SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

Similar documents
Network Security Infrastructure Testing

Cyber Security of the Smart Grid

Firewalls Overview and Best Practices. White Paper

Getting Ahead of Malware

Testing Intelligent Device Communications in a Distributed System

Cyber Security of the Power Grid

Power System Security Monitoring, Analysis, and Control. George Gross

On-Premises DDoS Mitigation for the Enterprise

Synchronized real time data: a new foundation for the Electric Power Grid.

Intrusion Detection Systems

Security Testing in Critical Systems

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

Update On Smart Grid Cyber Security

Fuzzy Network Profiling for Intrusion Detection

Overview. Firewall Security. Perimeter Security Devices. Routers

Missing the Obvious: Network Security Monitoring for ICS

Cyber Security for SCADA/ICS Networks

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Outline. Introduction. State-of-the-art Forensic Methods. Hardware-based Workload Forensics. Experimental Results. Summary. OS level Hypervisor level

Vendor System Vulnerability Testing Test Plan

Including Threat Actor Capability and Motivation in Risk Assessment for Smart Grids

LCMON Network Traffic Analysis

Monitoring Traffic manager

HoneyBOT User Guide A Windows based honeypot solution

HE WAR AGAINST BEING AN INTERMEDIARY FOR ANOTHER ATTACK

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

SCADA System Overview

Intro to Firewalls. Summary

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

IDS / IPS. James E. Thiel S.W.A.T.

Service Description DDoS Mitigation Service

Cyber Watch. Written by Peter Buxbaum

Monitoring & Control of Small-scale Renewable Energy Sources

How To Protect Your Network From Attack From Outside From Inside And Outside

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Network Intrusion Analysis (Hands-on)

Performance Analysis of IPv4 v/s IPv6 in Virtual Environment Using UBUNTU

A Retrofit Network Intrusion Detection System for MODBUS RTU and ASCII Industrial Control Systems

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Intrusion Detection in AlienVault

Holistic View of Industrial Control Cyber Security

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Secure SCADA Communication Protocol Performance Test Results

Redundant Serial-to-Ethernet Data Connections for Mission-critical Devices

Chapter 9 Firewalls and Intrusion Prevention Systems

How To Protect Power System From Attack From A Power System (Power System) From A Fault Control System (Generator) From An Attack From An External Power System

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Performance of Cisco IPS 4500 and 4300 Series Sensors

Design Document. Team Members: Tony Gedwillo James Parrott David Ryan. Faculty Advisor: Dr. Manimaran Govindarasu

Historian SQL Server 2012 Installation Guide

Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong

Data Driven Assessment of Cyber Risk:

Fuzzy Network Profiling for Intrusion Detection

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Vulnerability Analysis of Hash Tables to Sophisticated DDoS Attacks

PFP Technology White Paper

NETWORK SECURITY (W/LAB) Course Syllabus

DNP Serial SCADA to SCADA Over IP: Standards, Regulations Security and Best Practices

Using Received Signal Strength Indicator to Detect Node Replacement and Replication Attacks in Wireless Sensor Networks

Architecture of distributed network processors: specifics of application in information security systems

Protecting Critical Infrastructure

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

Cisco IPS Tuning Overview

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

In-Band Security Solution // Solutions Overview

SCADA Controlled Multi-Step Automatic Controlled Capacitor Banks & Filter Banks

Securing the Intelligent Network

Testing and Evaluating New Software Solutions for Automated Analysis of Protective Relay Operations

SDN AND SECURITY: Why Take Over the Hosts When You Can Take Over the Network

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

Locking down a Hitachi ID Suite server

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Network Based Intrusion Detection Using Honey pot Deception

WHITE PAPER. WEP Cloaking for Legacy Encryption Protection

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

SANS Top 20 Critical Controls for Effective Cyber Defense

Denial of Service Attacks

Firewalls & Intrusion Detection

Name. Description. Rationale

Index Terms Domain name, Firewall, Packet, Phishing, URL.

