
Post on 17-Jan-2018

Goals

• The DNP3 protocol is widely used in electrical power systems as a means of communicating observed sensor state information back to a control center. We show a simple but effective attack that blocks legitimate traffic by overflowing the event buffer inside a data aggregator, and investigate the attack by:

• Using a packet-based network simulation of the attack

• A Discrete Time Markov Chain (DTMC) model for understanding conditions under which the attack’s behavior

• Implementing the attack using real SCADA system hardware and software in the TCIPG lab, and validating the models

Research Results

• Implemented the buffer overflow attack against an SEL3351 data aggregator. The data aggregator periodically polls two slave devices. The compromised slave sends an excessive number of false alerts via unsolicited responses and successfully blocks the other device's alert event. The same test cases will be conducted on the SEL1102 and SEL3354 once they are in the TCIPG lab.

• Developed a full-stack DNP3 protocol running on top of both TCP and UDP in a discrete-event simulator, PacketSim. The DNP3 protocol is composed of a master service and an outstation service. SCADA devices such as control station, data aggregator and relay are represented as entities. Each entity has a master service or an outstation service or both.

• The DNP3 protocol in PacketSim currently supports the following actions:

  – A master device periodically polls the connected outstations.

  – An outstation sends unsolicited responses to its master.

  – A master sends control commands to an outstation, such as trip/close a relay.

Broader Impact

• Raise awareness of the existence of a very simple and effective flooding attack on real SCADA devices

• Provide a simulation platform for assessing security vulnerabilities and proposed countermeasures in a realistic large-scale setting

Fundamental Questions/Challenges

• How can an attacker effectively block situational awareness in a typical SCADA network using DNP3 by utilizing a compromised low-end slave device?

• When is the buffer overflow attack an actual attack? Can it be applied to many real devices?

• What are the countermeasures?

• How do we approach experimental design in the “security for power grid context”? What are the metrics? How best do we explore the design space?

Research Plan

• Configure the real SCADA device testbed in the TCIPG lab to form a typical architecture using DNP3 with a two-level hierarchy, where a data aggregator device receives observation state from field devices, and the control center obtains the aggregated state from the data aggregator

• Develop programs to send user-controlled unsolicited responses to the data aggregator

• Flood data aggregators with unsolicited responses in order to overflow the event buffer, and therefore block the pending alerts from normal field devices. The unsolicited response varies from one data point of single type to a group of data points of multiple types.

• Develop an analytical model using DTMC and queueing theory

• Develop a Möbius model and evaluate reward functions such as the rate at which legitimate alerts are lost, and the delay of alerts that survive the attack

• Develop a simulation model in a packet-based network simulator, and evaluate its accuracy and performance in large scale.
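As an added example (not part of the poster or of PacketSim), a small discrete-event simulation in Python of the aggregator's finite event buffer, using the poster's parameters λ1 (flooding rate), λ2 (data aggregator polling rate, taken here as the arrival rate of legitimate alerts) and μ (control station polling rate). It computes the two reward functions named above: the fraction of legitimate alerts lost and the mean delay of those that survive. The tail-drop policy, the buffer capacity, the periodic control station poll and all function and parameter names are assumptions.

```python
import random
from collections import deque

# Assumed parameter names: lam1 = flooding rate, lam2 = data aggregator polling rate
# (used here as the legitimate alert arrival rate), mu = control station polling rate.
def simulate_event_buffer(capacity, lam1, lam2, mu, horizon=5_000.0, seed=7):
    """Simulate the aggregator's finite event buffer under an unsolicited-response flood.

    Legitimate alerts (rate lam2) and flood alerts (rate lam1) arrive as Poisson
    processes; the control station polls every 1/mu time units and drains the whole
    buffer. Arrivals that find the buffer full are dropped (tail-drop assumption).
    Returns counts, the fraction of legitimate alerts lost and their mean delay.
    """
    rng = random.Random(seed)
    buf = deque()                      # queued events: (arrival_time, is_legitimate)
    next_legit = rng.expovariate(lam2)
    next_flood = rng.expovariate(lam1) if lam1 > 0 else float("inf")
    next_poll = 1.0 / mu
    legit_seen = legit_lost = 0
    delays = []
    while True:
        t = min(next_legit, next_flood, next_poll)
        if t > horizon:
            break
        if t == next_poll:             # control station poll empties the buffer
            while buf:
                arrived, legit = buf.popleft()
                if legit:
                    delays.append(t - arrived)
            next_poll += 1.0 / mu
        elif t == next_legit:          # alert from the normal relay
            legit_seen += 1
            if len(buf) < capacity:
                buf.append((t, True))
            else:
                legit_lost += 1        # buffer already full: legitimate alert is lost
            next_legit = t + rng.expovariate(lam2)
        else:                          # false alert from the compromised outstation
            if len(buf) < capacity:
                buf.append((t, False))
            next_flood = t + rng.expovariate(lam1)
    loss = legit_lost / legit_seen if legit_seen else 0.0
    mean_delay = sum(delays) / len(delays) if delays else 0.0
    return {"legit_seen": legit_seen, "legit_lost": legit_lost,
            "loss_fraction": loss, "mean_delay": mean_delay}

if __name__ == "__main__":
    for lam1 in (0.0, 5.0, 50.0):      # no flood, moderate flood, heavy flood
        print(lam1, simulate_event_buffer(capacity=20, lam1=lam1, lam2=1.0, mu=0.5))
```

Sweeping lam1 against a fixed capacity and poll period shows the threshold at which the flood turns from harmless into an effective block, which is the "when is it an actual attack" question the poster raises.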

Interaction with Other Projects

• Leverage PowerWorld for importing realistic power data

• Construct and numerically evaluate models using Möbius

Future Efforts

• Assess security vulnerabilities in the DNP3 protocol and DNP3 devices by utilizing the following tools:

  – Mu Dynamics 8000 (fuzz testing)

  – Triangle Microworks test harness (emulation)

  – PacketSim (simulation)

• Evaluate the DNP3 Security Authentication (DNP3 SA) protocol in terms of security and performance

• Further efforts in developing SCADA protocol and device models in a large-scale network simulator

Trustworthy Cyber Infrastructure for the Power Grid • www.tcipg.org • University of Illinois • Dartmouth College • Cornell University • UC Davis • Washington State University

An Alert Buffer Overflow Attack in DNP3 Controlled SCADA Systems

Kevin Jin and David Nicol

[Figure: Typical SCADA architectures using DNP3 with a two-level hierarchy. Relays (a Normal Relay and an Attacker) report to a Data Aggregator, which in turn reports to the Control Station. Model parameters: μ = control station polling rate, λ1 = flooding rate, λ2 = data aggregator polling rate.]