10/12/2010 Project Plan | Tony Gedwillo, James Parrott, David Ryan SDMAY11/11 CYBER SECURITY OF SCADA SYSTEMS TESTBED


TABLE OF CONTENTS

Problem statement
System overview
  System Description
  Conceptual Diagram
Market and Literature Survey [10]
  NSTB
  NERC
  US-CERT CSSP
Operating environment and Technology Considerations
  Siemens SCALANCE S612 Security Module
  Siemens SIPROTEC 4 7SJ61 Relay (Sensor)
  Siemens Spectrum Power TG SCADA/EMS (HMI)
  Siemens SICAM PAS v6.00 (RTU)
  Siemens DIGSI 4
  Virtualization Software
  Vulnerability assessment software
Expected Project Deliverables
  Virtualized test bed
  Vulnerability assessment and fixes
  Physical representation of relay outputs
Requirements
  Functional Requirements
    Virtualization
    Cyber security
    Power system integration
  Non-functional Requirements
  Optional Requirements
Work plan
  Tasks
  Schedule
  Risks
  Mitigation of Risks
Resource Requirements
  Personnel
  Hardware
  Project Milestones and tracking
  Software and Facilities
Client Information
  Client and Faculty Advisor
  Student Team Members
References

PROBLEM STATEMENT

Supervisory Control and Data Acquisition (SCADA) systems are the nervous systems for the body of our country’s infrastructure. This body includes many systems that are vital to the function of our society: power, water, natural gas, oil, and road traffic systems—among many others. However, the nervous systems (SCADA systems) that control our infrastructure are currently vulnerable to cyber-attack. “Since the mid-1990’s, security experts have become increasingly concerned about the threat of malicious cyber attacks on the vital supervisory control and data acquisition (SCADA) systems used to monitor and manage our energy systems. Most SCADA system designs did not anticipate the security threats posed by today’s reliance on common software and operating systems, public telecommunication networks, and the Internet.” [1]

Our goal is to improve the cyber security of SCADA systems by making our own SCADA test bed, where we can simulate power systems and the communication protocols they use, and attempt cyber attacks on our systems. Through this process, we can test commercial SCADA protection products and report their vulnerabilities. We can also demonstrate the effects a SCADA cyber attack can have on a power system. We will be improving the test bed created by the previous year’s team. We will be adding virtualization, power flow analysis, and more advanced cyber-attacks.

SYSTEM OVERVIEW

SYSTEM DESCRIPTION

A SCADA system can be separated into these 4 components:

• Control Center – Usually consists of a Human-Machine Interface (HMI) by which a human operator can view process data and control that same process.

• Supervisory Station – Consists of the servers, software and stations responsible for providing communication between the Control Center and the RTUs.

• Remote Terminal Unit (RTU) – Typically connected to physical equipment. Used to convert electrical signals from hardware sensors to digital data, which is collected by the supervisory station.

• Sensor – A device that measures an analog or status value in some element of a process; a sensor collects the raw process data used to make decisions about a process.

CONCEPTUAL DIAGRAM

[Figure: conceptual diagram of the test bed. Labels: Proposed Virtualized Substations; SICAM 1 to N, each with Relay 1 to N; Substation 1 and Substation 2 SCALANCE; Substation 3 to N Firewall; Control Center SCALANCE; Human Machine Interface 1; Human Machine Interface 2; DTS; Web Access; Remote Workstation; Internet.]

MARKET AND LITERATURE SURVEY [10]

NSTB

The National SCADA Test Bed (NSTB) is a national effort focused on the identification and mitigation of new and existing security vulnerabilities in SCADA systems, as well as on raising awareness of control system security, specifically within the energy sector. The NSTB is a special collaboration between both public and private sector entities representing the energy sector and equipment vendors. The primary goals of this effort, as listed by the NSTB, are to:

• Raise industry awareness of system vulnerability issues and mitigation techniques

• Collaborate with industry to identify, assess, and mitigate current SCADA system vulnerabilities

• Work with industry to develop near-term solutions and risk mitigation strategies for existing systems

• Develop best practices as well as next-generation architectures for intelligent, inherently secure and dependable control systems and infrastructures

• Support development of national standards and guidelines for more secure control systems

These research goals are geared towards answering and satisfying the problem and need statement of this project as well as industry need.

One of the primary functions of the NSTB program is to provide control system security assessment of industry hardware and software SCADA systems and associated devices. Typically, the NSTB will develop an agreement that defines a working relationship with an intended industry partner. The NSTB will then obtain and set up any equipment or software that is intended for testing. After the test bed has been set up and configured using the industry equipment, the NSTB will perform tests to identify possible cyber security vulnerabilities within the SCADA system. At this point a test evaluation report is created for the industry partner that assesses and presents the results of the cyber security tests performed on the system.

NERC

The North American Electricity and Reliability Corporation (NERC) is an organization focused on development and enforcement of reliability standards in power systems. In 2007 the Federal Energy Regulatory Commission (FERC) granted NERC the legal authority to enforce reliability standards on all bulk power system users, owners, and operators within the US. With this authority NERC made compliance with NERC reliability standards both mandatory and enforceable.

While it is only one aspect of NERC’s operations, the NERC Critical Infrastructure Protection (CIP) program is currently coordinating with the energy sector to evaluate and provide standards to improve and protect critical infrastructure against physical and cyber-attack. The key efforts in support of this goal include:

• Standards development

• Compliance enforcement

• Assessment of risk and preparedness

• Disseminating critical information via industry alerts

• Raising awareness of key issues

The Critical Infrastructure Protection (CIP) program maintains and updates a set of standards known as the CIP Reliability Standards; industry systems which meet or comply with the CIP standards are known to be ‘CIP-Compliant.’ Dissemination and enforcement of these standards is performed by NERC, and it is through enforced compliance with these standards that increased security within energy critical infrastructure can be achieved. CIP reliability standards include:

• CIP-001-1 Sabotage Reporting
• CIP-002-1 Critical Cyber Asset Identification
• CIP-002-2 Cyber Security – Critical Cyber Asset Identification
• CIP-003-1 Security Management Controls
• CIP-003-2 Cyber Security – Security Management Controls
• CIP-004-1 Personnel & Training
• CIP-004-2 Cyber Security – Personnel & Training
• CIP-005-1 Electronic Security Perimeter(s)
• CIP-005-2 Cyber Security – Electronic Security Perimeter(s)
• CIP-006-1 Physical Security of Cyber Assets
• CIP-006-2 Cyber Security – Physical Security of Cyber Assets
• CIP-007-1 Systems Security Management
• CIP-007-2 Cyber Security – Systems Security Management
• CIP-008-1 Incident Reporting and Response Planning
• CIP-008-2 Cyber Security – Incident Reporting and Response Planning
• CIP-009-1 Recovery Plans for Critical Cyber Assets
• CIP-009-2 Cyber Security – Recovery Plans for Critical Cyber Assets

Another aspect of NERC’s CIP program is the Electric Sector Information Sharing and Analysis Center (ES-ISAC), which is responsible for dissemination of critical information regarding infrastructure protection to industry partners and participants. The information provided by ES-ISAC includes vulnerability alerts, protection strategies and threat levels.

US-CERT CSSP

The focus of the United States Computer Emergency and Response Team (US-CERT) is to provide response support and defense against cyber-attacks for the Federal Civil Executive Branch, as well as collaboration and information sharing with state, local, industry and international partners. The US-CERT has coordinated with the Department of Homeland Security National Cyber Security Division (DHS NCSD) to reduce risk in critical infrastructure through the joint Control System Security Program (CSSP). In addition to assessing and reducing risk in critical infrastructure, the CSSP coordinates activities to reduce the success and impact of attacks against critical infrastructure control systems through various risk-mitigation activities. Most of the efforts of the US-CERT CSSP are focused on dissemination of critical information regarding security threats and vulnerabilities and on development of recommended security best practices in collaboration with industry experts through the CSSP workgroup. Other tools offered through the US-CERT CSSP include training courses geared towards control system security, the Cyber Security Evaluation Tool (CSET) used to assess control system and IT network security practices, and numerous documents pertaining to cyber security best practices, common vulnerabilities, and case studies.

OPERATING ENVIRONMENT AND TECHNOLOGY CONSIDERATIONS

Our SCADA network test bed consists of a few key pieces of hardware and software:

• Hardware
  o Siemens SCALANCE S612 Security Module
  o Siemens SIPROTEC 4 7SJ61 Relay (Sensor)

• Software
  o Siemens Spectrum Power TG SCADA/EMS (HMI)
  o Siemens SICAM PAS v6.00 (RTU)
  o Siemens DIGSI (Software for SIPROTEC Protection Relays)
  o Virtualization Software
  o Vulnerability Assessment Software

SIEMENS SCALANCE S612 SECURITY MODULE

SCADA systems operate across large distances and are required to transmit process information across Wide Area Networks (WANs). It is therefore important to employ some sort of protection method to ensure the integrity and confidentiality of this data. The SCALANCE S612 Security Module is used to provide point-to-point data integrity and confidentiality within SCADA system networks by controlling data traffic to and from SCALANCE S612 cells. These devices will be used within our SCADA system test bed to protect information being transmitted between our SCADA control center and substation RTUs across Wide and Local Area Networks.

This device, developed by Siemens, is designed to provide data protection to and from the SCALANCE cell by being connected upstream from the devices to be protected. The SCALANCE device solves the problem of security rule and configuration checks that hinder the transmission and use of information in real time by encrypting and sending data transmissions in real time. The SCALANCE S612 can protect up to 32 devices and supports a maximum of 64 VPN tunnels simultaneously. [2]

SIEMENS SIPROTEC 4 7SJ61 RELAY (SENSOR)

The SIPROTEC 4 7SJ61 Relay can be used to provide simple control of circuit-breaker and automation functions [3] and will be used in our SCADA system test bed to act as a sensor that performs our system’s process data collection. The relays that will be used within our SCADA system will be operated and managed by Siemens DIGSI 4 software, allowing the operator to implement customized automation functions via the relays’ integrated programmable logic (CFC). [3]

SIEMENS SPECTRUM POWER TG SCADA/EMS (HMI)

The Spectrum Power TG software is the supervisory control and data acquisition (SCADA) system within our test bed. It is also the Human-Machine Interface (HMI) by which a human operator can view data from and make decisions about a process.

According to Siemens, this software is the most reliable, scalable, flexible, highly available SCADA system on the market and can be used to control various large scale infrastructures such as those of electric, gas, and water utilities and railways. This system is scalable from a single Substation/RTU to the world’s largest control centers, with a hierarchical system capable of linking an infinite number of systems. [4]

SIEMENS SICAM PAS V6.00 (RTU)

SICAM PAS (Power Automation System) is a piece of software used in conjunction with Spectrum Power TG software as a part of a SCADA system. The SICAM PAS software runs on and acts as a Remote Terminal Unit that is responsible for interpreting sensory data about a process and communicating this data to a control center running the Spectrum Power TG software.

Siemens describes SICAM PAS as a computer-based information management system used to structure the diverse substation information and ensure that it is used efficiently. This software can be implemented in a distributed configuration, allowing the system to operate simultaneously on multiple systems. At the same time SICAM PAS acts as a gateway, requiring only one connection to higher-level control centers. [5] SICAM PAS can use existing hardware components and communication standards as well as their connections. [5]

SIEMENS DIGSI 4

The Siemens DIGSI 4 software is used for configuration, operation and organization of Siemens SIPROTEC protection relays. This software will be used in this capacity to support the SIPROTEC Relays used in our SCADA system test bed to retrieve simulated “process information”.

DIGSI 4 is considered Siemens’ easy-to-use and user-friendly solution for commissioning and operation of Siemens protection devices. This system integrates password protection to restrict access for different jobs to authorized staff only. The DIGSI software allows easy use of PLCs with a graphical editor, without any programming skills. [6] Additionally, DIGSI remote allows access to process data and event logs from a remote station when the location of a relay station may be far away.

VIRTUALIZATION SOFTWARE

In order to provide virtualized substations for the test bed, we will be using the VMware ESXi hypervisor operating system to host all the virtual machines. This OS is used by many companies for their virtual platform. It allows easy control over virtual machines by using a vSphere client to connect to the VMware server. VMware ESX also supports virtual machine templates, meaning that we can set up an RTU the way we want and then deploy many RTUs from that one RTU.

VULNERABILITY ASSESSMENT SOFTWARE

We plan to use a variety of free and open source software to conduct our vulnerability assessment. As a starting point, we plan on using Nmap, Wireshark, and the BackTrack distribution of Linux.

Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. [7]

Wireshark is the world's foremost network protocol analyzer, and is the de facto standard across many industries and educational institutions. It allows for deep inspection of hundreds of protocols, live capture and offline analysis of network traffic, and the most powerful display filters in the industry. [8]

BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. BackTrack promotes a quick and easy way to find and update the largest database of security tools collection to-date. [9]

EXPECTED PROJECT DELIVERABLES

VIRTUALIZED TEST BED

One of our goals is to have virtualized substations in the test bed. This will allow for scalability and ease of configuration for the test bed. The virtualized test bed will be delivered in April of 2011.

VULNERABILITY ASSESSMENT AND FIXES

The main goal of this test bed is to find cyber-security flaws and find ways to fix them. Our plan is to first find exploits for the SCADA system, then assess the effect of the attack on the system and then finally provide fixes to the exploit. This will be an ongoing task and will be delivered at the end of the project, in May 2011.

PHYSICAL REPRESENTATION OF RELAY OUTPUTS

This is an optional deliverable, but we would still like to include it in our report. This physical representation of the relay outputs will take information from virtualized relays and then map them to a physical representation. We are thinking that we could have a map with LEDs to represent a “real world” power grid. This would help us demonstrate the test bed to those not familiar with the technology. If able to, we plan to deliver this in May 2011.

REQUIREMENTS

FUNCTIONAL REQUIREMENTS

VIRTUALIZATION

• Create a virtualized platform that allows network stack inspection.
  o Creating a virtualized platform will be the basis of adding more substations to the current test bed. Since we are limited on financial resources, we are unable to purchase more SIPROTEC Relays and SCALANCE devices. We need a virtualized platform that will allow virtual substations that can connect to the physical test bed. We also need this platform to have the ability of network stack inspection in order for us to test cyber-attack scenarios.

• Create virtualized images for RTUs, Control Center, firewalls and Relays
  o In order to fully virtualize a substation, we will need to create virtual images for each segment of the substation. Creating a virtualized image for the RTU should be somewhat basic since it is a software application that runs on Windows. Creating a virtualized relay will be more difficult since it will require finding a relay simulator that can communicate with the RTU. We can use an open source firewall solution to simulate the SCALANCE firewalls.

• Virtualized system should be scalable to provide more realistic scenarios.
  o We want this system to be scalable to upwards of 30, if not more, substations. To be able to do this, we will first need to purchase and install a physical virtual host server with properly allocated physical resources. The substations should be deployed from the server.

CYBER SECURITY

Our analysis of vulnerabilities should follow industry’s best practices. We plan on touring the MidAmerican Energy control center in Des Moines to see how they handle their security issues. We plan on investigating other industry practices, and modeling our system after commonly used industrial techniques. Additionally, attack scenarios should directly display power flow modification.

POWER SYSTEM INTEGRATION

• Integrate DTS with current SCADA test bed
  o We want to integrate our Dispatcher Training Simulator (DTS) in Spectrum Power TG into our test bed. The DTS has power flow analysis abilities, and we want to use these to model a system and make our cyber-attack scenarios more realistic. We need to figure out how the DTS operates and use that knowledge to integrate the DTS into our SCADA system in real time.

• Power Simulation should represent real world scenarios
  o We want the integration between the Power Flow Simulation of the DTS and the test bed to be able to represent real world scenarios. This will make the test bed more realistic and applicable to the world’s SCADA systems.

NON-FUNCTIONAL REQUIREMENTS

We have a few minor requirements that we have deemed “non-functional”:

• Minimal configuration on virtual image deployment
  o We want our system to be easy to set up and analyze. We don’t want to have to configure each of our virtual images individually.

• Images should have backups to prevent loss
  o We are currently using one external hard drive to accomplish this task, but we are looking into other solutions.

• Attack scenarios can be demonstrated without requiring detailed information on attack functionality
  o The simpler we make our system to operate, the easier it will be to demonstrate it to the Senior Design Review Board and others who wish to see a demonstration.

• All test equipment should function correctly

• Power flow system should be easily interpreted
  o Again, we want observers to understand what’s happening in our system. If the casual viewer can’t easily understand what’s going on, they will lose interest.

OPTIONAL REQUIREMENTS

• Power system should be represented physically
  o This will help observers quickly and easily understand the implications of a cyber-security attack. We are considering using an LED display to model transmission lines, substations, relays, generators, and loads. This LED display would make our SCADA system very easy to conceptualize, and it will make our system look more attractive and functional to observers.

WORK PLAN

TASKS

We are focusing on three task areas for this project: Virtualization, Power Flow Integration and System Vulnerability Assessment. Below are the detailed tasks for each.

• Virtualization
  – Test virtualization of substation on PC and make sure it integrates correctly.
  – Install and deploy physical server.
  – Deploy and test virtual substations. Integrate with test bed.
  – Develop physical representation of substation relays and integrate with test bed.

• Real-Time Implementation of Power Flow Software
  – Network and software familiarization.
  – Develop integration with physical test bed.
  – Develop power system scenarios. Test the scenarios.

• System Vulnerability Assessment
  – Research system and networking protocols.
  – Analyze network traffic.
  – Create and test attacks.
  – Assess the impact on the Virtualization and Power Flow components.
  – Provide fixes for attacks and make recommendations.

SCHEDULE

Each team member is focusing on one of the specific areas as listed above. James is working on Virtualization, Tony is working on Power Flow Integration and David is working on Cyber Security Analysis. Each member will focus on their individual area with the main goal of providing better analysis of cyber security threats. Below is a Gantt chart of our work schedule.

RISKS

The primary risk, at least initially, is a lack of training on our part. This is a complex, industrial grade system that we are working on, and it requires a lot of training. Add to this the poor documentation that was sent with the system, and we have a very high learning curve.

We also run the risk of breaking the system, or at least making it non-functional. This could happen through improper usage, most likely through uploading bad configurations to the equipment. It is also possible that we could corrupt the equipment with a successful attack.

A third possibility is finding that some of the equipment is malfunctioning. We have already had one of the software’s USB authentication dongles go bad, which puts the software back into demo mode and lets it run for a maximum of three hours.

MITIGATION OF RISKS

We have hundreds of pages of manuals to learn from or to refer to if we have any questions. We also have access to some grad students who are familiar with the test bed, who will provide some much-needed expertise to our project.

We need to ensure that devices can be restored to a working configuration. As such, we need to make sure that we back up any and all working configurations. This way, if a configuration change seems to bring down the system, we can compare the current configuration against one that we are certain is valid.
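One way to carry out the backup-and-compare step described above, as an added example that is not part of the original project plan. It assumes the device configurations can be exported as text files ending in `.cfg`; the file names, setting names and values are constructed for illustration and are not taken from the test bed.

```python
import difflib
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(config_dir, baseline_dir):
    """Copy each exported config into baseline_dir and record its SHA-256."""
    baseline_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(config_dir.glob("*.cfg")):
        data = path.read_bytes()
        (baseline_dir / path.name).write_bytes(data)
        manifest[path.name] = hashlib.sha256(data).hexdigest()
    (baseline_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def compare(config_dir, baseline_dir):
    """Return {filename: changed lines} for configs that differ from the baseline."""
    manifest = json.loads((baseline_dir / "manifest.json").read_text())
    drift = {}
    for name, digest in manifest.items():
        current = config_dir / name
        if not current.exists():
            drift[name] = ["<missing from current export>"]
            continue
        data = current.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # unchanged since the known-good snapshot
        old = (baseline_dir / name).read_text().splitlines()
        new = data.decode().splitlines()
        diff = difflib.unified_diff(old, new, lineterm="", n=0)
        # Drop the two file-header lines and the @@ hunk markers.
        drift[name] = [l for l in list(diff)[2:] if not l.startswith("@@")]
    return drift


def demo():
    """Constructed sample: two relay setting exports, one changed after the snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        live, base = Path(tmp, "live"), Path(tmp, "baseline")
        live.mkdir()
        (live / "relay1.cfg").write_text("pickup_current=5.0\ntrip_delay_ms=100\n")
        (live / "relay2.cfg").write_text("pickup_current=4.0\ntrip_delay_ms=150\n")
        snapshot(live, base)
        (live / "relay2.cfg").write_text("pickup_current=40.0\ntrip_delay_ms=150\n")
        return compare(live, base)
```

Taking the snapshot only after a configuration has been verified as working, and storing the baseline directory away from the machines being attacked, keeps the comparison trustworthy.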

RESOURCE REQUIREMENTS

PERSONNEL

Labor for this project will be shared between the three project members. Given our project goals and tasks, we estimate that we will spend a total of 500-600 hours on this project. This will result in a total cost of $10,000-12,000 (at $20/hr). This project depends heavily on research and development, and the SCADA software has an extremely steep learning curve. In addition, we have an entire year's worth of research to catch up on. This means that the first few weeks will be spent primarily training.

HARDWARE

Since the test bed has already been established, there will be relatively few hardware expenditures. If we are able to successfully virtualize a network of substations, we intend to purchase a server capable of sustaining as large a virtual network as possible, though a good starting point is around 30 stations. We also want to make some upgrades to the physical representation of the power grid. Our initial idea is to add a map or an LED board to give a more visual representation of the network status.

PROJECT MILESTONES AND TRACKING

This project has multiple milestones in the progress of the tasks. For the virtualization segment, there are two milestones. The first milestone is being able to prototype a complete virtual substation connected to the test bed. The second milestone is connecting many, upwards of 30, substations to the test bed. In the Real-time Simulation of Power Flow, there are also two milestones. The first milestone is to be able to integrate real-time simulation into the test bed. The second is to simulate real-world scenarios with the test bed. For the Cyber-Security Analysis part of the project, no milestones were set; this part is an ongoing cycle of testing an attack, assessing the attack's effects and providing mitigation for the attack.

SOFTWARE AND FACILITIES


The software costs will be zero. The Siemens SCADA software is already present, VMware's virtualization software has a free license option, and any security auditing tools we are likely to use are free and open source.

Item                                      Cost

Personnel
  500-600 hours                           $10,000-$12,000

Hardware
  Virtualization Server                   $3000-$10,000
  Power System Physical Representation    $100-200
  SIPROTEC 4 7SJ61 Relays                 $0
  SCALANCE S612 Security Module           $0

Software
  Spectrum Power TG SCADA/EMS (HMI)       $0
  SICAM PAS v6.00 (RTU)                   $0
  DIGSI (Relay Configuration)             $0
  VMware ESXi                             $0
  NMap                                    $0
  Wireshark                               $0
  BackTrack Linux                         $0

Total                                     $13,100-$22,200

Table 1: Budget estimate

CLIENT INFORMATION

CLIENT AND FACULTY ADVISOR

Manimaran Govindarasu 3227 Coover Hall Ames IA 50011-3060 Email: [email protected]

STUDENT TEAM MEMBERS

Tony Gedwillo 6212 Frederiksen Ct Ames, IA 50010 Email: [email protected]

James Parrott 416 Ash Ave Ames, IA 50014-7064 Email: [email protected]

David Ryan 2304 Wallace Rambo Ames, IA 50012 Email: [email protected]


REFERENCES

1) http://www.inl.gov/scada/factsheets/d/nstb.pdf

2) http://www.automation.siemens.com/mcms/industrial-communication/en/ie/industrial-security/scalance-s/Pages/scalance-s.aspx

3) http://www.energy.siemens.com/hq/en/automation/power-transmission-distribution/protection/overcurrent-relays/siprotec-4-7sj61.htm

4) http://www.energy.siemens.com/us/en/automation/power-transmission-distribution/control-center-and-energy-management-solutions/spectrum-power-scada-ems.htm

5) http://www.energy.siemens.com/us/en/automation/power-transmission-distribution/substation-automation/sicam-pas/sicam-pas-software.htm

6) http://www.energy.siemens.com/hq/en/automation/power-transmission-distribution/protection/software/digsi-4.htm

7) http://nmap.org/

8) http://www.wireshark.org/about.html

9) http://www.backtrack-linux.org/

10) Market and Literature Survey information taken from previous senior design team May1013