SCADA virtual test environment development

Transcription

1 SCADA virtual test environment development Ciprian Nicolae BOLDEA Abstract Control systems are potential targets of cyber attacks. SCADA networks are usually seen as industrial equipment, not affected by cyber threats. Starting from the design of such a network the focus is on functionality, seldom the security not even being taken into consideration. Since the SCADA networks tends to became more and more integrated with enterprise business networks and relies on Internet for communication links there is an increasing of the vulnerability of systems to cyber security threats. Dealing with those threats and determining vulnerabilities is an important task for the normal functioning of the systems. This paper presents the development of a virtual test environment used to assess the functionality of SCADA network in various conditions and configurations. Keywords: SCADA, control systems, cyber security, virtual test bed, GNS3, Virtual Box, Free SCADA 1. Introduction Computerized control systems perform vital functions in enterprises and in distributed infrastructures including: Energy Distribution, Nuclear Reactors, Dams, Commercial Facilities, Critical Manufacturing, Emergency Services, Waste Dams and Chemical Sectors, Transportation and Postal Systems. They are usually composed of a set of networked devices such as controllers, sensors, actuators, and communication devices. Supervisory Control and Data Acquisition (SCADA) systems are computer-based control systems which are used to monitor and control physical processes distributed over large geographical areas. For example, in natural gas distribution, they can monitor and control the pressure and flow of gas through pipelines; in the electric power industry, they can monitor and control the current and voltage of electricity through relays and circuit breakers; and in water treatment facilities, they can monitor and adjust water levels, pressure, and chemicals used for purification. Critical infrastructure relies extensively on computerized information technology (IT) systems and electronic data. The security of those systems and information is essential to the security, economy, and public health as it was mentioned in recent United States Government Accountability Office report [1]. Computer-based attacks pose a potentially devastating impact to systems, operations and the critical infrastructures they support. Reported cyber attacks and unintentional incidents involving critical infrastructure systems demonstrate that a serious cyber attack could be devastating. Corporations and Agencies have experienced a wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches, underscoring the need for improved security practices. As shown in the Figure 1 Cyber Incidents Reported to US-CERT in , the number of incidents reported by federal agencies to United States Computer Incident Response Team (US-CERT) has increased dramatically over the past 3 years. Ciprian Nicolae BOLDEA, drd. Universitatea Politehnica Bucureşti Figure 1. Cyber Incidents (US-CERT)

2 ELECTROTEHNICĂ, ELECTRONICĂ, AUTOMATICĂ, 59 (2011), nr Accordingly to the cyber security dedicated site [2] the number of incidend has increased from about five thousand incidents reported in 2006 to almost seventeen thousand incidents in 2008 (about a 200% increase). Considering the above mentioned facts results that it is important to have a platform for experimentation over SCADA systems. It is important that such an environment to offer an alternative for testing in a live or production environment. It should allow transparent, and replicable testing of software and communication protocols for functionality and most important for security. Such a solution will be presented below. It is a solution build on freely available software. 2. SCADA architecture and test environment components used to emulate it SADA network main components are: One or more field data interface devices, usually Remote Terminal Units (RTUs), or Programmable Logical Controllers (PLCs), which interface to field sensing devices and local control switchboxes and valve actuators; A communications system used to transfer data between field data interface devices and control units and the computers in the SCADA central host. The system can be radio, telephone, cable, satellite, etc., or any combination of these; A central host computer server or servers (sometimes called a SCADA Center, master station, or Master Terminal Unit (MTU). In order for the above mentioned components to work it is need that a collection of standard and/or custom software - sometimes called Human Machine Interface (HMI) software or Man Machine Interface (MMI) software to be used to provide the SCADA central host and the operator with terminal application, support for the communications system, monitor and control of the remotely located field data interface devices. SCADA systems have evolved in parallel with the growth and sophistication of modern IT computing technology, from monolithic to distributed and then to networked systems. The current generation of SCADA - Networked SCADA systems - is an open system architecture Open standards eliminate a number of the limitations of previous generations of SCADA systems. The utilization of off-the-shelf systems makes it easier for the user to connect third party peripheral devices to the system and/or the network. Another major improvement in third generation SCADA systems comes from the use of WAN protocols such as the Internet Protocol (IP) for communication between the master station and communications equipment. This allows the portion of the master station that is responsible for communications with the field devices to be separated from the master station proper across a WAN. Vendors are now producing RTUs that can communicate with the master station using an Ethernet connection. [3]. SCADA system is usually liked with enterprise network which at is turn is liked to other networks, usually the Internet. Today s SCADA systems are able to take advantage of the evolution from mainframebased to client/server architectures. These systems use common communications protocols like Ethernet and TCP/IP to transmit data from the field to the master control unit. While all of this evolution towards more open-based standards has made it easier for the industry to integrate various diverse systems together, it has also increased the risks of less technical personnel gaining access and control of these industrial networks. On October 1, 2003 Robert F. Dacey, Director, Information Security Issues at the General Accounting Office (GAO) eluded to this and other issues in his testimony before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform. He said: For several years, security risks have been reported in control systems, upon which many of the nation s critical infrastructures rely to monitor and control sensitive processes and physical functions. In addition to general cyber threats, which have been steadily increasing, several factors have contributed to the escalation of risks specific to control systems, including the (1) adoption of standardized technologies with known vulnerabilities, (2) connectivity of control systems to other networks, (3)

