most nvulnerable (0 value) to the most vulnerable ( value). There are separate vulnerablty ndes for eah attak leaf and eah ntruson senaro. There s also an overall system vulnerablty ndex. All ndes range from 0 to. A vulnerablty ndex s determned based on: () evdene of ed ntrusons; (2) exstng ountermeasures and mproved ountermeasures [2]; and (3) password poly enforement [3]. The vulnerablty ndex s evaluated wth the hypothess lsted n Table I [4]. Three ondtons are defned n Table I. Condton states that there s no evdene to suggest that there are ntruson s for the system. Condton s not met when there are redble evdenes of malous s based on eletron data. Condton 2 s met when there are one or more ountermeasures mplemented for an attak leaf. Any tehnology that s appled to defend the attak leaf would satsfy ondton 2. An example s a web server nstalled wth a frewall that montors the aess to prevent malous ntrusons through onlne traff. assword mplementaton for eah attak leaf s onsdered for assessment. oor password prates result n unauthorzed aess. A system an fae the rsks of unauthorzed aess, even though t may be password proteted. Condton 2 and ondton 3 may nfluene ondton. For nstane, mplementaton of the new tehnologal ountermeasures an redue the lkelhood of ntrusons. Applyng boundary proteton n a frewall wth a set of rules an also redue aess from anonymous users. Ths would redue ed ntrusons and enhane system seurty. The other example s that ondton 3, wth stronger password poles, would also protet the system from beng ompromsed. However, ths does not hange the number of s. TABLE I RULES FOR CONDITIONS,2, AND 3 Condtons Rules The system s free of ntruson Condton that s onluded from the eletron evdenes n the system. At least one or more ountermeasures are Condton 2 mplemented to protet an attak leaf. At least one or more password poles Condton 3 are enfored orrespondng to eah attak leaf. III. VULNERABILITY ASSESSMENT OF CYBERSECURITY The proedure to evaluate vulnerablty ndes s depted n Fg. 3. As shown n the fgure, the proedure starts wth an analyss of the attak objetves. Then the attak tree and ountermeasures are establshed. The system vulnerablty ndex s obtaned by evaluatng the senaro vulnerablty and the leaf vulnerablty for seleted senaros and the orrespondng attak leaves. Identfy possble seurty vulnerablty and formulate an attak tree Identfy ntruson senaros based on the attak tree Identfy adversary attak objetves Evaluate senaro vulnerablty Determne yberseurty ondtons on eah attak leaf Compute leaf vulnerablty Determne pvotal attak leaves by lmtng the upper bound of the senaro vulnerablty Deson-makng to mprove system vulnerablty Fg. 3. roedure to Evaluate Vulnerablty Indes

3 3 Ths seton desrbes the proedure to evaluate the vulnerablty ndes: (a) yberseurty ondtons, and (b) evaluaton of vulnerablty ndes. A. Cyberseurty ondtons Ths seton evaluates the yberseurty ondtons, ω, that s a prelmnary evaluaton before the spef vulnerablty ndes related to leaves and senaros are alulated. The yberseurty ondton assessment s based on tehnologal ountermeasures and enforement of the password poly. The yberseurty ondton s measured by a number ω, that assumes the values of 0. 0., or. The value 0 ndates that the system ondton s nvulnerable whle value ndates the system s vulnerable. )ω =0.00: If [(Condton ) AND (Condton 2) AND (Condton 3)], thenω =0.00 All ondtons n Table I are satsfed. Advaned ountermeasures are deployed and omprehensve password poles are enfored. There s no evdene that the system s subjet to malous s. 2)ω =0.0: If <[(Condton ) AND (Condton 2)] OR [(Condton ) AND (Condton 3)] OR [(Condton 2) AND (Condton 3)]>, thenω =0.0 Any two of the ondtons n Table I are satsfed. 