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

Stephen Coty Director, Threat Research

60467 Project 1. Net Vulnerabilities scans and attacks. Chun Li

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Cyber Security Modeling and Assessment of SCADA System Architectures

Denial of Service Attacks, What They are and How to Combat Them

USING COMPLEX EVENT PROCESSING TO MANAGE PATTERNS IN DISTRIBUTION NETWORKS

Industrial Control Systems Vulnerabilities and Security Issues and Future Enhancements

Pennsylvania Summer Reliability

Software Defined Networking (SDN) - Open Flow

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Transcription:

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID ZBIGNIEW KALBARCZYK EMAIL: KALBARCZ@ILLINOIS.EDU UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN JANUARY 2014

Outline Problem Attack Model Attack Scenario Semantic Security Analysis Framework Evaluation Conclusions 2

Power Grid Operations Power Generator Transmission Network Distribution Network Household Environment SCADA Supervisory Control And Data Acquisition (SCADA) system Monitor and control geographically distributed assets in industrial control environment, e.g., power grid or gas pipeline To boost control efficiency, SCADA systems integrate proprietary protocols into IP-based network infrastructure 3

Challenges of Control-related Attacks Control-related attacks: a sophisticated attacker can exploit system vulnerabilities and use a single maliciously crafted control command to bring system in insecure/unsafe state Hard to detect based solely on states of physical components Classical state estimation and contingency analysis methods are performed periodically on small range of system changes Measurements can be compromised during network communications Hard to detect based solely on network activities Malicious commands may not generate a network anomaly 4

Attack Model Control Center Control Network Remote Site (Substation) field devices actuators & sensors We DO NOT TRUST intelligent devices Computing devices in the control center Intelligence field devices in substations Control network We TRUST measurements of power usage, current, and voltage directly obtained from sensing devices in substations Concurrent physical accesses to and tampering with a large number of distributed sensors is hard to achieve in practice 5

Attack Scenario Assumptions An attacker can penetrate the intelligent components in the power system An attacker can issue maliciously crafted control commands that can put the power system into an insecure state 6

Attack Scenario Stages Insider Access Control Center Remote Access Access Field Devices Attack Entry Points State Estimation & Contingency Analysis Data Historian Installed Malware in Substations Option 1: attackers learn network topology, estimate system states, and determine attack strategy, e.g., which transmission lines to open. Option 2: open lines at random when systems operate under high generations or load demands. Attack Execution Stage Attack Preparation Stage (offline) 1. Generate legitimate but malicious network packets (a sample DNP3 packet to open 4 breakers simultaneously ) IP + TCP Headers CB 04 0C 28 04 00 01 04 03 04 05 04 06 04 DNP3 Device Control Four Control Headers Index Code Relay Objects 2. To hide system changes, intercept and/or alter the network packets sent to the control center in response to the commands 7

Semantic Analysis Framework Control Center Control SCADA Commands DNP3 Master Slave A B C Substation Actuators & Sensors Measurements: power usage, current, and voltage IDS Instance #1 IDS Instance #2 State Estimation & Contingency Analysis 1) Commands issued to the remote site 2) Measurements obtained from sensors Generated Alerts Semantic Analysis Framework 8

Semantic Analysis Procedure Extract parameters of control commands from SCADA network packets Obtain trusted measurements from sensors in substations Trigger contingency analysis to estimate consequences of executing the commands carried by the network packets Response to detected intrusions The semantic analysis framework do not impact the normal functioning of SCADA system no additional delay introduced in the communication between the SCADA and substations 9

Monitor Control Commands Bro intrusion detection system (IDS) is adapted to analyze network packets transmitted using the DNP3 protocols Network IDS distinguishes critical commands from noncritical ones Critical commands: commands that can operate physical devices and potentially change the system state Command Type Read Write (Critical) Execute (Critical) Description Retrieve measurements from remote substations, e.g., read binary outputs Configure intelligent field devices, e.g., open, edit, and close a configuration file Operate actuators or sensors, e.g., open or close a breaker connected to a relay 10

