Goals
• The DNP3 protocol is widely used in electrical power systems as a means of communicating observed sensor state information back to a control center. We show a simple but effective attack that blocks legitimate traffic by overflowing the event buffer inside a data aggregator, and investigate the attack by:
• Using a packet-based network simulation of the attack
• A Discrete Time Markov Chain (DTMC) model for understanding conditions under which the attack’s behavior
• Implementing the attack using real SCADA system hardware and software in the TCIPG lab, and validating the models
Research Results
• Implemented the buffer overflow attack against the SEL3351 data aggregator. The data aggregator periodically polls two slave devices. The compromised slave sends an excessive number of false alerts via unsolicited responses and successfully blocks the other device’s alert event. The same test cases are to be run on the SEL1102 and SEL3354 once they are in the TCIPG lab.
• Developed a full DNP3 protocol stack running on top of both TCP and UDP in a discrete-event simulator, PacketSim. The DNP3 protocol is composed of a master service and an outstation service. SCADA devices such as the control station, data aggregator and relay are represented as entities. Each entity has a master service, an outstation service, or both.
• The DNP3 protocol in PacketSim currently supports the following actions:
A master device periodically polls the connected outstations.
An outstation sends unsolicited responses to its master.
A master sends control commands to an outstation, such as trip/close a relay.
Broader Impact
• Raise awareness of the existence of a very simple and effective flooding attack on real SCADA devices
• Provide a simulation platform for assessing security vulnerabilities and proposed countermeasures in a realistic large-scale setting
Fundamental Questions/Challenges
• How can an attacker effectively block awareness in a typical SCADA network using DNP3 by utilizing a compromised low-end slave device?
• When is the buffer overflow attack an actual attack? Can it be applied to many real devices?
• What are the countermeasures?
• How do we approach experimental design in the “security for power grid context”? What are the metrics? How best do we explore the design space?
Research Plan
• Configure the real SCADA device testbed in the TCIPG lab to form a typical architecture using DNP3 with a two-level hierarchy, where a data aggregator receives observation state from field devices and the control center obtains the aggregated state from the data aggregator
• Develop programs to send user-controlled unsolicited responses to the data aggregator
• Flood data aggregators with unsolicited responses in order to overflow the event buffer, and therefore block the pending alerts from normal field devices. The unsolicited response varies from one data point of a single type to a group of data points of multiple types.
• Develop an analytical model using DTMC and queueing theory
• Develop a Möbius model and evaluate reward functions such as rate at which legitimate alerts are lost, and the delay of alerts that survive the attack
• Develop a simulation model in a packet-based network simulator, and evaluate its accuracy and performance at large scale.
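To make the analytical model concrete, the following is an added example (not the authors’ published model or code) of a finite event-buffer chain: legitimate events (rate λ2) and flooding events (rate λ1) fill the aggregator’s event buffer, each control-station poll (rate μ) drains it, and an event arriving at a full buffer is dropped. The chain is uniformized into a DTMC and solved for its stationary distribution, giving the reward of interest, the long-run fraction of legitimate alerts lost; the buffer capacity and all rates are assumed values.

```python
"""Finite event-buffer model of a DNP3 data aggregator under unsolicited-response flooding.

Constructed model (not the authors' published one): state n = events queued (0..capacity);
legitimate events arrive at rate lambda2, attacker events at rate lambda1, a control-station
poll at rate mu empties the buffer, and an arrival at a full buffer is dropped. By PASTA the
fraction of legitimate alerts lost equals the stationary probability that the buffer is full.
"""

def transition_matrix(lambda1, lambda2, mu, capacity):
    """Uniformized DTMC P = I + Q/Lambda over states 0..capacity (Lambda = total event rate)."""
    arrival = lambda1 + lambda2
    uniform = arrival + mu                     # >= total outflow rate of every state
    n_states = capacity + 1
    P = [[0.0] * n_states for _ in range(n_states)]
    for n in range(n_states):
        if n < capacity:
            P[n][n + 1] += arrival / uniform   # one more event queued
        if n > 0:
            P[n][0] += mu / uniform            # control-station poll drains the buffer
        P[n][n] += 1.0 - sum(P[n])             # self-loop from uniformization (or a dropped event)
    return P

def stationary_distribution(P, tol=1e-12, max_iter=200_000):
    """Power iteration pi <- pi * P until the per-step change falls below tol."""
    n = len(P)
    pi = [1.0 / n] * n
    for _ in range(max_iter):
        nxt = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]
        diff = max(abs(a - b) for a, b in zip(pi, nxt))
        pi = nxt
        if diff < tol:
            break
    return pi

def legitimate_loss_fraction(lambda1, lambda2, mu, capacity):
    """Long-run fraction of legitimate alerts dropped because the event buffer is full."""
    pi = stationary_distribution(transition_matrix(lambda1, lambda2, mu, capacity))
    return pi[capacity]

if __name__ == "__main__":
    # Assumed rates (events per second): aggregator polling 0.5/s, control-station polling 1/s,
    # buffer capacity 10 events; sweep the flooding rate to see legitimate alerts being starved.
    for flood in (0.0, 5.0, 50.0):
        loss = legitimate_loss_fraction(flood, 0.5, 1.0, 10)
        print(f"flooding rate {flood:5.1f}/s -> legitimate alert loss {loss:.3f}")
```

Sweeping λ1 against μ and the buffer size in this way is how a defender can estimate how much polling headroom or buffer capacity keeps legitimate alert loss below an acceptable level.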
Interaction with Other Projects
• Leverage PowerWorld for importing realistic power data
• Construct and numerically evaluate models using Möbius
Future Efforts
• Assess security vulnerabilities in the DNP3 protocol and DNP3 devices by utilizing the following tools:
Mu Dynamics 8000 (Fuzz Testing)
Triangle Microworks test harness (Emulation)
PacketSim (Simulation)
• Evaluate the DNP3 Security Authentication (DNP3 SA) protocol in terms of security and performance
• Further efforts in developing models of SCADA protocols and devices in a large-scale network simulator
Trustworthy Cyber Infrastructure for the Power Grid • www.tcipg.org
University of Illinois • Dartmouth College • Cornell University • UC Davis • Washington State University
An Alert Buffer Overflow Attack in DNP3 Controlled SCADA Systems
Kevin Jin and David Nicol
[Figure: Typical SCADA architectures using DNP3 with a two level hierarchy. Devices shown: Relay, Data Aggregator, Control Station, with an Attacker and a Normal Relay among the field devices. Parameters: μ = Control Station Polling Rate, λ1 = Flooding Rate, λ2 = Data Aggregator Polling Rate.]