3)ω =.00: If( [(Condton ) OR (Condton 2) OR (Condton 3)] OR (None of the ondton)], thenω =.00 Only one of the ondtons s met or, None of the ondtons are satsfed. B. Evaluaton of vulnerablty ndes Ths seton s onerned wth the yberseurty vulnerablty of an attak tree. There are four steps to assess the seurty vulnerablty: () Identfyng the ntruson senaros, (2) Evaluatng vulnerablty ndes for the system, ntruson senaros, and attak leaves, (3) Evaluatng seurty mprovements, and (4) Identfyng the pvotal leaves. ) Identfyng the ntruson senaros from the attak tree: Frst, the ntruson senaros from the attak tree are dentfed. Then, the possble ntruson senaros are enumerated. Eah of the ntruson senaros s the ombnaton of attak leaves that are formed wth AND or OR attrbutes onfgured n the attak tree. The leaf vulnerablty ndex v ( k ) of eah attak leaf s evaluated one all the ntruson senaros are determned. The senaro vulnerablty s the produt of the orrespondng attak leaf vulnerabltes. 2) Evaluatng vulnerablty ndes: There are three seurty vulnerablty ndes: () system vulnerablty, () senaro vulnerablty, and () leaf vulnerablty. The system vulnerablty, V s, s the vulnerablty of an attak tree determned from the senaro vulnerablty, as shown n (). K s the total number of ntruson senaros. A vetor of senaro vulnerabltes s gven n (2) where I = {, 2, L, K} s a set of ntruson senaros. The Vs s determned from the maxmum value of the senaro vulnerablty set. Eah ntruson senaro s a possblty that leads to suessful penetraton of the system. The vulnerablty of a senaro s the produt of leaf vulnerabltes where eah senaro vulnerablty s formed wth a dfferent subset of S. Senaro vulnerablty ndes are gven n (3) where s, s 2, L, s K S and S = { 2,, L, n}. The symbol s represents an ndex subset of S that s the unversal ndex set of attak leaves and n s the total number of attak leaves. VS = max { V( ), V( 2), L, V( K) } = max( V ( I) ) () T V ( ) ( ) ( ) L ( ) (2) V I = V V 2 V K ( I ) ( ) = v( j ) V j s ( 2 ) = v( j ) V = j s2 M ( K) = v( j) V j sk A leaf vulnerablty s evaluated by (4). The yberseurty ondton number ω must be dentfed frst. The bass for evaluaton s to pre-determne the leaf vulnerablty ondton wth respet to the evdene of ed ntrusons, tehnologal ountermeasures, and password poly enforement, whh was dsussed n Seton III(A). To evaluate the strength of tehnologal ountermeasures, the total number of ountermeasure types s determned, whh s denoted by a onstant n (4). Then, the rato between the ountermeasures mplemented at the spef attak leaf to the total number of ountermeasure types s determned, where n s the number of ountermeasures types mplemented at T C an attak leaf [2]. The strength of the rato s deduted from to onvert t to the vulnerablty rato. max { ω ( ( n T )), ω max{ Θ( C C )} } (4), ω > 0 v ( k ) = max 0 ( n T ), max Θ C 3, ω = { ( C ) { ( )} } Seond, the weghtng fator of the password poly enforement s evaluated. Eah password poly should be assgned wth a value Θ ( C ) based on Table II. The weght assgnment of the password poly enforement ndates the level of dffulty to rak the password. In Table II, an nrement of (approxmately) 0.33 pont startng from the strong password poles of 0 value for Θ( C ) s used. The strongest password poles deter or prolong the rakng proess. Nether brute-fore trals nor soal engneerng tehnques an break through n a short perod of tme. (3)