3 62 ELECTROTEHNICĂ, ELECTRONICĂ, AUTOMATICĂ, 59 (2011), nr. 4 constraints on the use of existing security technologies and practices, (4) insecure remote connections, and (5) widespread availability of technical information about control systems. [4] For a company to protect its infrastructure, it should undertake the development of a security strategy that includes specific steps to protect any SCADA system. Developing an appropriate SCADA security strategy involves analysis of multiple layers of both the corporate network and SCADA architectures including firewalls, proxy servers, operating systems, application system layers, communications, policies, and procedures. In order to test both SCADA software and network components it is very expensive to create scale replica of real systems. An alternative to scale replica is the use of virtual systems that emulate real ones. Until recently was pretty hard to integrate in the same virtual scenario both network components and servers/workstations. It can be done now by using GNS3 for network components (routers, firewalls) simulation and Virtual Box for software virtualization. GNS3 is a graphical network simulator that allows simulation of complex networks. It was built on Dynamips - an emulator program for Cisco routers. The simulator is an open source, free program that may be used on multiple operating systems, including Windows, Linux, and MacOS X To allow complete simulations, GNS3 is strongly linked with Qemu - a generic and open source machine emulator and with VirtualBox as it is mentioned on the simulator web page - [5] VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use. Not only is VirtualBox an extremely feature rich, high performance product for enterprise customers, but it is also the only professional solution that is freely available as Open Source Software under the terms of the GNU General Public License (GPL). Presently, VirtualBox runs on Windows, Linux, Macintosh, and Solaris hosts and supports a large number of guest operating systems including but not limited to Windows, Linux, Solaris and OpenSolaris, OS/2, and OpenBSD. Confirmation for the above mentioned details on - [6] The SCADA test bed created have been completed with Free SCADA 2 software. This is a program written in C# and.net 3.0. There are two main modules interacting with users: Designer and Run Time. Designer is a tool used for creation of documents: Definition of links with data sources Setting up rules for archiving Declaring alarms and expected user reaction for them Creation of visual schemes and report templates Setting up scheduler of report generation Run Time is a tool used to regular work with the document: Archiving data in real time Alarm generation Data visualization Report generation Sending visual data (schemes) to remote clients by using HTTP protocol for Web access as Silverlight 2.0 application Sending data to remote clients by OPC XMLDA protocol Beside SCADA regular components there is also a set of communication plugins which provide abstract communication layer with other applications. [7] MODBUS was used to link SCADA with Free Modbus Simulator. This is a test program useful for testing. It has TCP/IP support embedded [8]. 3. Test environment The above mentioned software were used to set-up a SCADA test bed which emulates a SCADA server, a Modbus client on a remote SCADA field device and the network in between. The network was created by using GNS3 router objects. GNS3 allows the connections between routers and virtual machines created in Virtual Box.

