Cyber Security of SCADA Systems Testbed Development
Group Members: Justin Fitzpatrick, Rafi Adnan, Michael Higdon, Ben Kregel
Adviser: Dr. Manimaran
What is SCADA?
- Supervisory Control and Data Acquisition
High Level Components
- Human Machine Interface
- Remote Terminal Unit
- Sensors
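SCADA Network Topology
[Figure: network diagram with nodes Host 1, Host 2, Control, WWW, Sub 1, Sub 2, Relay 1, Relay 2, Sicam 1 and Sicam 2. One full address, 129.186.5.195, is legible; the remaining labels show only final octets (...193, ...194, ...201, ...203, ...210, ...213, ...217, ...218).]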
Motivation
- Reliability
- Protection against attack
- Proactive development of security compliance solutions
Requirements and Goals
- Develop system software fluency
- Develop SCADA testbed
- Configure network communication
- Integrate hardware simulation
- Power TG
- Relays
- SCADA system security evaluation and testing
Constraints
- Time and scheduling resources
- Homeland security protocols
- Learning curve for equipment
- Limited test equipment
  - 2 relays
  - 3 SCALANCE units
Project Design
- Large project scope
- One piece at a time
- Small “experiments”
Schedule
- Establish a software model
  - Substations and generation
  - October 2009
- Integrate hardware into software
  - Establishes a full test bed
  - December 2009
- Test vulnerabilities and holes in system
  - Jan-May 2010
Experiment 1
- Purpose
  - Understand software and devices
- Deliverables
  - Software guides and explanations
- Testing
  - Set-up/configuration of software and devices
Software and Devices
- Software
  - Power TG
  - DNP server
  - SICAM PAS
  - DIGSI
  - SCALANCE configuration software
- Devices
  - SCALANCE
  - Relays
Experiment 2
- Purpose
  - Connectivity within SCADA network
- Deliverables
  - Network hardware setup (switches, Ethernet)
  - Power TG can communicate with SICAM RTUs
- Testing
  - RTUs connect to DNP server
  - Ability to trip (on/off) specific RTU relay
SCADA Network Topology
[Figure: same network diagram as on the earlier SCADA Network Topology slide.]
DNP Server Connection
Tripping a Relay
Experiment 3
- Purpose
  - Implementation of SCALANCE units
- Deliverables
  - Insertion of SCALANCE devices into network as gatekeepers
- Testing
  - RTUs connect to DNP server
  - Ability to trip (on/off) specific RTU relay
  - Block unauthorized connections
  - Inability to create connections to the outside
SCALANCE Modules
- Will be primarily used for firewall and IPsec tunnel (VPN)
- Protocol independent
- No repercussions when included in flat networks
- Protection for devices and network segments
Secured by Firewall
- Need to set up all rules for incoming and outgoing packets via IP addresses
- Does not let anything else in or out
- Effectively the same as tunneling
- Very inconvenient
Security Topologies
Secured by IPsec Tunnels
- Only communication between SCALANCE devices allowed.
- All nodes behind SCALANCE can talk to other nodes behind SCALANCE devices.
  - Dashed green lines on next slide
- No additional rules required.
- Add to group and automatically part of tunnel.
Security Topologies
NAT Router Mode
- All internal nodes send packets to the external network and keep their IP addresses hidden by the NAT functionality
- Used to protect IP address of each node behind SCALANCE device
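Added example (not part of the original slides): a simplified Python model of the firewall and IPsec tunnel modes from the slides above, checked against the Experiment 3 test criteria. The addresses are constructed documentation-range values and all function names are hypothetical; it does not reproduce the SCALANCE configuration software.

```python
from ipaddress import ip_address
from itertools import permutations

# Constructed addresses (RFC 5737 documentation ranges). Assumption: they stand
# in for the testbed's nodes; they are not the addresses on the topology slide.
CONTROL = ip_address("192.0.2.10")                           # control host / DNP server
RTUS = [ip_address("192.0.2.21"), ip_address("192.0.2.22")]  # substation RTUs
OUTSIDE = ip_address("198.51.100.7")                         # any host beyond the testbed


def firewall_rules(control, rtus):
    """Firewall mode: one explicit rule per direction for every permitted pair."""
    rules = set()
    for rtu in rtus:
        rules.add((control, rtu))  # outgoing: polls and trip commands
        rules.add((rtu, control))  # incoming: RTU responses
    return rules


def firewall_allows(rules, src, dst):
    """Default deny: a packet passes only when an explicit (src, dst) rule exists."""
    return (src, dst) in rules


def tunnel_allows(group, src, dst):
    """IPsec mode: both endpoints must sit behind devices in the same group."""
    return src != dst and src in group and dst in group


def full_mesh_rule_count(nodes):
    """Directed rules firewall mode needs for every node to reach every other."""
    return len(list(permutations(nodes, 2)))


def experiment3_checks(allows):
    """Evaluate the Experiment 3 test criteria against a policy function."""
    inside = [CONTROL, *RTUS]
    return {
        "control_reaches_rtus": all(allows(CONTROL, r) and allows(r, CONTROL) for r in RTUS),
        "unauthorized_blocked": not any(allows(OUTSIDE, n) for n in inside),
        "no_connections_outside": not any(allows(n, OUTSIDE) for n in inside),
    }


if __name__ == "__main__":
    rules, group = firewall_rules(CONTROL, RTUS), {CONTROL, *RTUS}
    print("firewall:", experiment3_checks(lambda s, d: firewall_allows(rules, s, d)))
    print("tunnel:  ", experiment3_checks(lambda s, d: tunnel_allows(group, s, d)))
    print("full mesh of 10 nodes:", full_mesh_rule_count(range(10)), "rules vs 10 group entries")
```

Both policies pass the same three checks; the difference is that firewall mode needs a rule per direction per pair, while tunnel mode only needs each node's gateway added to the group.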
Experiment 4
- Purpose
  - Implementation of adjustable load on relay
- Deliverable
  - Adjustable load connection to RTU relay
  - Power TG automatically trips relay if load exceeds a pre-set threshold
- Testing
  - Relay trips when load exceeds threshold
SCADA Network Topology
[Figure: same network diagram as on the earlier SCADA Network Topology slide.]
Plan for Load Testing
- Develop a variable load
  - Run load through relays
- Monitor load data with Power TG
- Define low and high constraints
  - Dependent upon observed load
- Operate relays
  - Open circuits
Experiment 5
- Purpose
  - Security evaluation
- Deliverable
  - Look for vulnerabilities
  - Development of attacks to penetrate SCADA network to perform malicious actions
- Testing
  - Play-out and determine if attacks are effective
Security Test Plan
- Try and come up with attack scenarios
  - Packet flooding
  - Compromising VPN security?
  - Physical intrusion
- Run attack/defense simulations
- Use CSET to verify CIP compliance
Questions?