Copyright (c) 2008, All Rights Reserved. Iowa State University. G. Manimaran & Chen-Ching Liu, CPS-Energy Workshop 2009, Page 1
SCADA control network

[Figure: network diagram of a SCADA control network. A Control Center Intranet (application servers, SCADA servers, database servers, user interfaces, dispatcher training simulators, behind firewalls) connects over a Corporate WAN, a frame relay network, a radio link or a dedicated line to a Substation Intranet (data concentrators, IEDs, engineering consoles, user interfaces, GPS receiver, wireless hub, router, firewall) and to other intranets. Vendor personnel or site engineers, and hackers, reach the network through a remote access network (dial-up, VPN or wireless) and modems; remote access connections run over TCP/IP, and the field devices are reached through the DNP/Modbus protocol. In the diagram each host carries a private 10.0.x.x address (control center hosts on 10.0.1.x, substation hosts on 10.0.10.x, engineering hosts on 10.0.5.x).]
Cyber-Security Threats to Power Grid
Internet-Based Attacks
Protocol Attacks
Intrusions
Worms / Trojan Horse / Spyware
Routing Attacks
Denial of Service (DoS)
SCADA Network – Denial of service attack (model)

[Figure, left, "Schematic of SCADA System": the Control Center Network (application, SCADA and database servers, user interfaces, dispatcher training simulators, GPS receiver, firewall, modem) and the Substation Automation Network (data concentrator, IEDs, user interfaces, firewall, modem), joined through routers and a WAN. Right, "Control Model of SCADA System": a feedback loop in which the controller at the control center compares the sensor output from the substation with a reference (summing junction: + reference, - output) and drives the actuator; the command path from control center to substation carries a forward network delay and the measurement path back a backward network delay.]

A latency increase impacts the real-time operation of the system.
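The control model on this slide, simulated as an added example that is not part of the original slides: a plant at the substation driven by a proportional controller at the control center, with the forward (command) and backward (measurement) network delays modelled as FIFO buffers. The integrator plant, the gain of 0.5 and the delay values are assumptions chosen for illustration; the critical-gain formula is the standard stability bound for this delayed integrator loop, and it shows that latency added by a DoS on either path eats the stability margin until the loop stops tracking.

```python
from collections import deque
from math import pi, sin


def simulate_scada_loop(reference=1.0, gain=0.5, forward_delay=0,
                        backward_delay=0, steps=200):
    """Return the true tracking error (reference - plant state) at each step.

    Plant at the substation (assumed integrator): x[k+1] = x[k] + u_applied[k].
    Controller at the control center: u[k] = gain * (reference - y_seen[k]).
    The two deques are the network paths: a value pushed now is delivered
    `delay` samples later, so added latency is simply added buffer length.
    """
    x = 0.0
    fwd = deque([0.0] * forward_delay)   # control center -> actuator
    bwd = deque([0.0] * backward_delay)  # sensor -> control center
    errors = []
    for _ in range(steps):
        errors.append(reference - x)
        bwd.append(x)                    # sensor sample leaves the substation
        y_seen = bwd.popleft()           # ...and arrives after backward_delay
        u = gain * (reference - y_seen)  # controller acts on a stale measurement
        fwd.append(u)                    # command leaves the control center
        x += fwd.popleft()               # ...and is applied after forward_delay
    return errors


def critical_gain(total_delay):
    """Largest stable gain for this loop with total_delay samples of round-trip
    latency (closed loop x[k+1] = x[k] + K*(r - x[k-d])); the poles reach the
    unit circle at K = 2*sin(pi / (2*(2d+1))), so every sample of delay shrinks
    the margin."""
    return 2 * sin(pi / (2 * (2 * total_delay + 1)))


def is_unstable(errors, blowup=10.0):
    """Compare the error envelope of the last quarter of the run with the
    quarter before it: a loop that has lost control keeps growing."""
    q = len(errors) // 4
    tail = max(abs(e) for e in errors[-q:])
    before = max(abs(e) for e in errors[-2 * q:-q])
    return tail > blowup and tail > before


if __name__ == "__main__":
    # Same controller and plant in every run; only the network latency changes.
    for fwd_d, bwd_d in [(0, 0), (1, 1), (2, 2)]:
        errs = simulate_scada_loop(forward_delay=fwd_d, backward_delay=bwd_d)
        print(f"fwd={fwd_d} bwd={bwd_d}: K=0.5 vs K_crit={critical_gain(fwd_d + bwd_d):.3f}, "
              f"final |error|={abs(errs[-1]):.3g}, unstable={is_unstable(errs)}")
```

With a total loop delay of 2 samples the gain of 0.5 still sits below the critical value (about 0.618) and the loop settles; at 4 samples the critical gain drops to about 0.347 and the same controller diverges.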
Cyber-Physical Risk Modeling & Mitigation Framework

[Figure: pipeline diagram spanning cyber aspects and physical aspects. Gather information: security logs, system event logs, file integrity logs, critical alerts, system health messages. Homogeneous correlation: correlate security event logs, system event logs and file integrity logs, each type separately. Heterogeneous correlation: correlate logs from substations and the control center, and correlate the different types of logs from control centers. Anomaly detection on the correlated output, with real-time monitoring responses. Impact analysis: cause and effect, what-if scenarios, extract potential evidence, formulate hypotheses. Decision making: preventive / remedial actions such as suspending suspicious users, changing user privilege roles, correcting voltage problems and relieving overloaded lines.]
Research Challenges
Real-time temporal and spatial correlations from substation-level and control center networks
Comprehensive validation using analytical and simulation studies, and test-bed evaluations, for directed and intelligent attacks
Integrated modeling of attacks and their impacts in terms of load loss, equipment damage, and economic loss
Relevant information from the geographically dispersed substation network about potential suspicious activities and intrusions, characterized in terms of severity
A comprehensive vulnerability assessment framework includes