4 ELECTROTEHNICĂ, ELECTRONICĂ, AUTOMATICĂ, 59 (2011), nr the connection of simulated network to a real one. An attack over the SCADA network can be simulated using for example a Distributed Denial of Services test script available for download at: This was run on another machine against the 502 port of the Modbus client. Like that can be observed the system behavior under lose connectivity. Figure 2 Emulated SCADA test environment On the SCADA mainframe the Free Scada server application was run. In Figure 3 is a capture from the Graphical User Interface of the mentioned software. There are visible the values read by the server from the Modbus client. Figure 3 SCADA server communications The Modbus client simulator is a software application running on the SCADA client PC and waiting for connections. It is polled for inputs by the server via the TCP/IP network on port 502 (standard TCP Modbus port). On Figure 4 it is a capture of graphical user interface of the Modbus client simulator. Figure 4 Modbus client This is example SCADA emulation. The environment can be adjusted to simulate a close to real situation with tens or even hundreds of devices. Moreover GNS3 allows 4. Comparison with other SCADA test environments There are plenty of simulation tools for SCADA. For example RubySim is a software product used to simulate SCADA systems (both master and slaves). Consipio software develops a software product named psimulator which can be used in a multi PLC/RTU simulation scenario. A special note should be made for Realtime Immersive Network Simulation Environment for Network Security Exercises (RINSE). This is a tool for realistic emulation of large networks as well as network transactions, attacks, and defenses. The product is well described on the paper: Rinse: the real-time immersive network simulation environment for network security exercises [9]. RINSE has unique capabilities which make it suitable for cyber security and gameplaying exercises including large-scale realtime human/machine-in-the-loop network simulation support, multi-resolution network traffic models, and novel routing simulation techniques. RINSE consists of five components: the issfnet network simulator, the Simulator Database Manager, a database, the Data Server, client-side Network Viewers There are some obviously advantage of this virtual testing bed over software simulation tools. First of all it is free. All components involved in creating the test bed are free software. Secondly it supposes the use of the same components as the ones in the field while software simulated SCADA has components implemented in software.

5 64 ELECTROTEHNICĂ, ELECTRONICĂ, AUTOMATICĂ, 59 (2011), nr. 4 Thirdly this solution allows other equipments, not SCADA, to be connected to the network while in software simulated SCADA systems everything else is software simulated. For example to simulate a DDoS attack in RINSE a command in send to the system: DDoS-attack attacker server , while in a virtual environment a DDoS attack can be emulated from real or virtual machines running dedicated software/scripts. There are also disadvantages: dedicated SCADA software testing solutions are more evolved and are build special for this purpose. As result those might obtain more conclusive results. Another disadvantage of emulated test beds is that it might not reflect the SCADA system as well as a scale model can do. 5. Conclusions Control systems tend to use more and more links over Internet. It is an increased number of connections between control system and IT networks. This causes concern over the security of control systems which had traditionally been considered closed systems. Control System Networks today must be assumed to be at risk of electronic compromise. There are tools and techniques that could be used to address this peril and very important is the testing of solutions adopted for SCADA software and communications. In this paper was presented an approach from an IT point of view over control system network solutions testing methodology. REFERENCES [1] GAO, United States Government Accountability Office, Critical Infrastructure Protection-Current Cyber Sector-Specific Planning Approach Needs Reassessment in Report to Congressional Requesters, Washington DC, [2] *** /05/ 29/ cybersecurity-incidents-on-rise/ [browsed at the 12 th of October 2011]. [3] GAO, United States Government Accountability Office, Critical Infrastructure Protection Challenges in Securing Control Systems, Report GAO T, Washington DC, [4] OFFICE OF THE MANAGER, NATIONAL COMMUNICATIONS SYSTEM, Supervisory Control and Data Acquisition (SCADA) Systems, Technical Information Bulletin 04-1, Arlington VA, 2004 [5] ***, [browsed at the 12 th of October 2011]. [6] ***, [browsed at the 12 th of October 2011]. [7] ***, [browsed at the 16 th of October 2011]. [8] ***, [browsed at the 16 th of October 2011]. [9] Liljenstam M, Liu J, Nicol D, Yuan Y, Yan G, Grier C, Rinse: the real-time immersive network simulation environment for network security exercises, in Workshop on Principles of Advanced and Distributed Simulation, 2005.