Protecting Power Grids from Cyber-Attacks: the INSPIRE approach
Salvatore D’Antonio
University of Naples “Parthenope”
Consorzio Interuniversitario Nazionale per l’Informatica (CINI)
6th ETSI Security Workshop
Sophia Antipolis, January 20, 2011


Setting up the scene

• Supervisory Control And Data Acquisition (SCADA) systems are rapidly moving from closed solutions towards IP-based integrated frameworks made of Commercial Off-The-Shelf (COTS) components and using shared networks and standard communication protocols
• This technological trend is bringing many advantages:
  – The availability of a large base of standard and well-known protocols
  – The possibility of using shared and interconnected networks to support distributed SCADA systems
  – The deployment of IP-based services and applications on top of SCADA systems


The other side of the coin

• Evidence is showing that Critical Infrastructures are exposed to cyber-security risks
  – Cyber-spies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system [Reuters]
  – IT guys of electric utility companies or of the Department of Homeland Security lose a lot of sleep over security exposure of their SCADA systems
• The shared communication network has become an obvious target for disrupting a SCADA infrastructure
  – An attacker may exploit a vulnerability of the wireless trunk of a SCADA communication infrastructure to prevent real-time delivery of SCADA messages
  – This would result in the loss of monitoring information or even of the ability to control entire portions of the SCADA system


INSPIRE overview

• Two-year small or medium-scale focused research project (STREP)
• Work programme topic addressed
  – Objective ICT-SEC-2007.1.7: Critical Infrastructure Protection (CIP)
• Start date:
  – November 1, 2008
• End date:
  – January 31, 2010


Objectives

• To analyze vulnerabilities which affect SCADA systems
• To design an architectural framework for SCADA systems monitoring, diagnosis and remediation
• To develop diagnosis and recovery techniques, suited for SCADA systems
• To implement traffic engineering algorithms to provide SCADA traffic with quantitative guarantees


A bird’s eye view of the INSPIRE framework

[Figure: framework diagram with blocks labelled Monitoring, Remediation, Diagnosis]


INSPIRE-International

• An international cooperation has been set up between INSPIRE and the NSF-supported project “GridStat” (www.gridstat.net) in the area of power grid protection
• GridStat is a novel publish-subscribe, QoS-managed middleware framework that has been designed to enhance the resilience of electric power grid’s communication network
• GridStat researchers are actively involved in the North American Synchrophasor Initiative (NASPI; www.naspi.org). Synchrophasors are considered to be a key new technology for helping power grids be more resilient, more efficient, etc.


Synchrophasor

• “A Phasor Measurement Unit (PMU) is a device that provides as a minimum synchrophasor and frequency measurements for one or more three phase AC voltage and/or current waveforms.”


Frequency monitoring system architecture

[Figure: architecture diagram; label: Power Grid]


Frequency ranges

FDR 604 (US) – 60 Hz, 110 V
FDR 808 (Italy) – 50 Hz, 220 V
FDR 809 (Germany) – 50 Hz, 220 V


Example of anomalies

60 -> 59.6, ∆ ~= 0.4
59.99 -> 59.95, ∆ ~= 0.04


OpenPDC

• Troubles with Windows 7 and .NET 4.0


SQL Injection over OpenPDC

    protected override void ProcessMeasurements(IMeasurement[] measurements)
    {
        foreach (IMeasurement measurement in measurements)
        {
            // Create the command string to insert the measurement as a record in the table.
            StringBuilder commandString = new StringBuilder("INSERT INTO Measurement VALUES ('");
            commandString.Append(measurement.SignalID);
            commandString.Append("','");
            commandString.Append((long)measurement.Timestamp);
            commandString.Append("',");
            commandString.Append(measurement.AdjustedValue);
            commandString.Append(')');

            MySqlCommand command = new MySqlCommand(commandString.ToString(), m_connection);
            command.ExecuteNonQuery();
        }

        m_measurementCount += measurements.Length;
    }


SQL Injection finding

• No sanitization of inputs
• No use of templates
• No integrity check of values coming from the devices
=> potentially vulnerable to SQL injections
• Possibility to compromise stored values
• Possibility to insert unexpected values
• …
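The findings on this slide correspond to two controls, reading "templates" as parameterised statements: bind measurement fields as parameters, and validate them before they reach the table. The block below is an added example, not code from the slides or from openPDC; it uses Python's standard sqlite3 module in place of C# and MySQL so that it runs offline, and the function names, table layout, sample records and the 5 Hz plausibility band are assumptions.

```python
import math
import sqlite3
import uuid

# Constructed sample records (signal id, timestamp ticks, value) as untrusted text
# from a device; BAD carries a quote and SQL text in the signal-id field.
GOOD = ("5d3f7a1e-9c2b-4e8a-b1f0-2a6c4d8e9f10", "634311072000000000", "59.95")
BAD = ("s1','0',0) --", "634311072000000000", "59.95")

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Measurement (SignalID TEXT, Timestamp INTEGER, Value REAL)")
    return db

def rows(db):
    return db.execute("SELECT SignalID, Timestamp, Value FROM Measurement").fetchall()

def insert_concatenated(db, rec):
    """Builds the statement by concatenation, like the slide's ProcessMeasurements."""
    sid, ticks, value = rec
    db.execute("INSERT INTO Measurement VALUES ('" + sid + "','" + ticks + "'," + value + ")")

def validate(rec, nominal_hz=60.0, band_hz=5.0):
    """Type and plausibility checks; the 5 Hz band is an assumed policy value."""
    sid, ticks, value = rec
    sid = str(uuid.UUID(sid))              # ValueError unless a well-formed GUID
    ticks, value = int(ticks), float(value)
    if ticks <= 0 or not math.isfinite(value) or abs(value - nominal_hz) > band_hz:
        raise ValueError("measurement outside plausible range")
    return sid, ticks, value

def insert_parameterised(db, rec, check=True):
    """Binds values as parameters, so they are never parsed as SQL text."""
    db.execute("INSERT INTO Measurement VALUES (?, ?, ?)", validate(rec) if check else rec)

def store_batch(db, records):
    """Stores valid records and returns the rejected ones for logging or alerting."""
    rejected = []
    for rec in records:
        try:
            insert_parameterised(db, rec)
        except ValueError:
            rejected.append(rec)
    db.commit()
    return rejected
```

With the concatenated insert, the BAD record is stored as a row whose timestamp and value are not the ones the record carried; with binding alone the odd signal id is stored literally, and with validation it is rejected before the insert.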


Future work

• Development of a new generation SIEM (Security Information and Event Management) framework for critical service infrastructures
  – Multi-level and multi-domain security event processing
  – Predictive security monitoring
  – Trustworthy and resilient event collection
• FP7 MASSIF project – www.massif-project.eu


More info: http://www.inspire-strep.eu

Coordinator: Salvatore D’Antonio


Thanks for your attention!