4 4 The hghest weght assgnment of the password poly enforement s taken as the measure that would be the most vulnerable of the set. The notaton C represents the set of four levels of password poles as shown n Table II. If the password poly enforement has a password length of more than haraters long, then Θ ( ) = If the fatory Θ =.. The default password s not removed, then ( ) 067 overall value of ( C ) Θ s the maxmum among the password poly levels that are applable for the spef attak leaf,.e., max { Θ ( C )} = In (4), for ϖ > 0, the fnal evaluaton of leaf vulnerablty s based on the more vulnerable of the two measures, whh s T the hgher value among the two sets, C, C C where T T C C, andc C. On the other hand, for ϖ = 0, the more vulnerable of two ountermeasures s dvded to reflet the fat that 3 measures are used for yberseurty ondtons,.e., evdene of malous s, tehnology ountermeasures, and password poly enforement. 3) Evaluatng seurty mprovements Seurty mprovement an be aheved by a replaement or addtonal ountermeasures. The mprovements for an attak leaf and ntruson senaro an be measured wth the mplementaton of the defense nodes denoted as v ( ) and V () respetvely, for the leaf and senaro vulnerablty after an mprovement s mplemented. The degree of mprovement for a leaf vulnerablty s gven by v ( ) v( ) v( ) 00% and smlarly for senaro mprovement. 4) Determne the pvotal leaves The system vulnerablty s evaluated based on (2). Improvements of the leaf vulnerablty an lead to hgher system vulnerablty. To dentfy the pvotal leaves for system vulnerablty enhanement, an optmzaton problem s proposed: s.t. mn V S () ( I) ( I) ( ) ( ) V V (6) v v (7) 0 v,v I where ( ) ( ) The ombnaton of senaro vulnerablty s subjet to the onfguraton of an attak tree beause system vulnerablty s expressed as a funton of senaro vulnerablty. The objetve of ths formulaton s to mnmze system vulnerablty by lowerng the upper bound of the senaro vulnerablty, V ( I ). By dong so, the pvotal leaf ombnaton for system mprovement s determned. The mprovement s observed through hanges n V ( I ). A unform upper bound for all leaf nodes an be enfored, suh v s as 0. for all leaves. The vetor of upper bounds ( ) then a vetor wth all elements equal to 0.. Ths s to ensure the least seured leaf nodes are properly enfored. The pvotal leaves are the leaf nodes n ( ) v wth a redued value ompared to the orrespondng values before the upper bounds are redued. TABLE II WEIHT ASSINMENT FOR ASSWORD OLICY ENFORCEMENT Θ C Desrptons ( ) Absene of password poles No password exsts for a user aount Exstene of a guest aount that s known to many, e.g., the password s the same as username oor password poles Wth fatory default password Set wth ombnaton of username, ompany name, date of brth, that s possble to rak usng soal engneerng ood password poles assword length wth 7 haraters long Implement maxmum password age Comprehensve password poles The old passwords are not allowed for new password hange 4-harater ategores of ombnaton (A-Z, a-z, 0-9,!@# (non-alphabet haraters) ) assword length wth haraters or longer Enfore a password age to less than 3 months IV. CASE STUDIES The methodology proposed n the prevous seton s appled to study ases here. The purpose s to dentfy the aess ponts of power system ontrol networks and evaluate the network vulnerablty. The objetve of the proposed attak tree s foused on penetraton of the ontrol enter ntranet from others, e.g., substaton ntranet wth Vrtual rvate Network (VN) onneton. An attak tree based on Fg. 2 s onstruted; the ase studes are subjet to spef busness prates. The model norporates the exstene of fatory default password and nsuffent seurty mprovement [6]. The attak leaves nlude ountermeasures to mprove the system vulnerablty. An attak tree llustrated n Fg. 4 onssts of dsruptons through a power plant, substaton, or web-based SCADA. The dsruptons nlude sabotage on omputer systems and power systems. These ombnatons may result n an ntruson nto the ontrol enter. To derve the senaro ombnaton, groups of attak leaves are arranged as follows:

5 Remarks: AND Defense OR ountermeasure sets roup Dsrupt bakup ontrol enter 4 : Dsrupt ommunaton servers 9 : Dsrupt dstrbuted relatonal database Dsrupt power plant operatons Enterprse msson to dsrupt power system ontrol roup roup 2 Dsrupt ontrol enter roup d 6 : Dsrupt real-tme serves Dsrupt VN onneton to substatons roup a Attak the system by openng the swthng deves 7 : Explot the onlne vulnerablty Dsrupt substaton Dsrupt web-based SCADA system : Explot the web server vulnerablty roup b 9 : Inhbt the status of the swthng deves : Explot wreless onneton 2 3 Shut down the serves 2 : Searh for unt equpment management ontrol ommands 3 : Dsrupt unt loadng 0 ontrol serve 4: Dsrupt ommunaton servers :Explot remote termnal onneton 6 : Inhbt all the onlne status 7 :Explot ommunaton of substaton SCADA Dsrupt the substaton SCADA : Explot avalable ports : Explot relevant fles 0 2 0: Dsrupt relatonal database : Explot the VN onneton : Explot wreless onneton : Explot dal-up onneton Fg. 4. Attak Tree of ower System Control Framework roup a: roup : [ ] 4 roup 2: ; roup b: 7 ; roup d: [ ] ; 9 Eah group represents the seurty flaw of a sub-network from power plant, substaton networks, and web-based SCADA system. roups a and b represent a dsrupton of power plant operatons and substaton automaton. Seurty breahes n these groups may also result n penetraton to the ontrol enter. roups and d represent a dsrupton of the bakup ontrol enter and real-tme serves n the prmary ontrol enter. The mportane of a bakup ontrol enter s to take over funtons of the prmary ontrol enter under extreme rumstanes. Communaton, relatonal database, and realtme applaton serves n ontrol enters are rtal elements. roup 2 represents the dsrupton of Web Based SCADA system where seurty breahes n a web server may be exploted by ntruders. Eah ntruson senaro s derved from attak leaves, where, 2, L, 9 are attak leaves. Intruson senaros are expressed as follows: ; =,4,,6 =,4,,6 =,9,4,,6 = 2,4,,6 = 9 4 = 2,3,4,,6 = 6,4,,6 7 = 0,4,,6 2 = 4,4,,6 = 7,4,,6 6 3 =,4,,6 0 = 3,4,,6 = 7, () 3 where, 2,, 3 I These attak leaves nlude ountermeasures that an be tehnologal ountermeasures or password poly enforements. The desrpton of eah ountermeasure s C =,, and 9 2 L L lsted n the Appendx. The sets { 2, 7 } C T { } L =, 9 26 are ountermeasure sets for password and tehnologal ountermeasure, whle C =,, L, s the unversal ountermeasure set. { 2 26} v ( ) and v ( ) are omputed n aordane wth the onfguraton of the attak tree; the results are gven n the Appendx. The leaf vulnerablty and ts mprovement are depted n Fgs. (a) and (b). The vulnerablty mprovement for eah attak leaf s depted n Fg. (b). By elmnatng the fatory default password and enhanng seurty ountermeasures, the leaf vulnerablty has been mproved. Aordng to (4), the number of ountermeasures types mplemented at an attak leaf s essental beause t nfluenes the vulnerablty of a leaf. Attak leaves and 7 do not

