Cyber Security of SCADA Systems

TEAM:ANTHONY GEDWILLO (EE)JAMES PARROTT (CPRE)DAVID RYAN (CPRE)

CLIENT:DR. GOVINDARASU, IOWA STATE UNIVERSITY

Problem Statement

“Since the mid-1990’s, security experts have become increasingly concerned about the threat of malicious cyber attacks on the vital supervisory control and data acquisition (SCADA) systems used to monitor and manage our energy systems. Most SCADA system designs did not anticipate the security threats posed by today’s reliance on common software and operating systems, public telecommunication networks, and the Internet.”

Operating Environment

Our testbed will operate in a permanent location: Coover 3042.

User Interface Description

Siemens Spectrum Power TG
• This software will function as our Human-Machine Interface (HMI) for our SCADA testbed.

Functional Requirements

Virtualization
• Create a virtualized platform that allows network stack inspection.
• Create virtualized images for RTUs, Control Center, firewalls and Relays.
• The virtualized system should be scalable to provide more realistic scenarios.

Cyber Security
• Produce a report detailing security vulnerabilities of the system.
• Implement attacks discovered during the vulnerability assessment.

Power System Integration
• Integrate DIgSILENT PowerFactory with the SCADA testbed.
• The power simulation should represent a real-world scenario.

Non-Functional Requirements
• Minimal configuration on virtual image deployment.
• Images should have backups to prevent loss.
• Attack scenarios can be demonstrated without requiring detailed information on attack functionality.
• The assessment shall function as comprehensive documentation of the security state of the system.
• All test equipment should function correctly.
• The power system should be represented in a manner that is easy to understand.

Market Literature Survey

• National SCADA Test Bed (NSTB)
• North American Electric Reliability Corporation (NERC): Critical Infrastructure Protection (CIP)
• United States Computer Emergency Readiness Team (US-CERT)

Deliverables

A testbed that can be used both for demonstrations and for development of cyber security attacks.

• At least 15 nodes (virtual and physical mixed)
• Cyber attacks we have created to demonstrate vulnerabilities

Resource Requirements

Personnel
  500-600 hours                               $10,000-$12,000
Hardware
  Virtualization Server (?)                    $3,000-$10,000
  SIPROTEC 4 7SJ61 Relays                                  $0
  SCALANCE S612 Security Module                            $0
Software
  Spectrum Power TG SCADA/EMS (HMI)                        $0
  SICAM PAS v6.00 (RTU)                                    $0
  DIGSI (Relay Configuration)                              $0
  DIgSILENT PowerFactory (Power Flow)                      $0
  VMware ESXi                                              $0
  Nmap                                                     $0
  Wireshark                                                $0
  BackTrack Linux                                          $0
Total                                          $13,100-$22,200

Risks and Mitigation

Risks
• Equipment malfunction
• Breaking the testbed:
  - Improper usage
  - Successful attack

Mitigation
• Read the provided manuals
• System configuration back-up

[Figure: Improvement Cycle. A SCADA system with poor security is taken through System Configuration and Improvement, Vulnerability Assessment and Attack Scenario, producing a SCADA system with improved security; the cycle then repeats.]

Functional Decomposition
• Our goal is to improve the cyber security of Supervisory Control and Data Acquisition (SCADA) systems.
• We will construct a testbed that mimics a SCADA system.
• We will be able to run “Improvement Cycles” on the system so a better understanding of its cyber security flaws can be gained.

Virtualization Design
• Virtual RTUs and virtual relays will be installed on the virtual machines.
• These virtual machines will reside on the VMware server.
• These virtual machines will be connected to the SCADA testbed.
• The virtual RTUs will communicate with the control center over Ethernet, behind a physical SCALANCE or a virtual firewall.

Power Flow Simulation Design

[Figure: data flow of the power flow simulation. Components: DIgSILENT PowerFactory (OPC Client); Virtual and Real SICAM PAS (OPC DA Server); Virtualized and Real Relays; Siemens Spectrum Power TG (HMI).]

OPC := OLE for Process Control
OLE := Object Linking and Embedding

Cyber Security Design
• Will use vulnerability scanners to scan for potential vulnerabilities.
• Document and assess these vulnerabilities for potential attack.
• Implement an attack to exploit each vulnerability, documenting outcomes.
• Write a report with detail about vulnerabilities, attacks and potential fixes.

Software and Hardware Used

Our SCADA network testbed consists of a few key pieces of hardware and software:

• Hardware
  • Siemens SCALANCE S612 Security Module
  • Siemens SIPROTEC 4 7SJ61 Relay (Sensor)

• Software
  • Siemens Spectrum Power TG SCADA/EMS (HMI)
  • Siemens SICAM PAS v6.00 (RTU)
  • Siemens DIGSI (Software for SIPROTEC Protection Relays)
  • VMware ESXi 4.1
  • Nessus
  • Other vulnerability assessment software

Vulnerability Assessment Test Plan

1. Validate the System
   – Eliminate any incorrect assumptions
2. Document Running Services
   – Evaluate possible network entry points into each device
   – Check for glaring security holes (open web server, mail server, etc.)
3. Document Well-Known Vulnerabilities
   – Check for popular exploit opportunities (Windows, Adobe Reader, Flash)
4. Document Implementation-Specific Vulnerabilities
   – Vulnerabilities specific to lab equipment and software
5. Attack Implementation
   – Implement attack
   – Document attack procedure
6. Produce Report
   – Existing vulnerabilities
   – Possible impact
   – Possible countermeasures
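Step 2 of the plan (and the "port scan all devices" / "document services running on each port" items under Cyber Attacks) comes down to turning raw scanner output into a per-device inventory of open services with the obvious entry points called out. The following is an added example, not code from the project: it parses a document in the shape of Nmap's `-oX` XML output with the Python standard library, keeps only ports Nmap reports as open on hosts that are up, and flags the services the plan calls glaring holes. The scan document is constructed by hand for this example (addresses, hostnames and products are invented), and the FLAGGED_SERVICES table is an assumption about what the team would flag, not something the page specifies.

```python
"""Service inventory and entry-point flagging from Nmap XML output.

Added example (not the project's code).  SAMPLE_SCAN is constructed by hand
in the shape of `nmap -sV -oX` output; hosts, ports and products are invented.
Only the standard library is used.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Services the test plan calls "glaring security holes" (open web server,
# mail server) plus other cleartext or remote-management services a reviewer
# would flag on SCADA gear.  The list is an assumption for this example.
# Matching is on Nmap's service name, so non-standard ports are still caught.
FLAGGED_SERVICES = {
    "telnet": "cleartext remote shell",
    "ftp": "cleartext file transfer",
    "http": "open web server",
    "smtp": "mail server",
    "ms-wbt-server": "Remote Desktop exposed",
}

# Constructed sample scan.  TCP/102 (iso-tsap) is where IEC 61850 MMS listens
# on a relay; TCP/135 is the DCOM endpoint mapper that OPC DA relies on.
SAMPLE_SCAN = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/24">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="embedded httpd"/></port>
      <port protocol="tcp" portid="102"><state state="open"/><service name="iso-tsap"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

Port = Tuple[str, int, str, str]     # (protocol, port, service name, product)
Finding = Tuple[str, int, str, str]  # (host, port, service name, reason)


def parse_nmap_xml(xml_text: str) -> Dict[str, List[Port]]:
    """Return {address: sorted open ports} for every host Nmap reports as up.

    Closed and filtered ports are dropped: they are not entry points, which is
    what step 2 of the test plan documents.
    """
    inventory: Dict[str, List[Port]] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address")  # first <address> is the IPv4 one in Nmap output
        if status is None or status.get("state") != "up" or addr is None:
            continue
        open_ports: List[Port] = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            product = svc.get("product", "") if svc is not None else ""
            open_ports.append((port.get("protocol", "tcp"), int(port.get("portid", "0")), name, product))
        inventory[addr.get("addr", "")] = sorted(open_ports, key=lambda p: (p[0], p[1]))
    return inventory


def flag_entry_points(inventory: Dict[str, List[Port]]) -> List[Finding]:
    """The 'glaring holes' check: every open port whose service is in FLAGGED_SERVICES."""
    return [
        (addr, num, name, FLAGGED_SERVICES[name])
        for addr, ports in inventory.items()
        for _proto, num, name, _product in ports
        if name in FLAGGED_SERVICES
    ]


def render_report(inventory: Dict[str, List[Port]], findings: List[Finding]) -> str:
    """Plain-text inventory in the form the assessment report needs."""
    lines = []
    for addr, ports in inventory.items():
        lines.append(f"{addr}:")
        for proto, num, name, product in ports:
            lines.append(f"  {num}/{proto}  {name}  {product}".rstrip())
    lines += ["", "Flagged entry points:"]
    for addr, num, name, reason in findings:
        lines.append(f"  {addr}:{num} {name}: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_SCAN)
    print(render_report(inv, flag_entry_points(inv)))
```

On a real run, replace SAMPLE_SCAN with the contents of the file written by `nmap -sV -oX scan.xml <range>`; the parser ignores hosts that are down and ports that are closed or filtered, so the report lists only what an attacker could actually connect to. Step 3 (well-known vulnerabilities) starts from the product strings this inventory preserves, but matching them against published vulnerabilities is a separate task.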

Prototype Implementations and Results

• Delphin-Informatika IEC 61850 Simulator
  – Software solution for use as a virtual relay
  – Designed for use with SICAM PAS and SIPROTEC relays
  – Trial license; limited functionality; expensive
  – End result: chose to use another software solution

• Siemens Spectrum Power TG DTS
  – Dispatcher Training Simulator
  – Desired to have DTS read real-time data points and update the power flow solution in real time
  – Siemens support period expired; bad/no documentation
  – End result: chose to use DIgSILENT PowerFactory instead

Current Project Status

Power Flow Simulation (Tony)
• Create 9-bus test case in DIgSILENT (NOV 2010)
• Configure DIgSILENT with OPC connectivity (FEB 2011)
• Expand power system to 15 buses (MAR 2011)
• Develop display for testbed (OPTIONAL)

Virtualization (James)
• Set up virtual host and install virtual machines
• Set up a virtual RTU and connect it to the HMI
• Set up a virtual relay that can connect to the RTU (FEB 2011)
• Create multiple substations in the testbed (MAR 2011)

Cyber Attacks (David)
• Port scan all devices
• Document services running on each port
• Search for well-known network/server-side vulnerabilities
• Search for well-known client software vulnerabilities
• Search for lab-specific vulnerabilities (CONTINUAL)
• Create attacks for significant vulnerabilities (CONTINUAL)
• Analyze impact of attacks on the system (CONTINUAL)

Plan for Next Semester

• Virtualization
  • Need to finish implementing the virtual relay simulator and connect it to the system.
  • Work on implementing multiple virtual substations into the system.
  • Create easy deployments for substations.

• Power Flow Simulation
  • Configure DIgSILENT to integrate with the testbed.
  • Test out real-world scenarios.

• Cyber Attacks
  • Implement attacks against vulnerabilities.
  • Document findings.

Questions