Evaluation Testbed Setup Hardware and system software An Intel i3 (3.07 GHz) quad-core; 4 GB RAM, running Linux OS Application software SCADA master and DNP3 slave implemented using open source DNP3 library Produce synthetic DNP3 network traffic Intrusion detection system Bro IDS with integrated DNP3 analyzer to monitor network traffic Matpower, an open source Matlab toolbox for power flow analysis 11

Effects of Malicious System Changes SCADA master issues DNP3 network packets to change power system states The traffic includes network packets, representing read, write, and execute commands Include the maliciously crafted commands IEEE 30-bus system analyzed Cmd Type Read Write Description Request to read (i) static data and (ii) event data from relays Request to (i) update the static configuration file and (ii) open/close an application in a relay Event Pattern Periodic event with interval of 1 second Poisson process with average command arrival interval of 50 seconds Execute Request to open/close a breaker of a relay Poisson process with average command arrival interval of 100 seconds 12

IEEE 30-bus System Malicious changes Increase generation (at bus 2, 13, 22, 23, and 27) by 50% Increase load demand by 50% Open 3 transmission lines at random All changes simultaneously 13

Procedure to Check System State Malicious System Changes State Estimation Check Line Status Check line status Voltage drop limit the voltage at the receiving end (VR) and at the sending end (VS) of a single transmission line should satisfy the operational condition VR / VS 0.95 Within Steady-state Limit? Yes No secure insecure Within Voltage Drop? Yes secure Steady-state stability limit the maximum power that a line can carry. Security Metric Number of insecure lines 14

Effect of System Changes Coordinated system changes (i.e., combination of increase in generation and load demand, and line outage) put up to 9 additional lines in insecure conditions To escape detection an attacker may want to avoid making changes to many physical components attack when the system is most vulnerable, e.g., in presence of already high load demand opening a few transmission lines may be sufficient to create a blackout 15

Performance Evaluation: Setup SCADA master is configured to simulate 24 hours of operations 77,000 read commands 1,800 write commands 900 execute commands Measurements the average execution time of network monitoring, e.g., filtering out noncritical commands and extracting parameters of critical ones the time to carry on contingency analysis for different size test systems 16

Performance Evaluation: Results Execute the contingency analysis to estimate consequences of executing a command monitor critical commands, extract their parameters and deliver to contingency analysis software The time to estimate consequence of executing a command (~100ms) is almost three orders of magnitude higher than the time of the network monitoring (~0.1 ms) 17

Does Measured Performance Allow Timely Semantic Analysis on Critical Commands? Yes! Network traffic involved to carry critical commands in power systems is still low many critical commands to operate substation devices are issued manually the interval between control commands are on the order of seconds (or minutes) There is a limited number of types of critical commands ignore uncritical commands to reduce the frequency of the semantic analysis 18

Conclusions Show that in the Power Grid SCADA, an attacker can use legitimate, but maliciously crafted, commands to put the power system in insecure state Propose a semantic analysis framework based on an IDS extended with network packet analyzer power flow assessment tools to (preemptively) estimate the execution consequence of a command and prevent the system damage Evaluated the approach on the IEEE 30-bus system the semantic analysis provides reliable detection of malicious commands with a small overhead 19

Future Work Improve performance of the state estimation consider different strategies as to how and when to re-compute the system state Investigate response to a detected intrusion e.g., postpone a command 20

Acknowledgments Hui Lin Adam Slagell Peter Sauer Ravishankar Iyer Our sponsors: DOE, DHS, and NSF 21

Current Status of the Software The DNP3 analyzer is already included in the Bro IDS official branch which you can download at: http://www.bro.org/download/index.html The source code of the analyzer can be found at: bro/src/analyzer/protocol/dnp3 22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information