6 6 mprove f the same tehnologal ountermeasure s mplemented on that attak leaf. (The mprovement s based on the same ountermeasure tehnology,.e., aess ontrol.) Attak leaf 3 has the greatest mprovement. Ths s due to the ombnaton of tehnologal ountermeasure types and elmnaton of the guest aount. Elmnatng the fatory default password and guest aount mproved the leaf vulnerablty. In the next step, V ( I ) and V ( I ) are evaluated usng (3). Eah ntruson senaro s the produt of attak leaves n (). The senaro vulnerablty s plotted n Fg. 6. Note that the logarthm sale s used n Fg. 6(a) to hghlght the dfferene between V ( I ) and V ( I ). As shown n Fg. 6(a), the frst ntruson senaros have a greater mprovement. However, ntruson senaros 2 and 3 do not show muh mprovement. Fg. 6(b) shows vulnerablty mprovement for eah ntruson senaro. Fnally, the system vulnerablty ndes before and after the mproved ountermeasures are mplemented, are determned from ( I ) vulnerablty ndes, respetvely. 0. V s and V and V ( ) Vs and V s, respetvely, I. The system V s, are 0.33 and 0.3, (a) vulnerablty Exstng ountermeasures Improved ountermeasures lmtng ( I ) V from to , t s seen that attak leaves 7,, 6, 7,, 9 are the pvotal leaves to mprove V I. the seurty measure n order to satsfy ( ) V. CONCLUSION AND FUTURE WORK The proposed methodology an be used to systematally evaluate the vulnerablty and mprovements based on yberseurty ondtons, tehnologal ountermeasures, and password poly enforement. Seurty mprovement of an attak tree depends on the total number of ountermeasure types and password poly enforement on eah attak leaf. Case studes of the power system ontrol networks have been performed to determne the vulnerablty ndes. To avod manual, exhaustve searh on eah attak leaf, an optmzaton problem s formulated that an be solved to determne pvotal leaves for seurty mprovements. The formulaton of attak trees does not apture the sequene n whh attak leaves are penetrated n a senaro, however, an attak tree an be used as the foundaton to emulate penetraton testng, onfrm the hypothess, and study seurty flaws. Besdes, attak trees an nlude budgetary onstrants to evaluate system vulnerablty that determnes the optmal seurty nvestment based on ths framework (a) Senaro vulnerablty Exstng ountermeasures Improved ountermeasures Vulnerablty Index Vulnerablty Index Attak, (b) Vulnerablty mprovement for eah attak leaf Intruson Senaros, I Vulnerablty Improvement, % Attak, Fg.. Vulnerablty wth Exstng and Improved Countermeasures Vulnerablty Improvement, % (b) Vulnerablty mprovement for eah ntruson senaro It s desrable to dentfy rtal attak leaves that are nfluental for the mprovement of system vulnerablty. Table III shows the numeral results based on ()-(7). The upper bound of the v ( ) s set to 0. whh represents an ntermedate level of vulnerablty. Table III shows the requred hanges for eah attak leaf wth a dfferent upper bound of senaro vulnerablty shown n eah olumn. The hghlghts are hanges from the output of optmzaton. By Intruson Senaros, I Fg. 6. Senaro Vulnerablty wth Exstng and Improved Countermeasures TABLE III FOUR UER BOUNDS ON SCENARIO VULNERABILITY FOR EACH LEAF ( ) V I v( ) v ( )

7 7 C v( 2 ) v ( 2 ) v( 3 ) v ( 3 ) v( 4 ) v ( 4 ) v( ) v ( ) v( 6 ) v ( 6 ) v( 7 ) v ( 7 ) v( ) v ( ) v( 9 ) v ( 9 ) v( 0 ) v ( 0 ) v( ) v ( ) v( 2 ) v ( 2 ) v( 3 ) v ( 3 ) v( 4 ) v ( 4 ) v( ) v ( ) v( 6 ) v ( 6 ) v( 7 ) v ( 7 ) v( ) v ( ) v( 9 ) v ( 9 ) VI. Appendx Desrptons Elmnate guest aount Elmnate fatory default password Implement password age 4-harater ategores of ombnaton password poly s enfored Enfore a password age less than 3 months Implement password length at least haraters Inrease password hange frequeny Install omputer forens tools Implement bometr for authentatons Install ntegrty hekers to montor alternatons to system fles Implement path management system to update seurty pathes avalable Install antvrus software Install ontent management to montor web and