read this smart grid security
TRANSCRIPT
-
7/29/2019 READ THIS Smart Grid Security
1/117
SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM
SECURITY ISSUES AND COUNTER MEASURES
Raksha Sunku Ravindranath
B.E., Visveswaraiah Technological University, Karnataka, India, 2006
PROJECT
Submitted in partial satisfaction of
the requirements for the degree of
MASTER OF SCIENCE
in
COMPUTER ENGINEERING
at
CALIFORNIA STATE UNIVERSITY, SACRAMENTO
FALL
2009
SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM SECURITY ISSUES AND COUNTER MEASURES
A Project
by
Raksha Sunku Ravindranath
Approved by:
__________________________________, Committee Chair
Dr. Isaac Ghansah
__________________________________, Second Reader
Dr. Jing Pang
____________________________
Date
Student: Raksha Sunku Ravindranath
I certify that this student has met the requirements for format contained in the University format
manual, and that this project is suitable for shelving in the Library and credit is to be awarded for
the Project.
__________________________, Graduate Coordinator ________________
Dr. Suresh Vadhva Date
Department of Computer Engineering
Abstract
of
SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM
SECURITY ISSUES AND COUNTER MEASURES
by
Raksha Sunku Ravindranath
This project discusses security issues, countermeasures and research issues in the Supervisory
Control And Data Acquisition (SCADA) system. The SCADA system is used in the power sector for
controlling and monitoring industrial processes. The major components of a SCADA system are the
master terminal unit, the remote terminal unit and the communication link connecting them.
The protocols used on this communication link are DNP3 (Distributed Network Protocol version 3.0)
and Modbus. Vulnerabilities in these components lie in the policies, procedures, platforms and protocols
used. Countermeasures for these vulnerabilities include the deployment of firewalls and intrusion
detection systems, wrapping protocols in secure layers, and enhancing the protocol structure. Some of these
countermeasures do not provide complete security and hence require more research. A number
of issues that require more research are also recommended.
_______________________, Committee Chair
Dr. Isaac Ghansah
_______________________
Date
DEDICATION
Om Sai Ram
This project is dedicated to my lovely parents S.K. Ravindranath and Asha Ravindranath, my dear
brother Raghav Kishan S.R., and my inspirational grandparents Adinarayana Gupta and Latha
Gupta.
ACKNOWLEDGMENTS
It is a pleasure to thank everybody who helped me in successfully completing my Masters
Project.
First, my sincere thanks to my project supervisors, Dr. Isaac Ghansah, Professor, Computer
Science and Engineering, and Dr. Jing Pang, Associate Professor, Department of Electrical and
Electronic Engineering and Computer Engineering, for giving me an opportunity to work under
their guidance, and for providing me constant support throughout the project.
I am also very grateful to Dr. Suresh Vadhva, Graduate Coordinator, Department of Computer
Engineering, for his invaluable feedback and suggestions.
My special thanks to my friend Vinod Thirumurthy who helped me in reviewing this report.
I would like to take this opportunity to acknowledge and appreciate the efforts of California State
University, Sacramento for its facilities and providing a good environment for the students to
prosper in their academic life.
Last but not least, I would like to thank my parents, S.K Ravindranath and Asha Ravindranath,
and my brother Raghav Kishan S.R. for their moral and financial support. I am very grateful for
their continuous support and never ending encouragement that they have provided throughout my
life.
TABLE OF CONTENTS
Page
Dedication ...................................................................................................................................... v
Acknowledgments........................................................................................................................... vi
List of Tables ................................................................................................................................. xii
List of Figures ............................................................................................................................... xiii
List of Abbreviations ..................................................................................................................... xv
Chapter
1 INTRODUCTION ..................................................................................................................... 1
1.1 Introduction To SCADA .................................................................................................... 2
1.2 SCADA System Components And Functions .................................................................... 4
1.3 Literature Review ................................................................................................................ 7
1.4 Conclusion .......................................................................................................................... 9
2 SCADA SYSTEM REQUIREMENTS AND THREATS ....................................................... 10
2.1 Requirements In A SCADA System ................................................................................. 10
2.2 Threats To SCADA Network ............................................................................................ 13
3 MASTER TERMINAL UNIT AND REMOTE TERMINAL UNIT VULNERABILITIES
AND COUNTERMEASURES ................................................................................................ 16
3.1 Introduction ....................................................................................................................... 16
3.2 Vulnerabilities In The SCADA System ............................................................................ 17
3.2.1 Public Information Availability ............................................................................... 21
3.2.2 Policy And Procedure Vulnerabilities ...................................................................... 22
3.2.3 Platform Vulnerabilities ........................................................................................... 24
3.2.3.1 Platform Configuration Vulnerabilities......................................................... 24
3.2.3.1.1 Operating System Related Vulnerabilities ..................................... 25
3.2.3.1.2 Password Related Vulnerabilities ................................................. 25
3.2.3.1.3 Access Control Related Vulnerabilities ......................................... 26
3.2.3.2 Platform Software Vulnerabilities ................................................................ 26
3.2.3.2.1 Denial Of Service ............................................................................ 26
3.2.3.2.2 Malware Protection Definitions Not Current And Implemented
Without Exhausting Testing ........................................................... 27
3.3 Countermeasures For MTU And RTU Security Issues .................................................... 27
3.3.1 Counter measures For Policy And Procedure Vulnerabilities ................................ 28
3.3.2 Regular Vulnerability Assessments ........................................................................ 28
3.3.3 Expert Information Security Architecture Design .................................................. 29
3.3.4 Implement The Security Features Provided By Device And System Vendors ....... 29
3.3.5 Establish Strong Controls Over Any Medium That Is Used As A Backdoor Into
The SCADA Network ............................................................................................. 30
3.3.6 Implement Internal And External Intrusion Detection Systems And Establish
24-hour-a-day Incident Monitoring ........................................................................ 30
3.3.7 Conduct Physical Security Surveys And Assess All Remote Sites Connected
To The SCADA Network ....................................................................................... 31
3.3.8 Firewalls And Intrusion Detection System ............................................................. 31
3.3.9 Electronic Perimeter ................................................................................................ 32
3.3.10 Domain-Specific IDS ............................................................................................ 33
3.3.11 Creating Demilitarized Zones (DMZs) ................................................................ 34
3.3.12 Low Latency And High Integrity Security Solution Using Bump In The Wire
Technology For Legacy SCADA Systems .......................................................... 35
4 DISTRIBUTED NETWORK PROTOCOL 3 VULNERABILTIES AND
COUNTERMEASURES .......................................................................................................... 39
4.1 Introduction To SCADA Communication Network ........................................................ 39
4.2 Some General Vulnerabilities In SCADA Network ........................................................ 41
4.3 SCADA Communication Protocols ................................................................................. 42
4.4 DNP3 Protocol ................................................................................................................. 42
4.4.1 Introduction To DNP3 Protocol ............................................................................. 42
4.4.2 DNP3 Communication Modes ................................................................................ 44
4.4.3 DNP3 Network Configurations ............................................................................... 44
4.4.4 DNP3 Data Link Layer ........................................................................................... 46
4.4.5 DNP3 Protocol Layer - Pseudo Transport Layer ................................................... 48
4.4.6 DNP3 Protocol Layer - Application Layer ............................................................. 48
4.5 DNP3 Protocol Vulnerabilities And Attacks .................................................................. 50
4.6 Countermeasures For Enhancing DNP3 Security ........................................................... 55
4.6.1 Solutions That Wrap The DNP3 Protocols Without Making Changes To
The Protocols .................................................................................................... 55
4.6.1.1 SSL/TLS Solution .................................................................................... 56
4.6.1.2 IPSec (secure IP) Solution ....................................................................... 57
4.6.2 Enhancements To DNP3 Applications................................................................... 57
4.6.3 Secure DNP3 .......................................................................................................... 60
4.6.4 Distributed Network Protocol Version 3 Security (DNPSec) Framework............. 62
4.7 Comparison Of DNP3 Countermeasures ......................................................................... 65
5 MODBUS PROTOCOL VULNERABILITIES AND COUNTERMEASURES ................... 67
5.1 Introduction To Modbus Protocol .................................................................................... 67
5.2 Protocol Specifics ............................................................................................................ 69
5.3 Modbus Serial Protocol ................................................................................................... 71
5.4 Modbus TCP protocol ...................................................................................................... 72
5.5 Vulnerabilities And Attacks In Modbus Protocol ............................................................ 73
5.5.1 Serial Only Attacks .............................................................................................. 73
5.5.2 Serial And TCP Attacks ........................................................................................ 74
5.5.3 TCP Only Attacks ................................................................................................. 75
5.6 Countermeasures For Enhancing Modbus Security ......................................................... 76
5.6.1 Secure Modbus Protocol ........................................................................................ 76
6 RESEARCH ISSUES .............................................................................................................. 89
6.1 Performance Requirements Of SCADA Systems ............................................................ 89
6.2 Authentication And Authorization Of Users At The Field Substations ........................... 89
6.3 Enhancing The Security Of Serial Communication ......................................................... 90
6.4 Access Logs For The IEDs In Substations ..................................................................... 90
6.5 Attacks From Which Side Channel Information Can Be Obtained ................................. 90
6.6 Timing Information Dependency ..................................................................................... 91
6.7 Software Patches Update ................................................................................................. 91
6.8 Intrusion Detection Equipment For The Field Devices And The Control Systems ......... 92
6.9 Authentication Of The Users To Control System Equipment ......................................... 92
6.10 Legacy Systems With Limited Processing Power And Resources ................................ 92
6.11 Roles To Be Defined In The Control Center ................................................................. 93
7 CONCLUSION ........................................................................................................................ 94
7.1 Summary .......................................................................................................................... 94
7.2 Strengths and Weaknesses ............................................................................................... 96
7.3 Future Work ..................................................................................................................... 97
References ...................................................................................................................................... 98
LIST OF TABLES
Page
Table 3-1: List Of Potential And Present Vulnerabilities In MTU And RTUs.............................. 21
Table 4-1: Comparison Of Security Approaches ........................................................................... 59
Table 4-2: New Functions Codes Introduced To Support The Secure DNP3 Protocol ................. 62
Table 5-1: Functions Codes In A Modbus Protocol Frame ........................................................... 70
Table 5-2: Exceptions Functions Codes For Modbus Protocol ..................................................... 70
Table 5-3: Comparison Of Communication Latency ..................................................................... 83
Table 5-4: Comparison Of Packet Size .......................................................................................... 83
Table 5-5: Communication Latency With Modbus And Secure Modbus - Master Scan Rate Of
500ms And A Connection Timeout Of 1200ms ........................................................ 87
Table 5-6: Modbus/TCP And Secure Modbus/TCP Packets Size, Tested With
Different Functions ....................................................................................................... 87
Table 5-7: Communication Latency In The Different Communications Steps ............................. 88
LIST OF FIGURES
Page
Figure 1-1 : Conceptual Smart Grid Architecture ........................................................................... 2
Figure 1-2: SCADA An Integral Component Of Smart Grid .......................................................... 3
Figure 1-3: SCADA System Components ....................................................................................... 4
Figure 3-1: Security Vulnerabilities Pattern .................................................................................. 18
Figure 3-2: Interconnected SCADA Network ............................................................................... 20
Figure 3-3: Basic Functions Of SCADA Security Policy .............................................................. 28
Figure 3-4: Firewall And Intrusion Detection System Implementation Between Enterprise
And SCADA Control System ..................................................................................... 32
Figure 3-5: Electronic Perimeter Implementation In SCADA System .......................................... 33
Figure 3-6: Demilitarized Zones Architecture ............................................................................... 34
Figure 3-7: Model For Bump In The Wire Approach .................................................................... 35
Figure 3-8: (a) YASIR Transmitter (b) Communication Link (c) YASIR Receiver ..................... 37
Figure 4-1: Modern SCADA Communication Architecture .......................................................... 40
Figure 4-2: DNP3 Network Configurations ................................................................................... 45
Figure 4-3: Design Progression From OSI To DNP3 .................................................................... 46
Figure 4-4: DNP3 Protocol Data link Layer Frame Structure ....................................................... 47
Figure 4-5: DNP3 Pseudo-Transport Message Fields .................................................................... 48
Figure 4-6: DNP3 Application Message ........................................................................................ 50
Figure 4-7: Threat Categories For DNP3 ....................................................................................... 51
Figure 4-8: Protocol Stack (Gray-background protocols are secured alternatives) ....................... 56
Figure 4-9: Authentication Using Authentication Octets .............................................................. 58
Figure 4-10: Message Sequence In Challenge-Response Mode .................................................... 61
Figure 4-11: Message Flow In Aggressive Mode .......................................................................... 61
Figure 4-12: DNPSec Protocol Structure ....................................................................................... 63
Figure 4-13: DNPSec Request/Response Link Communications .................................................. 64
Figure 5-1: Modbus Protocol And ISO/OSI Model Comparison .................................................. 67
Figure 5-2: Modbus Communication Stack ................................................................................... 68
Figure 5-3: Modbus Protocol Frame Format ................................................................................. 69
Figure 5-4: Modbus Serial Architecture ........................................................................................ 71
Figure 5-5: Modbus TCP Architecture .......................................................................................... 72
Figure 5-6: Secure Modbus Application Data Unit ....................................................................... 78
Figure 5-7: Modbus Secure Gateway ............................................................................................ 79
Figure 5-8: Secure Modbus Module .............................................................................................. 81
Figure 5-9: SCADA Test bed Developed To Verify Secure Modbus Protocol ............................. 82
Figure 5-10: High Level Secure Survivable Architecture.............................................................. 85
Figure 5-11: Filtering Unit Prototype ............................................................................................ 86
LIST OF ABBREVIATIONS
SCADA: Supervisory Control and Data Acquisition
MTU: Master Terminal Unit
RTU: Remote Terminal Unit
DNP3: Distributed Network Protocol version 3
SSL: Secure Socket Layer
TLS: Transport Layer Security
PLC: Programmable Logic Controller
IED: Intelligent Electronic Device
LAN: Local Area Network
PSTN: Public Switched Telephone Network
DHS: Department of Homeland Security
CSSP: Control Systems Security Program
NCSD: National Cyber Security Division
INEEL: Idaho National Engineering and Environmental Laboratory
NERC: North American Electric Reliability Council
CIP: Critical Infrastructure Protection
NIST: National Institute of Standards and Technology
PCSRF: Process Control Security Requirements Forum
PCSF: Process Control System Forum
IDS: Intrusion Detection System
DNS: Domain Name Service
FERC: Federal Energy Regulatory Commission
DRP: Disaster Recovery Plan
DoS: Denial of Service
IEC: International Electrotechnical Commission
EPA: Enhanced Performance Architecture
CRC: Cyclic Redundancy Check
ICV: Integrity Check Value
HMAC: Hash-based Message Authentication Code
ASCII: American Standard Code for Information Interchange
PDU: Protocol Data Unit
MBAP: Modbus Application Protocol
NTP: Network Time Protocol
YASIR: Yet Another SecurIty Retrofit
BITW: Bump In The Wire
DMZ: Demilitarized Zone
Chapter 1
INTRODUCTION
Presently the electric industry consists of a more centralized, producer-controlled network. The
transformation of this network into a more decentralized and consumer-interactive network is the
smart grid [1]. The need for the smart grid has surfaced because the demand for power has been
increasing constantly. With the introduction of the smart grid, consumers will be empowered to
manage their energy usage in a more efficient and economical way. The smart grid will also
increase the productivity and efficiency of how power is delivered, as well as improving
power reliability [1].
In addition, smart grid technology allows us to overcome challenges such as increasing
power demand, aging utility infrastructure, and the environmental impact of greenhouse gases
produced during electricity generation. With the deployment of the smart grid, power can be used in a
more effective manner and the carbon content in the environment can be reduced drastically.
Another advantage is a reduction in the investment in primary equipment. Thus the main focus is to
make the grid more automated in order to provide the above functionalities. Figure 1-1 is a
conceptual architecture of the smart grid. The components named generators, central power plant and
isolated microgrid in the figure are all connected through a Supervisory Control and Data
Acquisition (SCADA) architecture [1].
Figure 1-1: Conceptual Smart Grid Architecture [30]
1.1 Introduction To SCADA
In addition to being used in electrical power systems, SCADA is also used in other critical
infrastructures such as oil and gas refining, water supply and transportation. Critical
infrastructures that do not necessarily use the SCADA system we are discussing here include
telecommunications, banking and finance, emergency services, etc. Clearly, critical infrastructure
is one of the most important factors supporting a nation's life. Figure 1-2 gives a high-level
view of the smart grid and shows where the SCADA system lies in it. The enterprise, control center,
field area network and substation are all part of the SCADA architecture [1].
Figure 1-2: SCADA As An Integral Component Of Smart Grid [29]
SCADA systems are widely deployed in critical infrastructure industries, where they provide
remote supervisory control. SCADA consists of automated processes developed to assist in
the management and control of the electrical power grid. SCADA consists of complex
interconnected controls, which adds to the challenge of delivering secure and reliable service. The basic
function of a SCADA system is to monitor and control the equipment that is responsible for
delivering power. Extended functionality of SCADA includes fault detection, equipment isolation and
restoration, load and energy management, automated meter reading, and substation control. The
SCADA systems used today by the utilities were developed and deployed many years ago. At that
time there was no internet and no public or private network. Hence, the only security threat was physical
destruction of the systems. With the introduction of equipment automation and deregulation,
SCADA systems needed to have some kind of interconnected network. The need for remote
connections to these control devices exposed the network to a completely new set of
vulnerabilities [2].
1.2 SCADA System Components And Functions
SCADA is a collection of independent systems that measure and report in real time on both local
and geographically remote distributed processes. It is a combination of telemetry and data
acquisition that enables a user to send commands to distant facilities and collect data from them.
Telemetry is a technique for transmitting and receiving data over a medium. Data acquisition
is a method of collecting data from the equipment being controlled and monitored. The layout
and functions of the SCADA system are discussed in this section [3].
Figure 1-3: SCADA System Components [4]
As shown in Figure 1-3, the fundamental components of the SCADA control system are the
master terminal unit, the communication network and the remote terminal units. The supervisory
control and monitoring station, also called the master terminal unit (MTU), consists of
an engineering workstation, a human machine interface, application servers, and a communications
router. The master terminal unit issues commands to distant facilities, gathers data from them,
interacts with other systems in the corporate intranet for administrative purposes, and interfaces
with human operators. The master terminal unit has full control over the distributed remote
processes. Commands from the MTU to distant facilities can be sent either manually using a
human machine interface or by automation [4].
A human machine interface program runs on the master terminal unit computer. This basically
consists of a diagram which mimics the whole plant, making it easier to relate it to the real
system. Every input/output point of the remote systems can be represented graphically, with the
current configuration parameters being displayed. Configuration parameters such as trip values
and limits can be entered on this interface. This information is communicated through the
network and downloaded onto the operating systems of the corresponding remote locations, which
update all the values. A separate window with a list of the alarms set up in the remote station
network can also be displayed. The window displays the alarm tag name, description, value, trip
point value, time, date and other important information. Trend graphs can also be displayed.
These graphs show the behavior of a certain unit by logging values periodically and displaying them
in a graph. If any abnormal behavior of the unit is seen, then the appropriate actions can be taken
at the right time [4].
The remote sites in Figure 1-3 are known as field sites. A field site basically consists of so-called
field instrumentation: devices that are connected to the equipment or machines
being controlled and monitored by the SCADA system. These devices include sensors to monitor
certain parameters and actuators for controlling certain modules of the system. Other devices at
the field sites are controllers, pulse generators, etc. [4].
These devices convert physical parameters into electrical signals which are readable by the remote
station equipment. The outputs can be read in either analog or digital form. Generally, voltage
outputs have fixed ranges such as 0 to 5 V or 0 to 10 V. Voltage levels are transmitted when sensors
are located close to the controllers, and current levels are transmitted when they are located far
from the controllers. A digital reading can be used to check whether the system has been enabled or
disabled, i.e. is in operation or out of operation. Actuators are used to send commands to the
equipment, i.e. to turn the equipment on and off [4].
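The HMI and field-instrumentation behaviour described above (scaling a 0-5 V or 0-10 V signal into engineering units, trip points entered on the HMI, the alarm window fields, and periodic trend logging) as a small added Python model; this is illustrative code written for this edition, not code from the report, and the tag names, signal ranges, sample readings, the range check on downloaded trip points and the trend threshold are all assumptions.

```python
# Added illustration (not code from the report): a minimal model of the point
# handling described in section 1.2. Tag names, ranges and readings are invented.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class AnalogPoint:
    """One analog input on an RTU: transmitter voltage range, the engineering
    units it maps onto, and the high trip point configured from the HMI."""
    tag: str
    description: str
    v_min: float      # transmitter output range, e.g. 0-5 V or 0-10 V
    v_max: float
    eu_min: float     # engineering-unit range that voltage span represents
    eu_max: float
    trip_high: float  # trip point downloaded from the HMI
    trend: List[float] = field(default_factory=list)  # periodic log for trend graphs

    def scale(self, volts: float) -> float:
        """Linear scaling of the transmitter voltage into engineering units.
        The reading is clamped to the configured range first, so a wiring fault
        (e.g. 12 V on a 0-10 V input) cannot yield an off-scale value."""
        volts = min(max(volts, self.v_min), self.v_max)
        fraction = (volts - self.v_min) / (self.v_max - self.v_min)
        return self.eu_min + fraction * (self.eu_max - self.eu_min)

    def set_trip_point(self, trip_high: float) -> None:
        """Apply a trip point entered on the HMI. Assumed validation: the value
        must lie inside the engineering range, otherwise the download is rejected
        instead of silently disabling the alarm."""
        if not (self.eu_min <= trip_high <= self.eu_max):
            raise ValueError(f"{self.tag}: trip point {trip_high} outside "
                             f"[{self.eu_min}, {self.eu_max}]")
        self.trip_high = trip_high


@dataclass
class Alarm:
    """The fields shown in the HMI alarm window described in the text."""
    tag: str
    description: str
    value: float
    trip_point: float
    time: str


def scan_analog(point: AnalogPoint, volts: float,
                now: Optional[datetime] = None) -> Optional[Alarm]:
    """One scan cycle: scale the raw reading, log it for trending and return an
    Alarm record if the trip point is exceeded, else None."""
    value = point.scale(volts)
    point.trend.append(value)
    if value > point.trip_high:
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        return Alarm(point.tag, point.description, value, point.trip_high, stamp)
    return None


def digital_state(bit: int) -> str:
    """A digital input only tells whether the unit is enabled or disabled."""
    return "ENABLED" if bit else "DISABLED"


def abnormal_trend(point: AnalogPoint, window: int = 3,
                   max_deviation: float = 20.0) -> bool:
    """Simple check behind a trend graph: flag the latest logged value if it
    departs from the mean of the previous `window` values by more than
    `max_deviation` engineering units. Thresholds are invented for the example."""
    if len(point.trend) < window + 1:
        return False
    previous = point.trend[-window - 1:-1]
    mean = sum(previous) / window
    return abs(point.trend[-1] - mean) > max_deviation


if __name__ == "__main__":
    # Constructed sample: a transformer oil temperature on a 0-10 V input
    # representing 0-150 degrees C, tripping above 95 degrees C.
    oil_temp = AnalogPoint("XFMR1_OILTEMP", "Transformer 1 oil temperature",
                           0.0, 10.0, 0.0, 150.0, 95.0)
    for volts in (5.0, 5.1, 4.9, 7.0):       # 75, 76.5, 73.5, 105 degrees C
        alarm = scan_analog(oil_temp, volts)
        if alarm:
            print(f"ALARM {alarm.tag}: {alarm.value:.1f} > {alarm.trip_point} "
                  f"at {alarm.time} ({alarm.description})")
    print("trend abnormal:", abnormal_trend(oil_temp))
    print("unit status:", digital_state(1))
```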
The field instrumentation just described is interfaced with a controller called a remote terminal
unit (RTU) or programmable logic controller (PLC). Both basically consist of a computer
controller which can be used for process manipulation at the remote site. They are interfaced
with the communication system connected to the master terminal unit (MTU). The PLC has very
good programmability features, while RTUs have better interfaces to the communication lines.
The advancement in this area is the merging of PLC and RTU to exploit both sets of features. Hence
the overall function of this architecture is that the MTU communicates with one or more remote
RTUs by sending requests for information that those RTUs gather from devices, or instructions to
take an action such as opening and closing valves, turning switches on and off, etc. [4].
An intelligent electronic device (IED) is a protective relay that communicates with the remote
terminal unit. A number of IEDs can be connected to an RTU. They are all polled and their data is
collected. IEDs also have a direct interface to control and monitor sensory equipment. IEDs have
local programming that allows them to act without commands from the control center. This makes
the RTU more automated, and even the amount of communication with the MTU is reduced [4].
The communication media used between the MTU and RTU vary from wired networks such as the public
switched telephone network to wireless or radio networks. The MTU and the administrative
systems are connected in a LAN (Local Area Network). On the communication medium between
the MTU and RTU, the most commonly used protocols are the Distributed Network Protocol (DNP3) and
Modbus. DNP3 is an open standard and a relatively new protocol. Older systems use the
Modbus protocol. DNP3 and Modbus have been adopted by a number of vendors which support
SCADA systems. Both the DNP3 and Modbus protocols have been extended to be carried over
TCP/IP. Also connected to the control system discussed above is an enterprise network. This
connectivity provides decision makers with access to real-time information and allows
engineers to monitor and control the control system [4].
The above architecture has a number of vulnerabilities. The MTU and RTUs are connected via the
internet, the public switched telephone network (PSTN), cable or wireless links. The most common
security issue in all of these communication networks is eavesdropping; wireless and internet links
are additionally prone to replay attacks, denial of service attacks and the like. Outside vendors,
consumers, and business partners can carry out attacks on this architecture since they are connected
to the enterprise network through the internet connection shown in figure 1-3. Hence these entities
have indirect access to the MTU, since the enterprise network is connected to the control system.
Remote stations have a communication interface which allows field operators to communicate via a
wireless protocol or remote modem to perform maintenance operations. These operations are
done using handheld devices; when an unauthorized person gets access to such a handheld device,
they could cause harm to the system. There are several more security issues in this architecture,
and they will be covered in this project [4].
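As an added illustration (not part of the original project), the following Python example encodes and decodes a Modbus/TCP "Write Single Coil" request exactly as the Modbus application protocol defines it. It shows why eavesdropping and replay are the first concerns on the MTU-RTU link: the frame carries the unit, function and coil address in the clear, with no authentication field, nonce or timestamp, so a captured frame re-sent by an attacker is indistinguishable from the MTU's original request. The transaction id, unit id and coil address are constructed sample values.

```python
import struct

# Modbus/TCP frame = 7-byte MBAP header + PDU (function code + data).
# MBAP: transaction id (2), protocol id (2, always 0), length (2, counts the
# unit id plus the PDU), unit id (1). There is no authentication field, no
# integrity check beyond TCP's own checksum, and no timestamp or nonce.
MBAP = struct.Struct(">HHHB")

WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}  # coil/register write functions


def build_write_single_coil(transaction_id, unit_id, coil_addr, on):
    """Encode a Write Single Coil request (function 0x05).

    The specification uses 0xFF00 for ON and 0x0000 for OFF."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_COIL, coil_addr, 0xFF00 if on else 0x0000)
    header = MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id)
    return header + pdu


def parse_modbus_tcp(frame):
    """Decode one Modbus/TCP frame into a dict; raise ValueError if malformed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[MBAP.size:]
    func = pdu[0]
    result = {"transaction_id": tid, "unit_id": unit, "function": func,
              "is_write": func in WRITE_FUNCTIONS}
    if func == WRITE_SINGLE_COIL and len(pdu) == 5:
        addr, value = struct.unpack(">HH", pdu[1:])
        result.update(coil=addr, value="ON" if value == 0xFF00 else "OFF")
    elif func == WRITE_SINGLE_REGISTER and len(pdu) == 5:
        addr, value = struct.unpack(">HH", pdu[1:])
        result.update(register=addr, value=value)
    return result


def replay_is_indistinguishable(captured, replayed):
    """True when the RTU would see the replayed bytes as the same command.

    Nothing in the frame binds it to an authorized sender or to a point in
    time, so a verbatim copy decodes to exactly the same request."""
    return parse_modbus_tcp(captured) == parse_modbus_tcp(replayed)


if __name__ == "__main__":
    # Constructed scenario: the MTU tells unit 1 to energize coil 7 (e.g. close a breaker).
    request = build_write_single_coil(transaction_id=0x1234, unit_id=1, coil_addr=7, on=True)
    print(request.hex())
    print(parse_modbus_tcp(request))
    # An eavesdropper on the PSTN, radio or IP path records the bytes and resends them later.
    captured = bytes(request)
    print("replay accepted as identical request:", replay_is_indistinguishable(request, captured))
```

Running it prints the 12-byte frame and its decoding; the point is that nothing in those bytes ties the request to an authorized sender or to a moment in time, which is what makes the eavesdropping and replay concerns above concrete.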
1.3 Literature Review
In this section, we discuss work done on SCADA systems by other organizations and various
ways in which they are looking at security issues.
Critical infrastructure protection is of prime importance since it directly affects the citizens.
The Department of Homeland Security (DHS) is responsible for infrastructure protection [5]. DHS
formed security programs, among them the Control Systems Security Program (CSSP) of the National
Cyber Security Division (NCSD), whose main task is identifying, analyzing, and reducing cyber risks
in control systems.
The Idaho National Engineering and Environmental Laboratory (INEEL), along with Sandia
National Laboratories, has created a SCADA test bed. The test bed consists of a functional power
grid and a wireless test bed, and it is used to validate developed protocols before
deploying them into the real environment. The Center for SCADA Security has been formed at Sandia
National Laboratories, where research, training, red teaming, and standards development take place.
Researchers at Sandia recently developed and published a SCADA Security Policy Framework
[6] which ensures that all critical topics are adequately addressed by a specific policy.
Standards bodies such as NIST (National Institute of Standards and Technology) and NERC
(North American Electric Reliability Council) also work on addressing control system
security. NERC has finalized cyber security standards [7] that establish the requirements for
security management programs, electronic and physical protection, incident reporting, and
recovery plans, and NIST, through its Process Control Security Requirements Forum (PCSRF), has
defined a set of common security requirements for existing and new control systems in various
industries [8] [9].
The Process Control Systems Forum (PCSF), founded in February 2005, has a mission to accelerate the
design, development, and deployment of more secure control and legacy systems that are crucial
to securing critical infrastructures. Many more organizations carry out research on securing
SCADA systems. This project covers present and potential security issues in the SCADA
system. It also discusses a few countermeasures which have been verified on the test beds developed
by some of the above organizations [5].
1.4 Conclusion
SCADA architecture facilitates the smart grid in meeting its goals in a number of ways. For instance,
suppose the power requirement of an industrial area is at its peak during the daytime and much
lower during the night. In this case the utility can signal the SCADA network in
the power generation units to reduce the amount of power generated during the down times. This
results in better utilization of power and a reduction of greenhouse gas emissions and carbon content in
the environment. Because hackers and disgruntled employees can also send such a signal to the
SCADA network, potentially causing instabilities in the power grid, or send false signals, it is
important to research the security issues in the SCADA architecture so that they can be corrected.
The core of this project is to understand the SCADA architecture and find the current and
potential security vulnerabilities. The project also covers the countermeasure techniques that can
be applied to combat these security issues. Research issues that still need to be explored are also
discussed. Chapter 2 describes the requirements of a SCADA system and the
threats to it. Chapter 3 discusses master terminal unit and remote
terminal unit security issues and countermeasures. Chapters 4 and 5 discuss security issues and
countermeasures for the DNP3 and Modbus communication protocols. Chapter 6 discusses the
research issues that still need more work in order to provide good security. Chapter 7 gives the
conclusion, strengths, weaknesses and future work.
Chapter 2
SCADA SYSTEM REQUIREMENTS AND THREATS
This chapter discusses the various requirements of a SCADA system that need to be satisfied
while developing security solutions. The threats faced by the SCADA system are also listed in
this chapter.
2.1 Requirements In A SCADA System
In order to find the security concerns in the present SCADA system and also to develop security
measures, it is important to learn about the requirements of a SCADA system [10]. The following
is a list of considerations when looking into the security of a SCADA system:
1. Some sections of the SCADA network are time critical systems. They can tolerate an acceptable
amount of delay and jitter, but if those bounds are not met the operation of the network may be
hampered. A few sections of the architecture also need deterministic inputs; an example of a
deterministic system is a digital system whose input values can only be 0 or 1, i.e. turn the
system on or off. These performance requirements are essential for the normal operation of the
network [10].
2. The availability of the SCADA system is extremely important. Its components should respond in a
timely manner so that the processes, which are continuous in nature, are not hampered.
Unexpected outages of these systems are not acceptable in an industrial control system,
because they cause a chain reaction that disturbs a whole set of operating processes
and can bring down the system. To make sure that such an incident does not occur,
it is important to carry out the pre-deployment testing essential to ensure high availability
of the system. When unexpected outages occur, many control systems cannot be easily
stopped and started without affecting production. In some cases, the products being
produced or the equipment being used is more important than the information being relayed.
Therefore, strategies like rebooting the system would not be acceptable in some situations
because it may adversely affect the requirements of high availability, reliability and
maintainability of the SCADA system. One way to solve this is to have redundant
components installed and running in parallel, so that they provide continuity when some
of the primary components are unavailable. Another advantage of this strategy is that
updating and maintaining the primary system can also be carried out, since the redundant
system can take over its functions for a period of time [10].
3. One of the most important requirements in any industrial system is managing risk. Human or
personnel safety is of primary importance. Safety and fault tolerance are
essential to prevent loss of life, endangerment of public health or confidence, loss of
equipment, loss of intellectual property, and damage to products. Complying with regulatory
terms and conditions helps to satisfy the above concerns to a great extent. Also, the
personnel who operate and maintain the SCADA system must understand the link
between safety and security. The personnel need to understand when security can be
compromised in order to provide safety [10].
4. In a conventional IT system the priority is to protect the information, whether it is stored
centrally or distributed. In a SCADA system, the information stored and processed at the edge also
needs careful protection: remote devices such as PLCs and RTUs are directly
responsible for controlling the end processes. At the same time it is equally
important to secure the SCADA system's central server, because if it were compromised, the
edge devices would be affected as well [10].
5. A SCADA system comprises many complex interactions, and these translate into physical events.
Consequently, all security functions integrated into the SCADA system must be tested (e.g., off-line
on a comparable SCADA system) to prove that they do not compromise normal SCADA functionality
[10].
6. Time critical responses on a SCADA system should be handled carefully. A requirement of
password authentication on the human machine interface might interfere with the actions
that need to be taken, for instance during emergencies. At the same time, information flow
must not be interrupted or compromised. Because of this, access to these systems should
mainly be restricted by physical security controls [10].
7. There are many resource constraints in SCADA systems. Real time operating systems are often
constrained systems with limited computational and memory resources, which makes it difficult to
add many security features. Retrofitting new security capabilities consumes those resources and
might slow down the systems, thereby failing the requirement of time criticality. Another concern is
that third party security solutions introduced into the SCADA architecture might
clash with the vendor license agreement and hence result in loss of support for that
equipment from the vendor [10].
8. Maintaining the integrity of the SCADA system is of paramount importance. For example, unpatched
software represents one of the greatest vulnerabilities to a system, yet because of the nature of a
SCADA system it is very hard to update the software regularly. A number of steps need to be carried
out before an update can be applied to the system. Thorough testing of updates needs to be done in
an environment which emulates the industrial process system. Backup systems can be configured so
that they replace the primary systems during these updates. Revalidation of the updates must be
carried out before deploying them into the network. Sometimes the operating system might no longer
be supported by the vendor, and hence patches may not be available for such systems. These update
considerations also apply to firmware and hardware. This is one example of where the integrity of
the system might be compromised; hence such changes must be thoroughly assessed by engineers with
expertise in those areas before being applied [10].
9. The lifetime of the components used in SCADA is often in the order of 15-20 years, and the
technology used has been developed for very specific uses. Hence, when adding security features,
care should be taken to ensure they remain effective and available over the entire operational
lifetime of the components [10].
2.2 Threats To SCADA Network
There are a number of threats to the SCADA network; they can be classified into the following
categories [10].
Attackers: Many attackers break into networks not to cause intentional harm but to explore
their hacking capabilities. Attack scripts are available on the internet for free and
can be used to attack the network, so even an attacker without significant
knowledge or skill can cause real harm. Isolated attempts by one or a few such people may not
threaten the network, but harm is more likely when a large number of people are involved.
Since attack tools are readily available and have become so easy to use, they pose a significant
threat to the SCADA network: they can cause a brief disruption of normal operation that
results in serious damage [10].
worms which are spread in the network and cause harm to files and hard drives can result
in very serious impact [10].
Terrorist Groups: These groups can cause harm to such a large extent that it disrupts the daily
life of people. They seek to destroy, incapacitate, or exploit the network in order to threaten
national security, cause deaths, weaken the economy, and damage public morale and confidence.
They use strategies such as causing harm to one system to divert attention and then attacking
other systems which are not being watched at that time [10].
Chapter 3
MASTER TERMINAL UNIT AND REMOTE TERMINAL UNIT VULNERABILITIES AND
COUNTERMEASURES
3.1 Introduction
SCADA systems now work within the corporate environment, though they were originally designed to
operate as isolated units. The core intention of the control system design was operational
efficiency rather than security. Another commonly observed practice among SCADA providers is remote
access to perform routine maintenance jobs, and the communication protocols of SCADA are designed
with minimal security features. These design and behavioral patterns are the reasons for
the security weakness of the SCADA system. Such vulnerabilities in a critical infrastructure
make it very susceptible to cyber attacks: adversaries can identify these
vulnerabilities and execute attacks. The effects of those attacks and their consequences are
discussed below [10].
Physical impacts: Physical impacts are the direct consequences of SCADA
misoperation. The potential effects of paramount importance include personal
injury or loss of life. Other effects include the loss of property (including data)
or damage to the environment.
Economic impacts: Economic impacts follow a physical impact from a cyber
intrusion. The ripple effect of a physical impact could in turn cause severe
economic loss to the facility or companies involved. A bigger impact would be a
negative effect on the local, national or even the global economy.
Social impact: The consequence of physical and economic damage would be
loss of public and national confidence in the organization. This is
generally overlooked; however it is a very real target and one that can be
achieved through cyber attacks. Social impacts may possibly lead to
heavily depressed public confidence or the rise of popular extremism.
Because of the prevalent security threats and the magnitude of their consequences,
various organizations are carrying out study and research to combat attacks on SCADA, with the
intention of making a more secure SCADA system for the future. In the following sections, the
master terminal unit and remote terminal unit platform vulnerabilities will be discussed,
along with how these loopholes are introduced and the effects of exploiting them.
3.2 Vulnerabilities In The SCADA System
Figure 3-1 shows the pattern of reported security vulnerabilities from 1995 to the first half of
2003. The exponential increase in vulnerabilities is attributed to the increased accessibility of
SCADA systems to the outside world [4].
Figure 3-1: Security Vulnerabilities Pattern [4]
Source: GAO analysis based on Carnegie-Mellon University's CERT Coordination Center data
A general misconception about the SCADA system is that "the SCADA system resides on a
physically separate, standalone network" [11]. Historically, most SCADA systems were
built before the other components of the network and were separate from the rest of the network,
which has led IT managers to believe that these systems cannot be accessed from the
corporate network or from a remote access point. Unfortunately, this belief is usually fallacious.
In reality the SCADA network and the corporate network are more often bridged (Figure 1-3) due to
recent changes in information management practices. The two changes that play a key role are
discussed below.
The first change is the growing demand for remote access computing, which has
encouraged many utilities to establish connections to the SCADA system that
enable SCADA engineers to remotely monitor and control the system from
points on the corporate network [11].
The second reason is information access to assist corporate decision making. Many
utilities have allowed corporate connections to the SCADA systems, as this makes
instant access to critical information and operational status easier for
higher management and corporate decision making processes [11].
The second false belief that is widespread about the SCADA system is that "connections between
SCADA systems and other corporate networks are protected by strong access control" [11]. Many of
the interconnections between corporate networks and SCADA systems require the integration of
systems with different communication standards. This results in an infrastructure that is
engineered to move data successfully between two unique systems. The complexity arising from
integrating disparate systems overshadows the need to address the security risks that accompany
such network arrangements. As a result, access controls designed to protect SCADA systems
from unauthorized access through corporate networks are usually minimal, mainly because
network managers often overlook key access points connecting these networks.
Strategic use of internal firewalls and intrusion detection systems (IDS), coupled with strong
password protection, is highly recommended [11].
The third misconception is that "SCADA systems require specialized knowledge, making it difficult
for network intruders to access and control the SCADA system" [11]. Behind this
misconception is an assumption that intruders need to possess in-depth knowledge about the
SCADA design and implementation. These assumptions are inappropriate in the current utility
environment, which is highly interconnected and vulnerable to cyber attacks. Figure 3-2 below
shows the highly interconnected SCADA network.
Figure 3-2 : Interconnected SCADA Network [33]
Utility companies, being one of the key components of the nation's critical infrastructure, are a
hot target for cyber terrorists as opposed to disorganized hackers. These attackers are highly
motivated and well funded, and may very well have insider knowledge about the system. Further, a
well-equipped attacker whose sole intention is to disrupt the operation of the SCADA system will
gain a detailed understanding of the SCADA system and its vulnerabilities by any means.
The following sections list the various vulnerabilities of the SCADA system. Some of those listed
are already present in the SCADA system while others are potential vulnerabilities.
Table 3-1 lists the vulnerabilities and shows whether they are already present in the system or are
potential vulnerabilities.
Vulnerability                             Potential / currently present in SCADA system
Public Information Availability           Present vulnerability
Policy and Procedure vulnerabilities      Potential vulnerability
Platform Configuration vulnerabilities    Potential vulnerability
Table 3-1: List Of Potential And Present Vulnerabilities In MTU And RTUs
3.2.1 Public Information Availability
Often, too much information about a utility company's corporate network is easily available
through routine public queries. This information can be used to initiate a more focused attack
against the network [11]. Examples of this vulnerability are listed below:
Websites often provide data useful to network intruders about company structure, employee
names, e-mail addresses, and even corporate network system names.
Domain name service (DNS) servers permit zone transfers, providing IP addresses, server
names, and e-mail information.
The availability of this infrastructure and vulnerability data was demonstrated, as reported in
[4], by a George Mason University graduate student, whose dissertation reportedly mapped every
business and industrial sector in the American economy to the fiber optic network that connects
them, using material that was available publicly on the Internet, none of which was classified.
Many of the electric utility officials who were interviewed for the National Security
Telecommunications Advisory Committee's Information Assurance Task Force's Electric Power
Risk Assessment expressed concern over the amount of information about their infrastructure that
is readily available to the public.
In the electric power industry, open sources of information, such as product data and educational
videotapes from engineering associations, can be used to understand the SCADA of the electrical
grid. Other publicly available information, including filings of the Federal Energy Regulatory
Commission (FERC), industry publications, maps, and material available on the Internet, is
sufficient to allow someone to identify the most heavily loaded transmission lines and the most
critical substations in the power grid [11].
In addition, significant information on control systems is publicly available, including design
and maintenance documents, technical standards for the interconnection of control systems and
RTUs, and standards for communication among control devices, all of which could assist
hackers in understanding the systems and how to attack them. Moreover, there are numerous
former employees, vendors, support contractors, and other end users of the same equipment
worldwide with inside knowledge of the operation of control systems [11].
3.2.2 Policy And Procedure Vulnerabilities
Some of the potential vulnerabilities in the SCADA system, as discussed by NIST (National
Institute of Standards and Technology) in its Guide to Industrial Control Systems (ICS) Security,
are listed below [10].
1. Inadequate security policy for the SCADA: Vulnerabilities are often introduced into SCADA due to
inadequate policies or the lack of policies specifically for control system security [10].
2. No specific or documented security procedures were developed from the security policy for the
SCADA: Specific security procedures should be developed and employees trained for the SCADA. They
are the roots of a sound security program [10].
3. Absent or deficient SCADA equipment implementation guidelines: Equipment implementation
guidelines should be kept up to date and readily available. These guidelines are an integral part
of security procedures in the event of a SCADA malfunction [10].
4. Lack of administrative mechanisms for security enforcement: Staff responsible for enforcing
security should be held accountable for administering documented security policies and procedures
[10].
5. No formal SCADA security training and awareness program: A documented formal security training
and awareness program is designed to keep staff up to date on organizational security policies and
procedures as well as industry cyber security standards and recommended practices. Without
training on specific SCADA policies and procedures, staff cannot be expected to maintain a secure
SCADA environment [10].
6. Inadequate security architecture and design: Control engineers have historically had minimal
training in security, and until relatively recently vendors have not included security features in
their products [10].
7. Few or no security audits on the SCADA: Independent security audits should review and examine
a system's records and activities to determine the adequacy of system controls and ensure
compliance with established SCADA security policy and procedures. Audits should also be used to
detect breaches in SCADA security services and recommend changes, which may include making
existing security controls more robust and/or adding new security controls [10].
8. No SCADA specific continuity of operations or disaster recovery plan (DRP): A DRP should be
prepared, tested and available in the event of a major hardware or software failure or destruction
of facilities. Lack of a specific DRP for the SCADA could lead to extended downtimes and
production loss [10].
9. Lack of SCADA specific configuration change management: A process for controlling
modifications to hardware, firmware, software, and documentation should be implemented to ensure
a SCADA system is protected against inadequate or improper modifications before, during, and after
system implementation. A lack of configuration change management procedures can lead to security
oversights, exposures, and risks [10].
3.2.3 Platform Vulnerabilities
3.2.3.1 Platform Configuration Vulnerabilities
Earlier SCADA hardware, software, and network protocols were proprietary and not made
publicly accessible, making it more difficult for hackers to attack the system since they did not
have knowledge about it. However, growing competition and the drive to perform better and reduce
cost have led organizations to make a transition from proprietary systems to
standardized technologies such as Microsoft Windows, UNIX operating systems and the common
networking protocols used by the internet. As a consequence of using standardized solutions, there
is an increased number of people with the knowledge to wage attacks. The following is a list of
vulnerabilities that could be potential threats to the SCADA platform configuration [10].
3.2.3.1.1 Operating System Related Vulnerabilities
Since standard operating systems can be used off the shelf, they are a viable solution for
organizations in terms of cost. However, there are numerous known vulnerabilities associated with
these standard operating systems, and a customized operating system configuration is needed to meet
the complexity of the SCADA system. Developing patches to the standard operating system that meet
SCADA requirements might take a considerable amount of time, and during the period in which the
patch is being developed, the SCADA system running just the standard OS is open to attack.
These patches must go through exhaustive testing before they are deployed in the system, or else
they may compromise the normal operation of the SCADA. A further problem is that critical
configurations are often not stored or backed up; therefore, in case of an emergency or outage,
these systems cannot be restored with the same secured configurations [10].
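The configuration change management requirement from section 3.2.2 (item 9) and the un-backed-up critical configurations mentioned above share the same minimal technical control: a stored baseline of each device's configuration, with a cryptographic hash per file, that can be compared against the running configuration to detect undocumented changes and used to restore a known-good state. The following Python example is added here to illustrate that control; it is not code from the project or from any vendor. The directory layout, file names and contents (an RTU point map and an access list) are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large firmware images are fine too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(config_dir):
    """Map every file under config_dir (relative path) to its SHA-256."""
    baseline = {}
    for root, _dirs, files in os.walk(config_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            baseline[os.path.relpath(full, config_dir)] = sha256_file(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare_to_baseline(config_dir, baseline):
    """Report files whose hash changed, files that appeared, and files that vanished."""
    current = build_baseline(config_dir)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline an RTU's configuration, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "rtu01")
        os.makedirs(cfg)
        with open(os.path.join(cfg, "points.cfg"), "w") as f:
            f.write("coil 7 = breaker_52A\n")
        with open(os.path.join(cfg, "access.cfg"), "w") as f:
            f.write("operator = read,control\nadmin = read,control,configure\n")
        baseline_path = os.path.join(d, "rtu01.baseline.json")
        save_baseline(build_baseline(cfg), baseline_path)

        # Undocumented changes: operator quietly granted configure rights and a
        # debug file enabling telnet dropped in, both outside change control.
        with open(os.path.join(cfg, "access.cfg"), "a") as f:
            f.write("operator = read,control,configure\n")
        with open(os.path.join(cfg, "debug.cfg"), "w") as f:
            f.write("telnet = on\n")

        return compare_to_baseline(cfg, load_baseline(baseline_path))


if __name__ == "__main__":
    print(demo())
```

The baseline file is the artifact that must itself be stored off the device and protected, since an attacker who can edit both the configuration and the baseline defeats the check; in practice it is taken at each approved change and the comparison is run on a schedule and before any restoration.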
3.2.3.1.2 Password Related Vulnerabilities
The common password vulnerabilities (some of which might not apply to SCADA) are the lack of an
adequate password policy, password disclosure, and password guessing. Password policies define when
passwords need to be used, how strong they must be and how they must be maintained. Password
disclosure relates to passwords not being kept confidential. Password guessing relates to the
vulnerabilities introduced into the system when poorly chosen passwords are used.
Some of the above might be potential vulnerabilities in the SCADA system. For example, if systems do
not have appropriate passwords then they could provide unauthorized access to the system;
therefore a password policy is required. Some of the potential vulnerabilities in the SCADA system
with respect to password disclosure are the use of unencrypted passwords and the sharing of
passwords. The policy should make sure that passwords maintain their confidentiality [10].
Potential vulnerabilities can also be introduced into the system when passwords are poorly
chosen, default passwords are used, or passwords are not changed over a period of time.
Passwords must be implemented on all SCADA components, but at the same time it should be ensured
that password authentication does not hamper emergency actions [10].
Some of the methods to combat these issues are the use of biometrics, which authenticate
personnel by retinal scanning, fingerprint scanning, voice recognition, etc. If all
these critical systems were kept in a secure enclosure equipped with cameras, video
surveillance could track all the activities [10].
3.2.3.1.3 Access Control Related Vulnerabilities
Inadequately specified access control results in SCADA users having too many or too few
privileges. The following exemplify each case. Consider a system that is configured with default
access control settings; this gives any operator system administrative privileges. In the second
scenario, a system which is improperly configured could leave an operator without enough access
rights to take corrective actions in an emergency [10].
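Both failure modes above, together with the emergency-response concern from requirement 6 in section 2.1, can be made concrete with a small role-based access model. The Python example below is added here as an illustration; it is not the project's own code and is not modeled on any particular HMI product. The role names, action names and the two configurations are assumptions for the example. `audit_access_config` flags a default role that hands administrative actions to any unlisted user (too many privileges) and an operator role that cannot issue an emergency trip (too few), while `authorize` enforces the hardened model and lets the emergency action through without re-authentication but always records it.

```python
from dataclasses import dataclass, field

# Constructed action vocabulary for the example (assumption, not from any product).
OPERATIONAL = {"read_points", "ack_alarm", "control_breaker", "emergency_trip"}
ADMINISTRATIVE = {"manage_users", "change_config", "install_software"}


@dataclass
class AccessConfig:
    roles: dict            # role name -> set of permitted actions
    users: dict            # user name -> role name
    default_role: str      # role applied to any user missing from `users`
    operator_roles: set    # roles that are expected to run the process


@dataclass
class Session:
    user: str
    authenticated: bool
    audit: list = field(default_factory=list)


class AccessDenied(Exception):
    pass


def authorize(cfg, session, action, emergency=False):
    """Allow `action` for `session` or raise AccessDenied. Every decision is logged.

    Emergency trips are a break-glass path: an operator whose role holds the
    right is not asked to re-authenticate (authentication must not delay an
    emergency response), but the action is still recorded for later review."""
    role = cfg.users.get(session.user, cfg.default_role)
    allowed = cfg.roles.get(role, set())
    if emergency and action == "emergency_trip" and action in allowed:
        session.audit.append((session.user, action, "allow", "emergency"))
        return True
    if not session.authenticated:
        session.audit.append((session.user, action, "deny", "unauthenticated"))
        raise AccessDenied(f"{session.user} is not authenticated")
    if action not in allowed:
        session.audit.append((session.user, action, "deny", role))
        raise AccessDenied(f"{session.user} ({role}) may not {action}")
    session.audit.append((session.user, action, "allow", role))
    return True


def audit_access_config(cfg):
    """Findings for the two failure modes in the text: too many and too few privileges."""
    findings = []
    default_perms = cfg.roles.get(cfg.default_role, set())
    if default_perms & ADMINISTRATIVE:
        findings.append(f"default role '{cfg.default_role}' hands administrative actions to any unlisted user")
    for role, perms in cfg.roles.items():
        if perms & ADMINISTRATIVE and perms & {"control_breaker", "emergency_trip"}:
            findings.append(f"role '{role}' mixes administrative and operational control")
    for role in sorted(cfg.operator_roles):
        if "emergency_trip" not in cfg.roles.get(role, set()):
            findings.append(f"operator role '{role}' cannot issue emergency_trip")
    return findings


# Weak configuration: shipped defaults. Unknown users fall through to admin,
# admin can also operate the process, and the operator role is too narrow.
WEAK_CONFIG = AccessConfig(
    roles={"admin": OPERATIONAL | ADMINISTRATIVE,
           "operator": {"read_points", "ack_alarm"}},
    users={"alice": "operator"},
    default_role="admin",
    operator_roles={"operator"},
)

# Hardened configuration: least privilege per role, unknown users get read-only.
HARDENED_CONFIG = AccessConfig(
    roles={"viewer": {"read_points"},
           "operator": OPERATIONAL,
           "admin": ADMINISTRATIVE | {"read_points"}},
    users={"alice": "operator", "bob": "admin"},
    default_role="viewer",
    operator_roles={"operator"},
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_access_config(cfg) or "no findings")
    s = Session("alice", authenticated=False)
    print(authorize(HARDENED_CONFIG, s, "emergency_trip", emergency=True), s.audit)
```

Under the weak configuration an unlisted user such as "mallory" is treated as admin, while the operator "alice" cannot trip a breaker in an emergency; the hardened configuration reverses both, and the audit list on each session is what a later review or IDS rule would consume.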
3.2.3.2 Platform Software Vulnerabilities
3.2.3.2.1 Denial Of Service
Cyber attacks that are based on denial of service (DoS) mechanisms, and others that spread through
viruses and worms by causing a traffic avalanche in a short duration, can potentially bring down
systems and cause a disruption of services; these are known as flood-based cyber attack types.
There is no well-known, fool-proof defense against such cyber attacks in the computing
literature, though various effective ad hoc solutions have been adopted on traditional computer
networks. If the access links that connect the SCADA network to the Internet are swamped by
heavy traffic caused by such attacks, it could prove disastrous, as the control and supervisory data
(including alarms and IED data) flowing to the SCADA network could be lost in the network. The
gateway or firewalls installed to monitor the incoming traffic could be overloaded by the large
volumes of attack traffic. Thus the ability of the SCADA network to respond to actual failures
can be significantly affected. Also, the traffic flood could contain malicious messages that could
confuse the SCADA systems to a great extent [13].
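As an added example (not from the original project or from [13]), the following Python detection logic runs over a constructed connection log from the SCADA gateway. It applies a sliding-window rate threshold per source to flag a flood, and separately reports control-protocol packets (Modbus/TCP port 502, DNP3 port 20000) that do not originate from the known master, since the text notes a flood may carry malicious control messages. The master address, the external source address and the log line format are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO time> <src> -> <dst>:<port> <proto>"
LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")
CONTROL_PORTS = {502: "modbus/tcp", 20000: "dnp3"}
KNOWN_MASTERS = {"10.20.1.15"}   # assumed MTU address for the example


def parse_line(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "proto": proto}


def detect_floods(lines, window_seconds=10, threshold=50):
    """Per-source sliding-window counter; one alert per source per episode.

    Returns (src, ISO time the threshold was crossed, packets in window)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                     # skip malformed lines rather than crash
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()                  # drop timestamps outside the window
        if len(q) > threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], ev["ts"].isoformat(), len(q)))
    return alerts


def unexpected_control_traffic(lines):
    """Control-protocol packets from anything other than the known master(s)."""
    hits = set()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["port"] in CONTROL_PORTS and ev["src"] not in KNOWN_MASTERS:
            hits.add((ev["src"], CONTROL_PORTS[ev["port"]]))
    return sorted(hits)


def make_sample_log():
    """Constructed log: the MTU polls an RTU every 2 s for a minute, and an
    external host sends 300 packets in under 5 s, a few of them aimed at DNP3."""
    base = datetime(2009, 10, 5, 8, 0, 0)
    lines = []
    for i in range(0, 60, 2):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.20.1.15 -> 192.168.50.2:502 tcp")
    for i in range(300):
        t = base + timedelta(seconds=20, milliseconds=i * 16)
        port = 20000 if i % 100 == 0 else 80
        lines.append(f"{t.isoformat()} 203.0.113.9 -> 192.168.50.1:{port} tcp")
    return sorted(lines)


if __name__ == "__main__":
    log = make_sample_log()
    print("flood alerts:", detect_floods(log))
    print("control traffic from non-masters:", unexpected_control_traffic(log))
```

The two checks answer different questions: the rate detector tells the operator the access link or gateway is being swamped, while the second list is what matters for the control network, because a single well-formed DNP3 or Modbus packet from an unknown source is a control message, not noise, regardless of volume.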
3.2.3.2.2 Malware Protection Definitions Not Current And Implemented Without Exhaustive Testing
The presence of malicious software can result in system performance degradation, loss of vital
data and dysfunctional system behavior [10]. These issues can be avoided by the installation of
anti-malware software. But when this anti-virus software is outdated or not thoroughly tested, the
same software can cause more damage than it prevents: the same vulnerabilities remain present in
the system while the operator has a false sense of security and is therefore unaware of the
problem. The SCADA operator remains confident that the anti-virus software is operational and
protecting the system.
3.3 Countermeasures For MTU And RTU Security Issues
As discussed in section 3.2, the security issues in the master terminal unit and remote stations
lie mostly within the platform and the policy. In this section we discuss various ways to
overcome these security issues.
3.3.1 Counter measures For Policy And Procedure Vulnerabilities
Figure 3-3 is used to implement the security policies and procedure. The structure encompasses
all the security features that need to be covered in a security policy [12].
Figure 3-3: Basic Functions Of SCADA Security Policy [12]
Each block in the chart and its function is described below. A detailed, documented list of the
overall security architecture of a system is kept in the security plan. Some areas covered in the
security plan are policies and procedures for operational security, user and data authentication,
backup policies etc. The implementation guide details how the security plan is to be implemented
and where in the overall architecture each measure applies. Configuration management covers
the configuration details of every piece of equipment and all the security policies that apply to
it. Enforcement and auditing make sure that the security policies, plan and implementation for
each piece of equipment are carried out correctly and also maintained correctly [12].
3.3.2 Regular Vulnerability Assessments
All the SCADA equipment has to be assessed regularly to check whether abnormal operations are
taking place. These assessments must be done on a regular, recurring basis. Along with the
operational units, the other components of SCADA such as the corporate network, database
servers and local desktop computers used for customer management should be assessed, so that
any unseen security gaps in the system can be closed and protection increased [13].
3.3.3 Expert Information Security Architecture Design
There are best practices that can be used to overcome most of the security issues in the network.
Also, a number of new technologies have been developed to combat vulnerabilities such as
malware attacks and unauthorized access to the system. When these are installed into the system
the configuration should be such that there are no gaps. If they are not configured correctly they
will not help to solve the issue. If the solution selected is not relevant to the security issue that
needs to be solved, it is a wasted investment. In order to minimize these risks the utility
companies must hire security experts who understand the architecture of the network and can
propose solutions that exactly close the loophole and do not introduce new security issues [13].
3.3.4 Implement The Security Features Provided By Device And System Vendors
Older SCADA networks did not have many security features to protect the system. The utility
companies which own the SCADA networks must ask the vendor to provide security patches for
the existing systems and also to produce newer systems with enhanced security features. Also,
factory default security settings should not be used, because their intent is to provide excellent
usability with the minimum amount of security. When the default settings are being
3.3.7 Conduct Physical Security Surveys And Assess All Remote Sites Connected To The
SCADA Network
Automated systems in the SCADA network are most susceptible to attacks since they are
unmanned and unguarded. An inventory of all access points and carrying out physical security
checks regularly will help to keep a check on any new security issues. Identify and assess any
source of information including remote telephone/computer network/ fiber optic cables that could
be tapped; radio and microwave links that are exploitable; computer terminals that could be
accessed; and wireless local area network access points. Eliminate any points of failure. Prevent
unauthorized access to the websites within the enterprise intranet since they provide access to the
SCADA system [13].
3.3.8 Firewalls And Intrusion Detection System
Threats to the SCADA network can come from malicious attackers via the internet, and hence it
is important to monitor the traffic that flows into it. Firewalls and Intrusion Detection Systems
(IDS) (figure 3-4) should be installed at the various ingress points (gateways) of the SCADA
network to identify malicious traffic before it is allowed to enter [14] [15]. This will filter out
some of the attacks but not all. Hence a more rigorous scheme needs to be implemented to
overcome the attacks that still manage to flow through. Viruses and worms could swamp the
systems with huge volumes of attack traffic, and firewalls and IDS at the entry points alone may
not suffice. This leads to the concept of the electronic perimeter.
Figure 3-4: Firewall And Intrusion Detection System Implementation Between Enterprise And
SCADA Control System [15]
3.3.9 Electronic Perimeter
Traffic flowing from outside sources reaches the gateway, where a firewall blocks malicious
packets and allows the rest to flow through. The traffic that flows through might still contain
malicious packets which could harm the system. Beyond this gateway there is not much filtering,
and hence it is important to define a broader electronic perimeter (figure 3-5) so that filtering
takes place once before data reaches the gateway [14]. This perimeter can be formed by multiple
intrusion detection systems installed over a wider area. Huge volumes of traffic can be handled by
an extended perimeter, as it becomes possible to stop the attacks further away from the SCADA
network. This has the advantage of providing an overlay
network in a more distributed and collaborative fashion. It also provides a barrier that allows
only legitimate traffic through.
Figure 3-5: Electronic Perimeter Implementation In SCADA System [31]
3.3.10 Domain-Specific IDS
The above-mentioned methods, i.e. intrusion detection systems and the electronic perimeter,
provide a baseline of protection and of normal system behavior. In addition, a perspective on an
intrusion can be developed by analyzing emerging characteristics. SCADA data can be analyzed
to look for such patterns. To identify these patterns it is important to have some basic knowledge
which is domain specific and also associated with the communication devices, in order to
construct an IDS attack-signature database. It requires intense analysis of the interconnected
grid to identify the attack patterns, study them and then generate
signatures. Once this is achieved, the observed behavior needs to be correlated with them to
detect potential intrusions and filter the attack traffic [14]. Hence an IDS with these signatures
and the secure electronic perimeter can be made to work together to combat the security issues
posed by malware.
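An added example, not from [14] or from the original project: a small domain-specific signature engine in Go whose rules encode SCADA knowledge stated in this chapter (the master initiates communication, a reply follows a request, devices come from a fixed inventory). The addresses, the 5-second correlation window and the sample capture are constructed for the example.

```go
package main

import "sort"

// Event is one observation taken from SCADA traffic (all sample values below are constructed).
type Event struct {
	T    int    // seconds since the start of the capture
	Src  string // sending device address
	Dst  string // receiving device address
	Kind string // "poll", "reply" or "control"
}

// Alert records which domain rule an event matched.
type Alert struct{ Rule string; Event Event }

// Domain knowledge assumed for the example: the master initiates almost all traffic,
// a reply must follow a request within pollWindow seconds, and the inventory is fixed.
const masterAddr, pollWindow = "MTU-1", 5
var inventory = map[string]bool{"MTU-1": true, "RTU-7": true, "RTU-9": true}

// rules is the attack-signature database: each entry sees the event together with
// the events of the preceding pollWindow seconds, so it can correlate behavior.
var rules = []struct {
	Name  string
	Match func(e Event, recent []Event) bool
}{
	{"control command not issued by master", func(e Event, _ []Event) bool { return e.Kind == "control" && e.Src != masterAddr }},
	{"reply without a preceding request", func(e Event, recent []Event) bool {
		answered := false
		for _, p := range recent { // look for the poll or command this reply answers
			answered = answered || (p.Kind != "reply" && p.Src == e.Dst && p.Dst == e.Src)
		}
		return e.Kind == "reply" && !answered
	}},
	{"message from device outside the inventory", func(e Event, _ []Event) bool { return !inventory[e.Src] || !inventory[e.Dst] }},
}

// Detect orders the events by time and runs every signature over each one,
// handing it the window of recent events the rules correlate against.
func Detect(events []Event) []Alert {
	sort.SliceStable(events, func(i, j int) bool { return events[i].T < events[j].T })
	var alerts []Alert
	for i, e := range events {
		start := i
		for start > 0 && e.T-events[start-1].T <= pollWindow {
			start--
		}
		for _, r := range rules {
			if r.Match(e, events[start:i]) {
				alerts = append(alerts, Alert{r.Name, e})
			}
		}
	}
	return alerts
}

// SampleEvents is a constructed capture: two normal exchanges, then an RTU
// reply nobody asked for and a control command from a host not in the inventory.
func SampleEvents() []Event {
	return []Event{
		{0, "MTU-1", "RTU-7", "poll"}, {1, "RTU-7", "MTU-1", "reply"},
		{10, "MTU-1", "RTU-9", "control"}, {11, "RTU-9", "MTU-1", "reply"},
		{20, "RTU-9", "MTU-1", "reply"}, {30, "HOST-X", "RTU-7", "control"},
	}
}
```

Running Detect over SampleEvents yields three alerts: the unsolicited reply at t=20 and two for the foreign control command at t=30.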
3.3.11 Creating Demilitarized Zones (DMZs)
Demilitarized zones created using firewalls can protect the SCADA network [33]. Multiple
DMZs can be created to separate functionalities and access privileges such as peer-to-peer
connections, the data historian, security servers, configuration servers etc. Figure 3-6 below
shows the creation of DMZs.
Figure 3-6: Demilitarized Zones Architecture [33]
All the connections can be routed through firewalls, and administrators keep a diagram of the
local area network and its connections to protected subnets, DMZs, the corporate network, and
the outside. Multiple demilitarized zones help defend against attacks such as virtual LAN hopping
and trust exploitation, and bring a better security posture [33].
3.3.12 Low Latency And High Integrity Security Solution Using Bump In The Wire
Technology For Legacy SCADA Systems
Legacy SCADA systems, deployed without security in mind, are vulnerable to sniffing and
tampering today. The risk is increasing because security through obscurity is failing to protect
these systems. Achieving security requires a solution that can be retrofitted into the legacy
SCADA system. One such solution is Yet Another SecurIty Retrofit (YASIR), a bump in the wire
(BITW) solution for retrofitting security to time-critical communications in serial-based SCADA
systems [32]. Its goals are to provide high security and low latency at comparable cost, using
standard and patent-free tools.
Figure 3-7: Model For Bump In The Wire Approach [32]
In figure 3-7, the function of the device denoted S is applied to message M, which results in
frame F. At the receiving end the function of the device denoted D is applied to the received
frame F. The output of SCADA device D is either a message or an error: D takes a frame F as
input and outputs an error if F fails certain conformance checks such as random-error detection,
or else the corresponding original message M. Ideally, i.e. without the
introduction of errors in the communication link, the frame received by D is the frame that was
sent, so the output of SCADA device D would be D(F) = D(S(M)) = M.
The BITW solution adds two more modules, transmitter T and receiver R. The output of the
transmitter over the insecure link is T(F) = F~. Receiver R is modeled as a function that takes a
transformed frame F~ and outputs either an error or the corresponding original frame F, which
is then given to D. If no error was introduced into F~, the received transformed frame is identical
to the one sent, so R(F~) = R(T(F)) = F. This provides data authenticity and discards messages
from replay attacks.
The design of the transmitter and receiver in the YASIR approach is as follows. The transmitter
applies the encryption algorithm AES-CTR-128 to the frame F, thereby providing confidentiality
and integrity for the message. Then a time stamp and a unique sequence number are appended to
the message for data authenticity and freshness. This solution also provides low latency by using
the AES-CTR algorithm: the transmitter relies on the stream nature of AES-CTR, and as each
byte of the frame F arrives it applies the encryption. An internal counter keeps a count of every
4 bytes in frame F. Once the whole message is received, the transmitter computes the HMAC over
the cipher text and the internal counter. An iterative HMAC function is used, which reduces the
storage requirements and has lower latency [32]. The steps are shown below.
1. Input frame F = s||H||P||e, where s and e are special symbols indicating the start and end of the frame, H is the header and P is the payload.
2. CTXT = ENCRYPT_ek(ctrT, H||P), where ENCRYPT_ek is AES-CTR-128 under the key ek and ctrT is the counter.
3. MAC = HMAC(ctrT||CTXT), where CTXT is the cipher text from step 2 and HMAC is HMAC-SHA1-96.
4. SEQ = ctrT, where SEQ is the sequence number.
Therefore, there is not much delay except for the time needed to decode symbols and frame
boundaries. The receiver design is as follows. The input frame is decrypted and the hash is
calculated. The steps are
1. MAC' = HMAC(ctrR||CTXT).
2. H'||P' = ENCRYPT(ctrR, CTXT) (in CTR mode, decryption is the same keystream operation as encryption).
3. If MAC' = MAC then output the frame F = s||H'||P'||e and increment ctrR by 1.
4. If the calculated hash value does not match then report an error.
Figure 3-8 below describes the above steps with respect to latency. Shaded boxes indicate
values computed by the YASIR components. As shown in the figure, at the receiver end the
frame structures differ for type I and type II protocols. Type I protocols, such as Modbus, are
those which do not carry header information; type II protocols are those which carry header
information [32].
Figure 3-8: (a) YASIR Transmitter (b) Communication Link (c) YASIR Receiver. [32]
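The transmitter and receiver steps above, as an added example written here in Go and not taken from [32] or the YASIR project: it uses the standard library's AES-CTR-128 and HMAC-SHA1 truncated to 96 bits. The keys, the start and end symbols (0x02 and 0x03), the wire layout F~ = s||SEQ||CTXT||MAC||e, and a per-frame counter in place of YASIR's per-4-byte internal counter are assumptions; the receiver additionally compares SEQ with its own ctrR so a replayed frame is rejected before the MAC is checked.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// Constructed example keys; a deployed BITW pair would be provisioned out of band.
var encKey = []byte("0123456789abcdef") // 16-byte key ek for AES-CTR-128 (ENCRYPT_ek)
var macKey = []byte("example-hmac-key")  // key for HMAC-SHA1-96
const startSym, endSym, macLen = 0x02, 0x03, 12 // assumed s and e symbols; 96-bit tag
// u32 encodes a counter value as the 4-byte big-endian string used for SEQ and in the MAC.
func u32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

// ctrStream builds the AES-CTR keystream for one frame; the shared counter value
// is placed in the IV so transmitter and receiver stay in step.
func ctrStream(ctr uint32) cipher.Stream {
	block, _ := aes.NewCipher(encKey) // cannot fail: encKey is exactly 16 bytes
	iv := make([]byte, aes.BlockSize)
	copy(iv[aes.BlockSize-4:], u32(ctr))
	return cipher.NewCTR(block, iv)
}

// mac computes HMAC-SHA1-96 over ctr||CTXT (transmitter step 3, receiver step 1).
func mac(ctr uint32, ctxt []byte) []byte {
	h := hmac.New(sha1.New, macKey)
	h.Write(u32(ctr))
	h.Write(ctxt)
	return h.Sum(nil)[:macLen]
}

// Transmitter T maps F = s||H||P||e to F~ = s||SEQ||CTXT||MAC||e with SEQ = ctrT.
type Transmitter struct{ ctr uint32 }
func (t *Transmitter) Transmit(frame []byte) []byte {
	ctxt := make([]byte, len(frame)-2)
	ctrStream(t.ctr).XORKeyStream(ctxt, frame[1:len(frame)-1]) // encrypt H||P, not s or e
	out := append([]byte{startSym}, u32(t.ctr)...)
	out = append(append(out, ctxt...), mac(t.ctr, ctxt)...)
	t.ctr++
	return append(out, endSym)
}

// Receiver R releases F to device D only for an authentic, in-sequence F~.
type Receiver struct{ ctr uint32 }
func (r *Receiver) Receive(wire []byte) ([]byte, error) {
	if len(wire) < 6+macLen || wire[0] != startSym || wire[len(wire)-1] != endSym {
		return nil, errors.New("malformed transformed frame")
	}
	if binary.BigEndian.Uint32(wire[1:5]) != r.ctr { // stale SEQ: replayed or lost frame
		return nil, errors.New("sequence mismatch: frame rejected")
	}
	ctxt := wire[5 : len(wire)-1-macLen]
	if !hmac.Equal(wire[len(wire)-1-macLen:len(wire)-1], mac(r.ctr, ctxt)) {
		return nil, errors.New("MAC mismatch: frame rejected") // step 4
	}
	plain := make([]byte, len(ctxt))
	ctrStream(r.ctr).XORKeyStream(plain, ctxt) // CTR decryption is the same keystream XOR
	r.ctr++ // step 3: accept and advance ctrR
	return append(append([]byte{startSym}, plain...), endSym), nil
}
```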
The above solution has still to be tested in a real deployment of a SCADA system, and the
development of a cost-effective FPGA implementation is underway [32].
Chapter 4
DISTRIBUTED NETWORK PROTOCOL 3 VULNERABILITIES AND COUNTERMEASURES
4.1 Introduction To SCADA Communication Network
In this chapter we concentrate on how vulnerabilities are introduced into the SCADA
architecture from the communication perspective. The MTU and RTU use communication media
ranging from wired to wireless. The protocols used for these communications are discussed in
this chapter. The protocol structures, the vulnerabilities present in each protocol and their
countermeasures are discussed in chapters 4 and 5.
Development of the SCADA architecture dates back to the 1900s, when telemetry was introduced.
Telemetry involves the transmission and collection of data obtained by real-time sensing
applications. As discussed in the introduction chapter, the basic architecture of SCADA consists
of delivering the data collected at the remote stations to the central processing station. The
master computers (MTUs) present information such as meter readings and equipment status to
human operators in a readable form and allow the human operators to control the field
equipment, or control devices automatically. The MTU initiates almost all communication with
remote sites [16].
The master terminal units basically consisted of mainframe computers which presented the data
to the human operator, who then had to decide on the next steps. The older SCADA networks
were built to provide reliability and operability. Hence the MTU would send commands over a
1200 baud communication line, and the function of the RTU was only to
execute the command, sense the new data and send it back to the MTU. The RTUs had no local
intelligence and simply served the master [16].
With the advent of new communication technologies and media, the slower communication
channels in the older networks started to be replaced. Getting rid of the slower communication
lines and making the RTU more intelligent increased the SCADA network's overall processing
power. The RTU was made more intelligent with the introduction of IEDs (intelligent electronic
devices). IEDs are capable of autonomously executing simple logic processes without involving
the master computer. Hence the RTU devices provide a number of functions locally, e.g. system
protection (say, from power surges), local operation capabilities, and data gathering and
concentration from other subsystems. Figure 4-1 gives an insight into the modern SCADA
architecture [16].
Figure 4-1: Modern SCADA Communication Architecture [16]
The misconception of SCADA network managers that the SCADA system cannot be accessed via
the corporate network was proved wrong by the introduction of the modern SCADA architecture.
Figure 4-1 also shows that the field data (obtained using RTUs and IEDs) is transmitted over a
wide range of communication lines and can even be accessed by SCADA users via a web browser.
Communication between the various units in the architecture uses Ethernet or internet
technology, which introduces the vulnerabilities inherent in desktop computers on corporate
networks [16].
4.2 Some General Vulnerabilities In SCADA Network
The SCADA network infrastructure has grown continually, with modifications introduced very
often to satisfy business and operational requirements. During this time very little importance
was given to the security gaps introduced into the network. If these gaps are not filled, they
could expose the SCADA architecture to a number of attacks. It is important to have a network
architecture that differentiates between, or segments, the corporate, internet and SCADA
networks. It should not be so weak that an attack on the internet part of the architecture would
affect and hence compromise the SCADA network [16]. Some common architectural weaknesses
are introduced when:
1. The web and email servers are not configured correctly and hence unnecessarily provide internal corporate access.
2. Firewall protection, an intrusion detection system or a virtual private network is not used when connecting to the networks of corporate partners.
3. Dial-up modem access is authorized unnecessarily, and maintenance dial-ups often fail to implement corporate dial-access policies.
When the SCADA system fails, there should be backup devices which can be used to restore the
functions of SCADA. By bringing the system back into operation, system availability is not
hampered and loss of data is prevented. All of these procedures should be documented so that
the backup systems are easier to use when the primary systems fail in an emergency [16].
There are a number of insecure connections in the SCADA network, e.g. ports used for
maintenance of the SCADA system, examination of the SCADA system, obtaining remote access
to the system etc. Since these links are unprotected, lacking authentication and encryption, they
are highly susceptible to attacks, which compromise the integrity of the transmitted data [16].
4.3 SCADA Communication Protocols
The SCADA systems are built using public or proprietary communication protocols which are
used for communicating between an MTU and one or more RTUs. The SCADA protocols
provide transmission specifications to interconnect substation computers, RTUs, IEDs, and the
master station. The two most common protocols used are:
DNP3 (Distributed Network Protocol version 3.0)
Modbus
4.4 DNP3 Protocol
4.4.1 Introduction To DNP3 Protocol
DNP3 or Distributed Network Protocol Version 3.3 is a telecommunications standard that defines
communications between master stations, remote telemetry units (RTUs) and other intelligent
electronic devices (IEDs). It was developed to achieve interoperability among systems in the
electric utility [17].
DNP3 was created as a proprietary protocol by Harris Controls Division initially for use in the
electrical utility industry. In November 1993 the protocol was made available for use by third
parties by transferring its ownership to the DNP3 User Group. DNP3 was designed specifically
for SCADA (supervisory control and data acquisition) applications. These involve acquisition of
information and sending of control commands between physically separate computer devices. It
is designed to transmit relatively small packets of data in a reliable manner [17].
A key feature of the DNP3 protocol is that it is an open protocol standard and it is one that has
been adopted by a significant number of equipment manufacturers. The benefit of an open
standard is that it provides for interoperability between equipment from different manufacturers.
This means for example that a user can purchase system equipment such as a maste