Protecting Power Grids from Cyber-Attacks: the INSPIRE approach
Salvatore D’Antonio
University of Naples “Parthenope”
Consorzio Interuniversitario Nazionale per l’Informatica (CINI)
6th ETSI Security Workshop
Sophia Antipolis, January 20, 2011
Setting up the scene
• Supervisory Control And Data Acquisition (SCADA) systems
are rapidly moving from closed solutions towards IP-based
integrated frameworks made of Commercial Off-The-Shelf
(COTS) components and using shared networks and standard
communication protocols
• This technological trend is bringing many advantages:
– The availability of a large base of standard and well-known
protocols
– The possibility of using shared and interconnected networks to
support distributed SCADA systems
– The deployment of IP-based services and applications on top
of SCADA systems
The other side of the coin
• Evidence is showing that Critical Infrastructures are exposed
to cyber-security risks
– Cyber-spies have penetrated the U.S. electrical grid and left behind
software programs that could be used to disrupt the system [Reuters]
– IT guys of electric utility companies or of the Department of Homeland
Security lose a lot of sleep over security exposure of their SCADA
systems
• The shared communication network has become an obvious
target for disrupting a SCADA infrastructure
– An attacker may exploit a vulnerability of the wireless trunk of a SCADA
communication infrastructure to prevent real-time delivery of SCADA
messages
– This would result in the loss of monitoring information or even of the
ability to control entire portions of the SCADA system
INSPIRE overview
• Two-year small or medium-scale focused
research project (STREP)
• Work programme topic addressed
– Objective ICT-SEC-2007.1.7: Critical Infrastructure
Protection (CIP)
• Start date:
– November 1, 2008
• End date:
– January 31, 2010
Objectives
• To analyze vulnerabilities which affect SCADA
systems
• To design an architectural framework for
SCADA systems monitoring, diagnosis and
remediation
• To develop diagnosis and recovery techniques,
suited for SCADA systems
• To implement traffic engineering algorithms to
provide SCADA traffic with quantitative
guarantees
A bird’s eye view of the INSPIRE framework
[Diagram: Monitoring, Remediation, Diagnosis]
INSPIRE-International
• An international cooperation has been set up between
INSPIRE and the NSF-supported project “GridStat”
(www.gridstat.net) in the area of power grid protection
• GridStat is a novel publish-subscribe, QoS-managed
middleware framework that has been designed to
enhance the resilience of electric power grid’s
communication network
• GridStat researchers are actively involved in the North
American Synchrophasor Initiative (NASPI;
www.naspi.org). Synchrophasors are considered to be a
key new technology for helping power grids be more
resilient, more efficient, etc.
Synchrophasor
• “A Phasor Measurement Unit (PMU) is a device that
provides as a minimum synchrophasor and
frequency measurements for one or more three
phase AC voltage and/or current waveforms.”
Frequency monitoring system architecture
[Diagram: Power Grid]
Frequency ranges
• FDR 604 (US) – 60 Hz, 110 V
• FDR 808 (Italy) – 50 Hz, 220 V
• FDR 809 (Germany) – 50 Hz, 220 V
Example of anomalies
• 60 -> 59.6, ∆ ~= 0.4
• 59.99 -> 59.95, ∆ ~= 0.04
OpenPDC
• Troubles with Windows 7 and .NET 4.0
SQL Injection over OpenPDC
protected override void ProcessMeasurements(IMeasurement[] measurements)
{
    foreach (IMeasurement measurement in measurements)
    {
        // Create the command string to insert the measurement as a record in the table.
        // The field values are concatenated directly into the SQL text.
        StringBuilder commandString = new
            StringBuilder("INSERT INTO Measurement VALUES ('");
        commandString.Append(measurement.SignalID);
        commandString.Append("','");
        commandString.Append((long)measurement.Timestamp);
        commandString.Append("',");
        commandString.Append(measurement.AdjustedValue);
        commandString.Append(')');
        MySqlCommand command = new MySqlCommand(commandString.ToString(),
            m_connection);
        command.ExecuteNonQuery();
    }
    m_measurementCount += measurements.Length;
}
SQL Injection finding
• No sanitization of inputs
• No use of templates
• No integrity check of values coming from the
devices
=> potentially vulnerable to SQL injections
• Possibility to compromise stored values
• Possibility to insert unexpected values
• …
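The three findings above, shown side by side as an added example (not from the slides and not openPDC code). It uses Python's built-in sqlite3 as an offline stand-in for the MySQL table; the UUID format for signal IDs, the 45 to 65 Hz plausibility band and all sample measurements are assumptions constructed for illustration.

```python
import math
import sqlite3
import uuid

BAND_HZ = (45.0, 65.0)  # assumed plausibility band covering 50 Hz and 60 Hz grids
ID = "5f0c1d2e-8a4b-4c6d-9e7f-001122334455"  # constructed signal ID

# Constructed sample measurements: (signal_id, timestamp_ticks, value_hz)
SAMPLES = [
    (ID, 634311648000000000, 59.95),         # well-formed reading
    (ID + "'", 634311648000000010, 59.96),   # stray quote in the identifier
    (ID, 634311648000000020, float("nan")),  # not a number
    (ID, 634311648000000030, 6000.0),        # numeric but physically implausible
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Measurement (SignalID TEXT, Timestamp INTEGER, Value REAL)")
    return db

def insert_concatenated(db, sid, ticks, value):
    """Mirrors the slide's construction: field text is spliced into the statement."""
    sql = "INSERT INTO Measurement VALUES ('" + sid + "','" + str(ticks) + "'," + str(value) + ")"
    try:
        db.execute(sql)
        return "stored"
    except sqlite3.Error:
        return "sql error"  # the field was parsed as SQL, not treated as data

def validate(sid, ticks, value):
    """Integrity check on device data; raises on anything unexpected."""
    sid = str(uuid.UUID(sid))  # canonical form, rejects non-UUID text
    if not isinstance(ticks, int) or ticks <= 0:
        raise ValueError("bad timestamp")
    if not math.isfinite(value) or not BAND_HZ[0] <= value <= BAND_HZ[1]:
        raise ValueError("value outside plausibility band")
    return sid, ticks, float(value)

def insert_checked(db, sid, ticks, value):
    """Validate first, then bind the values as parameters so they stay data."""
    try:
        row = validate(sid, ticks, value)
    except (ValueError, TypeError, AttributeError) as exc:
        return "rejected: " + str(exc)
    db.execute("INSERT INTO Measurement VALUES (?, ?, ?)", row)
    return "stored"

def run(insert):
    """Feed every sample through one insert routine; return outcomes and stored values."""
    db = open_db()
    outcomes = [insert(db, *m) for m in SAMPLES]
    return outcomes, db.execute("SELECT Value FROM Measurement").fetchall()
```

With the concatenated insert, two samples fail inside the SQL parser and the implausible 6000.0 reading is stored; with the checked insert, only the well-formed reading reaches the table.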
Future work
• Development of a new generation SIEM
(Security Information and Event Management)
framework for critical service infrastructures
– Multi-level and multi-domain security event
processing
– Predictive security monitoring
– Trustworthy and resilient event collection
• FP7 MASSIF project – www.massif-project.eu
More info
http://www.inspire-strep.eu
Coordinator: Salvatore D’Antonio
Thanks for your attention!