messagng applatons Set the rule of the I address that s allowed Implement dgtal ertfates Montor the seurty event logs to determne malous 6 operatons 7 Confgure dfferent port of the serves Doument and audt the use of eah stat I addresses Install ntruson deteton system to montor the traff wthn 9 the network 20 Enhane wth the poly of frewall n substaton LAN Elmnate admnstratve rght to lmted users lke vendors who 2 an hange the onfguraton 22 Install network analyzer to montor malous traff 23 Install a redundant system n ase of urgent need to swth 24 Install a sanner to dentfy malous traff of the network 2 Install smart tokens to establsh strong authentaton Audt the user rghts that ontan prvleges aessng rtal 26 ommands Improved Countermeasures Set Used for Eah Attak and Desrptons Attak Evdene of Attempted Intruson Malous deteted Absene of malous Malous deteted Absene of malous Malous deteted Absene of malous Malous deteted Absene of malous Absene of malous Absene of malous Absene of malous Malous deteted n the logs of substaton LAN Tehnologal Countermeasures Frewall Antvrus Authentaton Frewall User rghts and prvleges are set ersonal frewall Antvrus User rghts and prvleges are set Frewall User rghts and prvleges are set User rghts and prvleges are set Frewall Frewall User rghts and prvleges are set Frewall Frewall Frewall Ant-vrus assword oly Enforement Fatory default password remans uest aount Fatory default password remans Fatory default password remans Implemented password age assword length wth at least haraters Implemented password age assword length wth at least haraters No password uest aount uest aount Fatory default password remans assword length wth at least haraters Implemented password age Fatory default password remans assword length wth at least haraters User rghts and Fatory default password Malous prvleges are set remans Intruson deteton assword length wth at deteted system least haraters Malous User rghts and assword length wth at prvleges are set least haraters deteted Dgtal ertfates 4-harater ategores of

8 6 7 9 Malous deteted Absene of malous Absene of malous Attempted logon wth more than 3 tme Malous deteted User rghts and prvleges are set Fle ntegrty hekers User rghts and prvleges are set Antvrus Frewall Frewall Antvrus User rghts and prvleges are set Frewall Authentaton User rghts and prvleges are set Dgtal ertfates ombnaton Fatory default password remans assword length wth at least haraters Fatory default password remans 4-harater ategores of ombnaton Old passwords are not allowed to replae as new 4-harater ategores of ombnaton assword length wth at least haraters 4-harater ategores of ombnaton assword length wth at least haraters assword length wth at least haraters uest aount 4-harater ategores of ombnaton Implemented Countermeasures for Eah Attak VII. ACKNOWLEDMENT The authors gratefully aknowledge the ontrbutons of Srdjan udar, Mohammad Frawan, and the support of Eletr ower Researh Center (ERC) at Iowa State Unversty. VIII. REFERENCES [] J. Esenhauer,. Donnelly, M. Ells, and M. O Bren, Roadmap to seure ontrol systems n the energy setor, Energets of Columba, MD, January [2] overnment Aountablty Offe (AO) Report to Congressonal Requesters, Crtal Infrastruture roteton: Department of Homeland Seurty Faes Challenges n Fulfllng Cyberseurty Responsblty, AO-0-434, May 200. [3] NERC yberseurty standards (fnal verson), [4]. N. Ersson and A. Torklseng, Management of nformaton seurty for an eletr power utlty on seurty domans and use of ISO/IEC 7799 standard, IEEE Transatons on ower Delvery, Vol. 20, No. 2, Aprl 200, pp [] E. oetz, Cyber seurty of the eletr power ndustry, Insttute for Seurty Tehnology Studes at Dartmouth College, Deember [6] L. A. ordon, M.. Loeb, W. Luyshyn, and R. Rhardson, CSI/FBI omputer rme and seurty survey, Computer Seurty Insttute, 200. [7] J. Tang, R. Hovsapan, M. Sloderbek, J. Langston, R. Meeker,..MLaren, D. Beker, B. Rhardson, M. Baa, J. Trent, Z. Hartley, R. arks, and S. Smth, The CAS-SNL power system seurty testbed, ro. CRIS, Thrd Internatonal Conferene on Crtal Infrastrutures, Alexandra, VA, September [] C. L. DeMaro and Y. Braden, Threats to eletr power grd seurty through hakng of networked generaton ontrol, ro. CRIS, Thrd Internatonal Conferene on Crtal Infrastrutures, Alexandra, VA, September [9] B A.. Moore, R. J. Ellson, and R. C. Lnger, Attak modelng for nformaton seurty and survvablty, CMU/SEI-200-TN-00, Marh 200. [0] B. Shneer, Attak trees: modelng seurty threats, Dr. Dobb s Journal, Deember 999. [] Vulnerablty assessment methodology for eletr power nfrastruture, US Department of Energy, Offe of Energy Assurane, September 30, [2] overnment Aountablty Offe (AO) Report to Congressonal Requesters, Informaton seurty: tehnologes to seure federal systems, AO , Marh [3] C. E. Landwehr, Computer seurty, Sprnger-Verlag, July 200. [4] M. Amn, North Amera s eletrty nfrastruture: are we ready for more perfet storms? IEEE Computer Soety: Seurty & rvay, 2003, pp [] J. Jung, C. C. Lu, M. Hong, M. allant, and. Tornell, Multple hypotheses and ther redblty n on-lne fault dagnoss, IEEE Transatons on ower Delvery, Vol. 6, No. 2, Aprl 200, pp [6] Cyberseurty standards workshop, user manual for the workshop, North Ameran Eletr Relablty Counl, September 2-29, Mnneapols, MN. IX. BIORAHIES Chee-Woo Ten (S 00) reeved hs BSEE and MSEE at Iowa State Unversty, Ames, n 999 and 200 respetvely. He s urrently a h.d. student at Iowa State Unversty. In 2000, he was a summer ntern wth Md-Ameran Energy Control Center n Des Mones. Mr. Ten was an applaton engneer wth Semens Energy Management and Informaton System (SEMIS) n Sngapore from January 2002 to July 200. Hs area of nterest nludes Cyberseurty Modelng for Energy Infrastruture, Applatons for ower System Control, and Eonom Optmzaton. Chen-Chng Lu (F 94) reeved hs h.d. degree from the Unversty of Calforna, Berkeley. He s urrently almer Char rofessor of Eletral and Computer Engneerng at Iowa State Unversty. Durng , he was a rofessor of Eletral Engneerng at the Unversty of Washngton, where he also served as an Assoate Dean of Engneerng from Dr. Lu reeved an IEEE Thrd Mllennum Medal n 2000 and the IEEE ower Engneerng Soety Outstandng ower Engneerng Eduator Award n He s servng as Char of the Tehnal Commttee on ower System Analyss, Computng and Eonoms (SACE), IEEE ower Engneerng Soety. rofessor Lu s a Fellow of the IEEE. Manmaran ovndarasu (M 99) s urrently an Assoate rofessor n the Department of Eletral and Computer Engneerng at Iowa State Unversty (ISU). He reeved hs h.d. n Computer Sene and Engneerng from Indan Insttute of Tehnology (IIT) Madras, Inda n 99. He reeved Young Engneerng Researh Faulty Award at ISU n Hs researh expertse s n the areas of resoure management n real-tme systems and networks, overlay networks, network seurty, and ther applatons to rtal nfrastrutures suh as eletr grd. Dr. ovndarasu has publshed over 00 peer-revewed researh publatons. He s o-author of the text Resoure Management n Real-Tme Systems and Networks, MIT ress, 200. He has gven tutorals on Internet nfrastruture seurty n onferenes, suh as IEEE Infoom 2004 and IEEE ComSo TutoralsNow (2004), and served as workshops o-har, symposum o-har, and sesson har on many oasons.