SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM

SECURITY ISSUES AND COUNTER MEASURES

Raksha Sunku Ravindranath

B.E., Visveswaraiah Technological University, Karnataka, India, 2006

PROJECT

Submitted in partial satisfaction of

the requirements for the degree of

MASTER OF SCIENCE

in

COMPUTER ENGINEERING

at

CALIFORNIA STATE UNIVERSITY, SACRAMENTO

FALL

2009


SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM

SECURITY ISSUES AND COUNTER MEASURES

A Project

by

Raksha Sunku Ravindranath

Approved by:

__________________________________, Committee Chair

Dr. Isaac Ghansah

__________________________________, Second Reader

Dr. Jing Pang

____________________________

Date


Student: Raksha Sunku Ravindranath

I certify that this student has met the requirements for format contained in the University format

manual, and that this project is suitable for shelving in the Library and credit is to be awarded for

the Project.

__________________________, Graduate Coordinator ________________

Dr. Suresh Vadhva Date

Department of Computer Engineering


Abstract

of

SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM

SECURITY ISSUES AND COUNTER MEASURES

by

Raksha Sunku Ravindranath

This project discusses security issues, countermeasures and open research issues in Supervisory Control And Data Acquisition (SCADA) systems. SCADA systems are used in the power sector to control and monitor industrial processes. The major components of a SCADA system are the master terminal unit, the remote terminal units and the communication link connecting them. The protocols used on this communication link are DNP3 (Distributed Network Protocol version 3.0) and Modbus. Vulnerabilities in these components lie in the policies, procedures, platforms and protocols used. Countermeasures for these vulnerabilities include the deployment of firewalls and intrusion detection systems, wrapping the protocols in secure layers, and enhancing the protocol structure itself. Some of these countermeasures do not provide complete security and hence require more research. A number of issues that require further research are also recommended.

_______________________, Committee Chair

Dr. Isaac Ghansah

_______________________

Date


DEDICATION

Om Sai Ram

This project is dedicated to my lovely parents S.K. Ravindranath and Asha Ravindranath, my dear brother Raghav Kishan S.R., and my inspirational grandparents Adinarayana Gupta and Latha Gupta.


ACKNOWLEDGMENTS

It is a pleasure to thank everybody who helped me in successfully completing my Master's Project.

First, my sincere thanks to my project supervisors, Dr. Isaac Ghansah, Professor, Computer Science and Engineering, and Dr. Jing Pang, Associate Professor, Departments of Electrical and Electronic Engineering and Computer Engineering, for giving me an opportunity to work under their guidance, and for providing me constant support throughout the project.

I am also very grateful to Dr. Suresh Vadhva, Graduate Coordinator, Department of Computer Engineering, for his invaluable feedback and suggestions.

My special thanks to my friend Vinod Thirumurthy who helped me in reviewing this report.

I would like to take this opportunity to acknowledge and appreciate the efforts of California State

University, Sacramento for its facilities and providing a good environment for the students to

prosper in their academic life.

Last but not least, I would like to thank my parents, S.K Ravindranath and Asha Ravindranath,

and my brother Raghav Kishan S.R. for their moral and financial support. I am very grateful for

their continuous support and never ending encouragement that they have provided throughout my

life.


TABLE OF CONTENTS

Dedication
Acknowledgments
List of Tables
List of Figures
List of Abbreviations

Chapter

1 INTRODUCTION
1.1 Introduction To SCADA
1.2 SCADA System Components And Functions
1.3 Literature Review
1.4 Conclusion
2 SCADA SYSTEM REQUIREMENTS AND THREATS
2.1 Requirements In A SCADA System
2.2 Threats To SCADA Network
3 MASTER TERMINAL UNIT AND REMOTE TERMINAL UNIT VULNERABILITIES AND COUNTERMEASURES
3.1 Introduction
3.2 Vulnerabilities In The SCADA System
3.2.1 Public Information Availability
3.2.2 Policy And Procedure Vulnerabilities
3.2.3 Platform Vulnerabilities
3.2.3.1 Platform Configuration Vulnerabilities
3.2.3.1.1 Operating System Related Vulnerabilities
3.2.3.1.2 Password Related Vulnerabilities
3.2.3.1.3 Access Control Related Vulnerabilities
3.2.3.2 Platform Software Vulnerabilities
3.2.3.2.1 Denial Of Service
3.2.3.2.2 Malware Protection Definitions Not Current And Implemented Without Exhaustive Testing
3.3 Countermeasures For MTU And RTU Security Issues
3.3.1 Countermeasures For Policy And Procedure Vulnerabilities
3.3.2 Regular Vulnerability Assessments
3.3.3 Expert Information Security Architecture Design
3.3.4 Implement The Security Features Provided By Device And System Vendors
3.3.5 Establish Strong Controls Over Any Medium That Is Used As A Backdoor Into The SCADA Network
3.3.6 Implement Internal And External Intrusion Detection Systems And Establish 24-Hour-A-Day Incident Monitoring
3.3.7 Conduct Physical Security Surveys And Assess All Remote Sites Connected To The SCADA Network
3.3.8 Firewalls And Intrusion Detection System
3.3.9 Electronic Perimeter
3.3.10 Domain-Specific IDS
3.3.11 Creating Demilitarized Zones (DMZs)
3.3.12 Low Latency And High Integrity Security Solution Using Bump In The Wire Technology For Legacy SCADA Systems
4 DISTRIBUTED NETWORK PROTOCOL 3 VULNERABILITIES AND COUNTERMEASURES
4.1 Introduction To SCADA Communication Network
4.2 Some General Vulnerabilities In SCADA Network
4.3 SCADA Communication Protocols
4.4 DNP3 Protocol
4.4.1 Introduction To DNP3 Protocol
4.4.2 DNP3 Communication Modes
4.4.3 DNP3 Network Configurations
4.4.4 DNP3 Data Link Layer
4.4.5 DNP3 Protocol Layer – Pseudo Transport Layer
4.4.6 DNP3 Protocol Layer – Application Layer
4.5 DNP3 Protocol Vulnerabilities And Attacks
4.6 Countermeasures For Enhancing DNP3 Security
4.6.1 Solutions That Wrap The DNP3 Protocols Without Making Changes To The Protocols
4.6.1.1 SSL/TLS Solution
4.6.1.2 IPSec (Secure IP) Solution
4.6.2 Enhancements To DNP3 Applications
4.6.3 Secure DNP3
4.6.4 Distributed Network Protocol Version 3 Security (DNPSec) Framework
4.7 Comparison Of DNP3 Countermeasures
5 MODBUS PROTOCOL VULNERABILITIES AND COUNTERMEASURES
5.1 Introduction To Modbus Protocol
5.2 Protocol Specifics
5.3 Modbus Serial Protocol
5.4 Modbus TCP Protocol
5.5 Vulnerabilities And Attacks In Modbus Protocol
5.5.1 Serial Only Attacks
5.5.2 Serial And TCP Attacks
5.5.3 TCP Only Attacks
5.6 Countermeasures For Enhancing Modbus Security
5.6.1 Secure Modbus Protocol
6 RESEARCH ISSUES
6.1 Performance Requirements Of SCADA Systems
6.2 Authentication And Authorization Of Users At The Field Substations
6.3 Enhancing The Security Of Serial Communication
6.4 Access Logs For The IEDs In Substations
6.5 Attacks From Which Side Channel Information Can Be Obtained
6.6 Timing Information Dependency
6.7 Software Patches Update
6.8 Intrusion Detection Equipment For The Field Devices And The Control Systems
6.9 Authentication Of The Users To Control System Equipment
6.10 Legacy Systems With Limited Processing Power And Resources
6.11 Roles To Be Defined In The Control Center
7 CONCLUSION
7.1 Summary
7.2 Strengths And Weaknesses
7.3 Future Work
References


LIST OF TABLES

Table 3-1: List Of Potential And Present Vulnerabilities In MTU And RTUs
Table 4-1: Comparison Of Security Approaches
Table 4-2: New Function Codes Introduced To Support The Secure DNP3 Protocol
Table 5-1: Function Codes In A Modbus Protocol Frame
Table 5-2: Exception Function Codes For Modbus Protocol
Table 5-3: Comparison Of Communication Latency
Table 5-4: Comparison Of Packet Size
Table 5-5: Communication Latency With Modbus And Secure Modbus – Master Scan Rate Of 500 ms And A Connection Timeout Of 1200 ms
Table 5-6: Modbus/TCP And Secure Modbus/TCP Packet Size, Tested With Different Functions
Table 5-7: Communication Latency In The Different Communication Steps


LIST OF FIGURES

Figure 1-1: Conceptual Smart Grid Architecture
Figure 1-2: SCADA As An Integral Component Of Smart Grid
Figure 1-3: SCADA System Components
Figure 3-1: Security Vulnerabilities Pattern
Figure 3-2: Interconnected SCADA Network
Figure 3-3: Basic Functions Of SCADA Security Policy
Figure 3-4: Firewall And Intrusion Detection System Implementation Between Enterprise And SCADA Control System
Figure 3-5: Electronic Perimeter Implementation In SCADA System
Figure 3-6: Demilitarized Zones Architecture
Figure 3-7: Model For Bump In The Wire Approach
Figure 3-8: (a) YASIR Transmitter (b) Communication Link (c) YASIR Receiver
Figure 4-1: Modern SCADA Communication Architecture
Figure 4-2: DNP3 Network Configurations
Figure 4-3: Design Progression From OSI To DNP3
Figure 4-4: DNP3 Protocol Data Link Layer Frame Structure
Figure 4-5: DNP3 Pseudo-Transport Message Fields
Figure 4-6: DNP3 Application Message
Figure 4-7: Threat Categories For DNP3
Figure 4-8: Protocol Stack (Gray-Background Protocols Are Secured Alternatives)
Figure 4-9: Authentication Using Authentication Octets
Figure 4-10: Message Sequence In Challenge-Response Mode
Figure 4-11: Message Flow In Aggressive Mode
Figure 4-12: DNPSec Protocol Structure
Figure 4-13: DNPSec Request/Response Link Communications
Figure 5-1: Modbus Protocol And ISO/OSI Model Comparison
Figure 5-2: Modbus Communication Stack
Figure 5-3: Modbus Protocol Frame Format
Figure 5-4: Modbus Serial Architecture
Figure 5-5: Modbus TCP Architecture
Figure 5-6: Secure Modbus Application Data Unit
Figure 5-7: Modbus Secure Gateway
Figure 5-8: Secure Modbus Module
Figure 5-9: SCADA Test Bed Developed To Verify Secure Modbus Protocol
Figure 5-10: High Level Secure Survivable Architecture
Figure 5-11: Filtering Unit Prototype


LIST OF ABBREVIATIONS

SCADA: Supervisory Control and Data Acquisition
MTU: Master Terminal Unit
RTU: Remote Terminal Unit
DNP3: Distributed Network Protocol version 3
SSL: Secure Sockets Layer
TLS: Transport Layer Security
PLC: Programmable Logic Controller
IED: Intelligent Electronic Device
LAN: Local Area Network
PSTN: Public Switched Telephone Network
DHS: Department of Homeland Security
CSSP: Control Systems Security Program
NCSD: National Cyber Security Division
INEEL: Idaho National Engineering and Environmental Laboratory
NERC: North American Electric Reliability Council
CIP: Critical Infrastructure Protection
NIST: National Institute of Standards and Technology
PCSRF: Process Control Security Requirements Forum
PCSF: Process Control Systems Forum
IDS: Intrusion Detection System
DNS: Domain Name System
FERC: Federal Energy Regulatory Commission
DRP: Disaster Recovery Plan
DoS: Denial of Service
IEC: International Electrotechnical Commission
EPA: Enhanced Performance Architecture
CRC: Cyclic Redundancy Check
ICV: Integrity Check Value
HMAC: Hash-based Message Authentication Code
ASCII: American Standard Code for Information Interchange
PDU: Protocol Data Unit
MBAP: Modbus Application Protocol
NTP: Network Time Protocol
YASIR: Yet Another SecurIty Retrofit
BITW: Bump In The Wire
DMZ: Demilitarized Zone


Chapter 1

INTRODUCTION

Presently the electric industry consists of a largely centralized, producer-controlled network. The transformation of this network into a more decentralized and consumer-interactive network is the Smart Grid [1]. The need for the smart grid has surfaced because the demand for power has been increasing constantly. With the introduction of the smart grid, consumers will be empowered to manage their energy usage in a more efficient and economical way. The smart grid will also increase the productivity and efficiency of power delivery and improve power reliability [1].

In addition, smart grid technology allows us to overcome challenges such as increasing power demand, aging utility infrastructure, and the environmental impact of the greenhouse gases produced during electricity generation. With the deployment of the smart grid, power can be used more effectively and carbon emissions can be reduced substantially. Another advantage is a reduction in the investment needed in primary equipment. Thus the main focus is to make the grid more automated in order to provide the above functionalities. Figure 1-1 is a conceptual architecture of the smart grid. The components labelled generators, central power plant and isolated microgrid in the figure are all connected through a Supervisory Control and Data Acquisition (SCADA) architecture [1].


Figure 1-1: Conceptual Smart Grid Architecture [30]

1.1 Introduction To SCADA

In addition to being used in electrical power systems, SCADA is also used in other critical infrastructures such as oil and gas refining, water supply and transportation. Critical infrastructures that do not necessarily use the kind of SCADA system discussed here include telecommunications, banking and finance, and emergency services. Clearly, critical infrastructure is one of the most important factors supporting a nation's life. Figure 1-2 gives a high level view of the smart grid and shows where the SCADA system lies within it. The enterprise, control center, field area network and substation are all part of the SCADA architecture [1].


Figure 1-2: SCADA As An Integral Component Of Smart Grid [29]

SCADA systems are widely deployed in critical infrastructure industries, where they provide remote supervision and control. In the power sector, SCADA consists of automated processes developed to assist in the management and control of the electrical power grid. It is a complex, interconnected control system, which adds to the challenge of delivering secure and reliable service. The basic function of a SCADA system is to monitor and control the equipment responsible for delivering power. Extended functionality includes fault detection, equipment isolation and restoration, load and energy management, automated meter reading, and substation control. The SCADA systems used today by the utilities were developed and deployed many years ago. At that time they were not connected to the Internet or to any other public or private network, so the only security threat considered was physical destruction of the systems. With the introduction of equipment automation and deregulation, SCADA systems needed some kind of interconnected network. The need for remote connections to these control devices exposed the network to a completely new set of vulnerabilities [2].


1.2 SCADA System Components And Functions

SCADA is a collection of independent systems that measure and report in real time on both local and geographically remote distributed processes. It is a combination of telemetry and data acquisition that enables a user to send commands to distant facilities and collect data from them. Telemetry is the technique of transmitting and receiving data over a medium. Data acquisition is the method of collecting data from the equipment being controlled and monitored. The layout and functions of the SCADA system are discussed in this section [3].

Figure 1-3: SCADA System Components [4]

As shown in Figure 1-3, the fundamental components of the SCADA control system are the master terminal unit, the communication network and the remote terminal units. The supervisory control and monitoring station, also called the master terminal unit (MTU), consists of engineering workstations, the human machine interface, application servers, and a communications router. The master terminal unit issues commands to distant facilities, gathers data from them, interacts with other systems on the corporate intranet for administrative purposes, and interfaces with human operators. The master terminal unit has full control over the distributed remote processes. Commands can be sent from the MTU to distant facilities either manually, through the human machine interface, or by automation [4].

A human machine interface (HMI) program runs on the master terminal unit computer. It basically consists of a diagram which mimics the whole plant, making it easy to relate the display to the real system. Every input/output point of the remote systems can be represented graphically, with its current configuration parameters displayed. Configuration parameters such as trip values and limits can be entered through this interface. This information is communicated through the network and downloaded to the corresponding remote devices, which update their values accordingly. A separate window listing the alarms set up in the remote station network can also be displayed; it shows the alarm tag name, description, value, trip point value, time, date and other important information. Trend graphs can also be displayed. These graphs show the behavior of a unit by logging its values periodically and plotting them. If any abnormal behavior of the unit is seen, the appropriate action can be taken in time [4].

The remote sites in Figure 1-3 are known as field sites. A field site basically consists of so-called field instrumentation: devices connected to the equipment or machines being controlled and monitored by the SCADA system. These devices include sensors for monitoring certain parameters and actuators for controlling certain modules of the system. Other devices at the field sites are controllers, pulse generators etc. [4].


These devices convert physical parameters into electrical signals readable by the remote station equipment. The outputs can be read in either analog or digital form. Generally voltage outputs have fixed ranges such as 0 to 5 V or 0 to 10 V. Voltage signals are used when sensors are located close to the controllers, and current signals when they are located far from the controllers, since a current loop is far less affected by line resistance and noise over long runs. A digital reading can be used to check whether a unit is enabled or disabled, i.e. in operation or out of operation. Actuators carry commands out to the equipment, e.g. turning it on and off [4].

The field instrumentation just described is interfaced with a controller called a remote terminal unit (RTU) or programmable logic controller (PLC). Both basically consist of a computer controller which can be used for process manipulation at the remote site, and both are interfaced with the communication system connected to the master terminal unit (MTU). The PLC has very good programmability, while RTUs have better interfaces to the communication lines. The trend in this area is the merging of PLC and RTU to exploit both sets of features. Hence the overall function of this architecture is that the MTU communicates with one or more remote RTUs by sending requests for information that those RTUs gather from devices, or instructions to take an action such as opening and closing valves, turning switches on and off, etc. [4].

An intelligent electronic device (IED), such as a protective relay, communicates with the remote terminal unit. A number of IEDs can be connected to an RTU; they are all polled and their data collected. IEDs also have a direct interface to control and monitor sensory equipment, and they carry local programming that allows them to act without commands from the control center. This makes the RTU more autonomous and reduces the amount of communication with the MTU [4].

The communication medium between the MTU and the RTUs ranges from wired networks such as the public switched telephone network to wireless or radio networks. The MTU and the administrative systems are connected over a LAN (local area network). On the link between the


MTU and the RTUs, the most commonly used protocols are the distributed network protocol (DNP3) and Modbus. DNP3 is an open standard and the newer of the two; older systems use Modbus. Both have been adopted by a number of SCADA vendors, and both have been extended to run over TCP/IP. Also connected to the control system is the enterprise network, which gives decision makers access to real-time information and allows engineers to monitor and control the control system [4].

This architecture has a number of vulnerabilities. The MTU and the RTUs are connected over the internet, the public switched telephone network (PSTN), cable or wireless links. The security issue common to all of these media is eavesdropping; wireless and internet links are additionally exposed to replay attacks, denial of service attacks and the like. Outside vendors, consumers and business partners can attack this architecture because they reach the enterprise network through the internet connection shown in figure 1-3, and the enterprise network is in turn connected to the control system, so these entities have indirect access to the MTU. Remote stations have a communication interface that lets field operators connect over a wireless protocol or a remote modem to perform maintenance, typically from handheld devices; an unauthorized person who obtains such a device could use it to harm the system. Several more security issues in this architecture are covered later in this project [4].
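The two preceding paragraphs (Modbus carried over TCP/IP, and eavesdropping and replay on the MTU-RTU link) can be made concrete with a small Modbus/TCP encoder and decoder. The block below is an added example written for this page; it is not code from the thesis or from any vendor. Function codes and the MBAP header layout follow the public Modbus Application Protocol specification; the IP addresses, unit number and coil address in the scenario are constructed for illustration. It builds a Write Single Coil request, parses it back, and runs a passive audit that flags write-class requests from any host other than the known MTU, which is the kind of rule a Modbus-aware IDS reduces to, because nothing in the frame itself identifies or authenticates the sender.

```python
import struct

# Modbus function codes, as defined in the public Modbus Application Protocol specification
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_COILS = 0x0F
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTION_CODES = {FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER,
                        FC_WRITE_MULTIPLE_COILS, FC_WRITE_MULTIPLE_REGISTERS}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def build_adu(transaction_id, unit_id, function_code, data):
    """Build a Modbus/TCP ADU: the MBAP header followed by the PDU (function code + data).
    Note what the frame does not carry: no sender identity, no signature, no nonce."""
    pdu = bytes([function_code]) + data
    # The MBAP length field counts the unit id byte plus the PDU; protocol id is always 0.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_coil(transaction_id, unit_id, coil_address, on):
    """Function 05: set one discrete output. 0xFF00 means ON, 0x0000 means OFF."""
    value = 0xFF00 if on else 0x0000
    return build_adu(transaction_id, unit_id, FC_WRITE_SINGLE_COIL,
                     struct.pack(">HH", coil_address, value))


def read_holding_registers(transaction_id, unit_id, start_address, count):
    """Function 03: read `count` 16-bit holding registers starting at start_address."""
    return build_adu(transaction_id, unit_id, FC_READ_HOLDING_REGISTERS,
                     struct.pack(">HH", start_address, count))


def parse_adu(frame):
    """Decode a Modbus/TCP ADU into its fields; reject frames that are malformed."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match the frame size")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function_code": frame[MBAP_LEN], "data": frame[MBAP_LEN + 1:]}


def audit_writes(packets, trusted_masters):
    """Flag write-class requests from any source other than the known MTU addresses.
    `packets` is a list of (source_ip, frame) tuples as a passive network monitor would see
    them. The check has to live outside the protocol: a replayed frame is byte-for-byte
    identical to the legitimate one, so only the transport-level source tells them apart."""
    alerts = []
    for source_ip, frame in packets:
        try:
            msg = parse_adu(frame)
        except ValueError as exc:
            alerts.append((source_ip, "malformed", str(exc)))
            continue
        if msg["function_code"] in WRITE_FUNCTION_CODES and source_ip not in trusted_masters:
            alerts.append((source_ip, "unauthorized_write",
                           "fc=0x%02x unit=%d" % (msg["function_code"], msg["unit_id"])))
    return alerts


if __name__ == "__main__":
    # Constructed scenario with assumed addresses: the MTU at 10.0.0.10 opens a breaker
    # (coil 0x0013 on unit 17); an attacker at 10.0.0.66 who sniffed the link replays the
    # identical bytes. The RTU cannot distinguish the two; the monitor can.
    legit = write_single_coil(1, 17, 0x0013, True)
    replayed = bytes(legit)
    print("wire bytes:", legit.hex())
    for alert in audit_writes([("10.0.0.10", legit), ("10.0.0.66", replayed)], {"10.0.0.10"}):
        print("ALERT", alert)
```

The source-address check is only a detection aid, not a fix: an attacker who can spoof or take over the MTU address defeats it, and an attacker on the serial side of a Modbus RTU link has no IP address at all. The later chapters on DNP3 and Modbus countermeasures are about adding the missing authentication to the protocol itself.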

1.3 Literature Review

In this section, we discuss work done on SCADA systems by other organizations and various

ways in which they are looking at security issues.

Critical infrastructure protection is of prime importance because it directly affects citizens. The Department of Homeland Security (DHS) is responsible for infrastructure protection [5]. Within its National Cyber Security Division (NCSD), the DHS formed the Control Systems Security Program (CSSP), whose main task is identifying, analyzing and reducing cyber risks in control systems.

The Idaho National Engineering and Environmental Laboratory (INEEL), together with Sandia National Laboratories, has created a SCADA test bed consisting of a functional power grid and a wireless test bed. It is used to validate newly developed protocols before they are deployed in a real environment. A Center for SCADA Security has been established at Sandia, where research, training, red teaming and standards development take place. Researchers at Sandia recently developed and published a SCADA Security Policy Framework [6], intended to ensure that every critical topic is adequately addressed by a specific policy.

Standards bodies such as NIST (National Institute of Standards and Technology) and NERC (North American Electric Reliability Council) also work on control system security. NERC has finalized cyber security standards [7] that establish requirements for security management programs, electronic and physical protection, incident reporting and recovery plans, and NIST, through its Process Control Security Requirements Forum (PCSRF), has defined a set of common security requirements for existing and new control systems across various industries [8] [9].

The Process Control Systems Forum (PCSF), founded in February 2005, has the mission of accelerating the design, development and deployment of more secure control and legacy systems that are crucial to critical infrastructure. Many other organizations carry out research on the security of SCADA systems. This project covers present and potential security issues in SCADA systems and discusses a few countermeasures that have been verified on test beds developed by some of the organizations above [5].


1.4 Conclusion

The SCADA architecture helps the smart grid meet its goals in a number of ways. For instance, suppose the power demand of an industrial area peaks during the daytime and falls at night. The utility can then instruct the SCADA network in the generation units to reduce the amount of power generated during the off-peak hours, giving better utilization of power and lower greenhouse gas emissions. Because hackers and disgruntled employees could send such a signal to the SCADA network as well, or send false signals, potentially causing instability in the power grid, it is important to research the security issues in the SCADA architecture so that they can be corrected.

The core of this project is to understand the SCADA architecture and identify its current and potential security vulnerabilities. The project also covers countermeasure techniques that can be applied against these security issues, and discusses research issues that still need to be explored. Chapter 2 describes the requirements of a SCADA system and the threats to it. Chapter 3 discusses master terminal unit and remote terminal unit security issues and countermeasures. Chapters 4 and 5 discuss security issues and countermeasures for the DNP3 and Modbus communication protocols. Chapter 6 discusses the research issues that still need more work in order to provide good security. Chapter 7 gives the conclusion, strengths, weaknesses and future work.


Chapter 2

SCADA SYSTEM REQUIREMENTS AND THREATS

This chapter discusses the various requirements of a SCADA system that need to be satisfied

while developing security solutions. The threats faced by the SCADA system are also listed in

this chapter.

2.1 Requirements In A SCADA System

In order to identify the security concerns in present SCADA systems and to develop security measures, it is important to understand the requirements of a SCADA system [10]. The following is a list of considerations when looking into the security of a SCADA system.

1. Some sections of the SCADA network are time-critical systems. They tolerate a bounded amount of delay and jitter, but if those bounds are exceeded the operation of the network may be impaired. A few sections of the architecture also need deterministic inputs; an example of a deterministic system is a digital one whose inputs can only be 0 or 1, i.e. turn the system on or off. These performance requirements are essential to the normal operation of the network [10].

2. The availability of the SCADA system is extremely important. Its components must respond in a timely manner so that the continuous processes they control are not disrupted. Unexpected outages are not acceptable in an industrial control system, because one outage can set off a chain reaction that disturbs a whole set of operating processes and can bring the system down. To make sure such an incident does not occur, pre-deployment testing is essential to ensure high availability. When unexpected outages do occur, many control systems cannot be easily stopped and restarted without affecting production; in some cases the products being produced or the equipment in use matter more than the information being relayed. Strategies such as rebooting a system are therefore not acceptable in some situations, because they may adversely affect the high availability, reliability and maintainability required of the SCADA system. One way to address this is to install redundant components running in parallel, so that they provide continuity when some of the primary components are unavailable. A further advantage of this strategy is that the primary system can be updated and maintained while the redundant system takes over its functions for a period of time [10].

3. One of the most important requirements in any industrial system is managing risk, and human safety is of primary importance. Safety and fault tolerance are essential to prevent loss of life, endangerment of public health or confidence, loss of equipment, loss of intellectual property and damage to products. Complying with regulatory terms and conditions helps to satisfy these concerns to a great extent. The personnel who operate and maintain the SCADA system must also understand the link between safety and security, and in particular when a security control may have to give way in order to preserve safety [10].

4. In a typical IT system the focus is on protecting information, whether it is stored centrally or distributed, with the centrally stored and processed information regarded as the most critical. In a SCADA system the information held in remote devices such as PLCs and RTUs is just as critical, since those devices are directly responsible for controlling the end processes. At the same time it remains equally important to secure the SCADA system's central server, because if it were compromised the edge devices would be affected as well [10].

5. A SCADA system comprises many complex interactions, and these translate into physical events. Consequently, every security function integrated into the SCADA system must be tested (e.g. off-line on a comparable SCADA system) to prove that it does not compromise normal SCADA functionality [10].

6. Time-critical responses in a SCADA system must be handled carefully. Requiring password authentication at the human machine interface might interfere with the actions that need to be taken, for instance during emergencies; at the same time the information flow must not be interrupted or compromised. For this reason, access to these systems should primarily be restricted by physical security controls [10].

7. SCADA systems have many resource constraints. The real-time operating systems they run are often constrained in computation and memory, which makes it difficult to add many security features: retrofitting new security capabilities consumes those resources and may slow the system down, violating the time-criticality requirement. A further concern is that introducing third-party security solutions into the SCADA architecture may conflict with the vendor's license agreement and so result in loss of vendor support for that equipment [10].

8. Maintaining the integrity of the SCADA system is of paramount importance. Unpatched software, for example, represents one of the greatest vulnerabilities to a system, yet the nature of a SCADA system makes it very hard to update software regularly. A number of steps must be carried out before an update can be applied: updates need thorough testing in an environment that emulates the industrial process system; backup systems can be configured to replace the primary systems during the update; and the update must be revalidated before it is deployed on the network. In some cases the operating system is no longer supported by the vendor, so patches are not available for such systems at all. The same considerations apply to firmware and hardware updates. Since every such change can compromise the integrity of the system, it must be managed through a change management process and thoroughly assessed by engineers with expertise in those areas before it is applied [10].

9. The lifetime of components used in SCADA systems is often in the order of 15-20 years, and the technology has been developed for very specific uses. When adding security features, care should therefore be taken to ensure they remain effective and supported over the entire operational lifetime of the components [10].

2.2 Threats To SCADA Network

There are a number of threats to the SCADA network that can be classified into the following

categories [10].

Attackers: These attackers break into the network not to cause deliberate harm but to explore their hacking capabilities. Attack scripts are freely available on the internet and can be used against the network, so even an attacker without significant knowledge or skill can do real damage. One or a few such people may do little harm, but harm becomes likely when a large number of people are involved, and because attack tools are readily available and have become so easy to use, they pose a significant threat to the SCADA network. They can cause brief disruptions of normal operation that result in serious damage [10].


Criminal Groups: The main motive of these groups is monetary gain. They can set up attacks that take over multiple systems and use them to coordinate further attacks and to distribute phishing schemes, spam and malware, leading to identity theft and online fraud. A number of organizations consisting of trained attackers have been formed to conduct industrial espionage, resulting in large-scale monetary theft [10].

Foreign intelligence services: The main motive of these organizations is to collect secret information. They use various cyber tools to carry out their spying activities and gather information. Several nations are developing information warfare doctrines, programs and capabilities, which can have a serious impact on the nation being attacked by disrupting communications and causing economic harm [10].

Insiders: Insiders are people who work in the SCADA environment and are in a position to cause harm. They can be employees, vendors or contractors, and they are a principal source of computer crime. Even without in-depth knowledge of the system, they have unrestricted access to it, which allows them to steal data and cause damage. Harm can also arise when system maintenance is outsourced to a third-party vendor whose staff have access to the systems: if their understanding of the system is incomplete, they can introduce malware into it accidentally. Impacts range from trivial to very severe [10].

Phishers, Spammers, Spyware/malware authors: Phishers try to steal identities or information that can be used to harm the network. Spammers distribute unsolicited email carrying hidden malicious code or false information. Viruses and worms that spread through the network and damage files and hard drives can have a very serious impact [10].

Terrorist Groups: These groups can cause harm on a scale that disrupts people's daily lives. They seek to destroy, incapacitate or exploit the network in order to threaten national security, cause deaths, weaken the economy and damage public morale and confidence. One of their strategies is to attack one system in order to divert attention, and then attack other systems that are not being watched at that time [10].


Chapter 3

MASTER TERMINAL UNIT AND REMOTE TERMINAL UNIT VULNERABILITIES AND

COUNTERMEASURES

3.1 Introduction

SCADA systems now work alongside the corporate environment, although they were originally designed to operate as isolated units. Control systems were designed primarily for efficiency, with security as a secondary concern. Another common practice among SCADA providers is remote access to perform routine maintenance. The SCADA communication protocols themselves were designed with minimal security features. Together, these design decisions and operating practices are the reasons for the security weakness of the SCADA system, and in a critical infrastructure they make it very susceptible to cyber attacks: adversaries can identify these vulnerabilities and execute attacks. The effects of such attacks and their consequences are discussed below [10].

Physical impacts: Physical impacts are the direct consequences of SCADA malfunction. The potential effects of paramount importance are personal injury or loss of life; others include loss of property (including data) and damage to the environment.

Economic impacts: Economic impacts follow from a physical impact caused by a cyber intrusion. The ripple effect of a physical impact can cause severe economic loss to the facility or the company, and the larger impact may be a negative effect on the local, national or even global economy.

Social impact: The consequence of physical and economic damage is loss of public and national confidence in the organization. This is generally overlooked, yet it is a very real target and one that can be achieved through cyber attacks. Social impacts may lead to heavily depressed public confidence or the rise of popular extremism.

Because of these prevalent security threats and the magnitude of their consequences, various organizations are studying and researching how to combat attacks on SCADA systems, with the further intention of making future SCADA systems more secure. The following sections discuss master terminal unit and remote terminal unit platform vulnerabilities, how these loopholes are introduced, and the effects of exploiting them.

3.2 Vulnerabilities In The SCADA System

Figure 3-1 shows the pattern of reported security vulnerabilities from 1995 to the first half of 2003. The exponential increase in vulnerabilities coincides with the period in which SCADA systems became far more accessible from the outside world [4].

Figure 3-1: Security Vulnerabilities Pattern [4]

Source: GAO analysis based on Carnegie-Mellon University's CERT Coordination Center data

A general misconception about the SCADA system is that "The SCADA system resides on a physically separate, standalone network." [11] Historically, most SCADA systems were built before the other components of the network and were separate from the rest of it, which has led IT managers to believe that these systems cannot be accessed from the corporate network or from a remote access point. Unfortunately, this belief is usually fallacious. In reality the SCADA network and the corporate network are more often than not bridged (Figure 1-3), due to recent changes in information management practices. The two changes that play the key role are discussed below.

The first change is the growing demand for remote access computing, which has encouraged many utilities to establish connections to the SCADA system that enable SCADA engineers to remotely monitor and control the system from points on the corporate network [11].

The second is information access in support of corporate decisions. Many utilities have allowed corporate connections to the SCADA systems because they make instant access to critical information and operational status easier for higher management and corporate decision-making processes [11].

The second false belief at large about the SCADA system is that "Connections between SCADA systems and other corporate networks are protected by strong access control." [11] Many of the interconnections between corporate networks and SCADA systems require the integration of systems with different communication standards, which results in an infrastructure engineered to move data successfully between two unique systems. The complexity of integrating disparate systems overshadows the need to address the security risks that accompany such network arrangements. As a result, the access controls designed to protect SCADA systems from unauthorized access through corporate networks are usually minimal, mainly because network managers often overlook key access points connecting the networks. Strategic use of internal firewalls and intrusion detection systems (IDS), coupled with strong password protection, is highly recommended [11].

The third misconception is that "SCADA systems require specialized knowledge, making it difficult for network intruders to access and control the SCADA system." [11] Behind this misconception is the assumption that intruders need in-depth knowledge of the SCADA design and implementation. That assumption is inappropriate in the current utility environment, which is highly interconnected and vulnerable to cyber attacks. Figure 3-2 below shows such a highly interconnected SCADA network.


Figure 3-2 : Interconnected SCADA Network [33]

Utility companies, being one of the key components of the nation's critical infrastructure, are a prime target for cyber terrorists rather than for disorganized hackers. Such attackers are highly motivated and well funded, and may very well have "insider" knowledge of the system. A well-equipped attacker whose sole intention is to disrupt the operation of the SCADA system will gain a detailed understanding of the SCADA system and its vulnerabilities by whatever means necessary.

The following sections list the various vulnerabilities of the SCADA system. Some are already present in SCADA systems while others are potential vulnerabilities. Table 3-1 lists them and shows whether each is already present in the system or is a potential vulnerability.


Vulnerability                               Potential / currently present in SCADA system
Public Information Availability             Present vulnerability
Policy and Procedure vulnerabilities        Potential vulnerability
Platform Configuration vulnerabilities      Potential vulnerability

Table 3-1: List Of Potential And Present Vulnerabilities In MTU And RTUs

3.2.1 Public Information Availability

Often, too much information about a utility company corporate network is easily available

through routine public queries. This information can be used to initiate a more focused attack

against the network [11]. Examples of this vulnerability are listed below:

Websites often provide data useful to network intruders about company structure, employee

names, e-mail addresses, and even corporate network system names

Domain name service (DNS) servers permit "zone transfers", providing IP addresses, server names and e-mail information

The availability of this infrastructure and vulnerability data was demonstrated, as reported in [4], by a George Mason University graduate student whose dissertation reportedly mapped every business and industrial sector in the American economy to the fiber optic network that connects them, using material that was publicly available on the Internet, none of it classified. Many of the electric utility officials interviewed for the National Security Telecommunications Advisory Committee's Information Assurance Task Force's Electric Power Risk Assessment expressed concern over the amount of information about their infrastructure that is readily available to the public.

In the electric power industry, open sources of information, such as product data and educational videotapes from engineering associations, can be used to understand the SCADA systems of the electrical grid. Other publicly available information, including filings with the Federal Energy Regulatory Commission (FERC), industry publications, maps and material available on the Internet, is sufficient to allow someone to identify the most heavily loaded transmission lines and the most critical substations in the power grid [11].

In addition, significant information on control systems is publicly available—including design

and maintenance documents, technical standards for the interconnection of control systems and

RTUs, and standards for communication among control devices—all of which could assist

hackers in understanding the systems and how to attack them. Moreover, there are numerous

former employees, vendors, support contractors, and other end users of the same equipment

worldwide with inside knowledge of the operation of control systems [11].

3.2.2 Policy And Procedure Vulnerabilities

Some of the potential vulnerabilities in SCADA systems discussed by NIST (National Institute of Standards and Technology) in its "Guide to Industrial Control Systems (ICS) Security" are listed below [10].

1. Inadequate security policy for the SCADA: Vulnerabilities are often introduced into SCADA systems through inadequate policies or the lack of policies specifically for control system security [10].


2. No specific or documented security procedures were developed from the security policy

for the SCADA: Specific security procedures should be developed and employees trained

for the SCADA. They are the roots of a sound security program [10].

3. Absent or deficient SCADA equipment implementation guidelines: Equipment implementation guidelines should be kept up to date and readily available. They are an integral part of the security procedures in the event of a SCADA malfunction [10].

4. Lack of administrative mechanisms for security enforcement: Staff responsible for

enforcing security should be held accountable for administering documented security

policies and procedures [10].

5. No formal SCADA security training and awareness program: A documented formal

security training and awareness program is designed to keep staff up to date on

organizational security policies and procedures as well as industry cyber security

standards and recommended practices. Without training on specific SCADA policies and

procedures, staff cannot be expected to maintain a secure SCADA environment [10].

6. Inadequate security architecture and design: Control engineers have historically had

minimal training in security and until relatively recently vendors have not included

security features in their products [10].


7. Few or no security audits on the SCADA: Independent security audits should review and

examine a system’s records and activities to determine the adequacy of system controls

and ensure compliance with established SCADA security policy and procedures. Audits

should also be used to detect breaches in SCADA security services and recommend

changes, which may include making existing security controls more robust and/or adding

new security controls [10].

8. No SCADA specific continuity of operations or disaster recovery plan (DRP): A DRP

should be prepared, tested and available in the event of a major hardware or software

failure or destruction of facilities. Lack of a specific DRP for the SCADA could lead to

extended downtimes and production loss [10].

9. Lack of SCADA-specific configuration change management: A process for controlling modifications to hardware, firmware, software and documentation should be implemented to ensure that a SCADA system is protected against inadequate or improper modifications before, during and after system implementation. A lack of configuration change management procedures can lead to security oversights, exposures and risks [10].

3.2.3 Platform Vulnerabilities

3.2.3.1 Platform Configuration Vulnerabilities

Earlier SCADA hardware, software and network protocols were proprietary and not publicly documented, which made it harder for hackers to attack the system because they lacked knowledge of it. Growing competition and the drive to perform better at lower cost have led organizations to move from proprietary systems to standardized technologies such as Microsoft Windows, UNIX operating systems and the common networking protocols used on the internet. As a consequence of using standardized solutions, the number of people with the knowledge to wage attacks has increased. The following is a list of vulnerabilities that could pose threats to the SCADA platform configuration [10].

3.2.3.1.1 Operating System Related Vulnerabilities

Since standard operating systems can be used off the shelf, they are a cost-effective choice for organizations. However, numerous vulnerabilities are associated with these standard operating systems, and the operating system must often be customized to meet the complexity of the SCADA system. Developing patches for the standard operating system that meet SCADA requirements can take a considerable amount of time, and while patch development is under way the SCADA system running the standard OS remains open to attack. The patches must go through exhaustive testing before they are deployed, or they will compromise the normal operation of the SCADA system. If critical configurations are not stored or backed up, the systems cannot be restored with the same secure configuration after an emergency or an outage [10].

3.2.3.1.2 Password Related Vulnerabilities

The common password vulnerabilities (some of which might not apply to SCADA) are lack of an adequate password policy, password disclosure and password guessing. A password policy defines when passwords must be used, how strong they must be and how they must be maintained. Password disclosure concerns keeping passwords confidential. Password guessing concerns the vulnerabilities introduced when poorly chosen passwords are used.

Some of these may be potential vulnerabilities in a SCADA system. For example, if systems do not have appropriate passwords, they could allow unauthorized access to the system.


Therefore a password policy is required. Some of the potential vulnerabilities in a SCADA system with respect to password disclosure are the use of unencrypted passwords and the sharing of passwords. The policy should make sure that passwords maintain their confidentiality [10].

Potential vulnerabilities can also be introduced into the system when passwords are poorly chosen, default passwords are used, and passwords are not changed over a period of time. Passwords must be implemented on all SCADA components, but at the same time it should be ensured that password authentication does not hamper emergency actions [10].

Some of the methods to combat these issues are the use of biometrics, which authenticate personnel by retinal scanning, fingerprint scanning, voice recognition, etc. If all these critical systems were kept in a secure enclosure equipped with cameras, video surveillance could track all the activities [10].

3.2.3.1.3 Access Control Related Vulnerabilities

Inadequately specified access control would result in a SCADA user having too many or too few privileges. The following exemplify each case. Consider a system that is configured with default access control settings; this gives any operator system administrative privileges. The second scenario would be an improperly configured system that leaves an operator with not enough access rights to take corrective actions during emergencies [10].

3.2.3.2 Platform Software Vulnerabilities

3.2.3.2.1 Denial Of Service

Cyber attacks that are based on denial of service (DoS) mechanisms, and others that spread due to viruses and worms by causing a traffic avalanche in short durations, can potentially bring down systems and cause a disruption of services; these are known as flood-based cyber attack types.


There is no well-known, fool-proof defense against such cyber attacks in the computing literature. Various effective ad-hoc solutions have been adopted on traditional computer networks. If the access links that connect the SCADA network to the Internet are swamped by heavy traffic caused by such attacks, it could prove disastrous, as the control and supervisory data (including alarms and IED data) flowing to the SCADA network could be lost in the network. The gateways or firewalls installed to monitor the incoming traffic could be overloaded by the large volumes of attack traffic. Thus the ability of the SCADA network to respond to actual failures can be significantly affected. Also, the traffic flood could contain malicious messages that could confuse the SCADA systems to a great extent [13].

3.2.3.2.2 Malware Protection Definitions Not Current And Implemented Without Exhaustive Testing

The presence of malicious software can result in system performance degradation, loss of vital data and dysfunctional system behavior [10]. The above issues can be avoided by the installation of anti-malware. But when this anti-virus software is outdated or not thoroughly tested, the same software can cause more damage than it prevents. The reason is that the same vulnerabilities are still present in the system, while at the same time the operator is given a false sense of security and is therefore kept unaware of the problem. The SCADA operator will remain confident that the anti-virus is operational and protecting the system.

3.3 Countermeasures For MTU And RTU Security Issues

As discussed in the previous section (specify section), the security issues in the master terminal

unit and remote stations lie mostly within the platform and policy. In this chapter we discuss

various ways to overcome these security issues.


3.3.1 Countermeasures For Policy And Procedure Vulnerabilities

Figure 3-3 shows the structure used to implement security policies and procedures. The structure encompasses all the security features that need to be covered in a security policy [12].

Figure 3-3: Basic Functions Of SCADA Security Policy [12]

Each block in the above chart and its functionality is described below. A detailed, documented list of the overall security architecture of a system is given in a security plan. Some areas covered in the security plan are policies and procedures for operational security, user and data authentication, backup policies, etc. The implementation guide details how the above security plans need to be implemented, where all the relevant areas are in the entire architecture, where it needs to be implemented, etc. Configuration management will include all the configuration details listed for every piece of equipment and all the relevant security policies that apply to them. Enforcement and auditing make sure that the security policies, plan and implementation for each piece of equipment are done correctly and also maintained correctly [12].

3.3.2 Regular Vulnerability Assessments


All the SCADA equipment has to be regularly assessed to check whether there are abnormal operations taking place. These assessments must be done on a regular basis and should be recurring. Along with the operational units, the other components of SCADA such as the corporate network, database servers and local desktop computers used for customer management should be assessed so that any unseen security gaps in the system can be overcome and protection increased [13].

3.3.3 Expert Information Security Architecture Design

There are best practices that can be used to overcome most of the security issues in the network. Also, a number of new technologies have been developed to combat vulnerabilities such as malware attacks and unauthorized access to systems. When these are installed into the system, the configuration should be such that there are no gaps. If they are not configured correctly, they will not help to solve the issue. If the solution selected is not relevant to the security issue that needs to be solved, it would be a wasted investment. In order to minimize these risks, utility companies must hire security experts who understand the architecture of the network and can propose solutions that exactly close the loophole and do not introduce new security issues [13].

3.3.4 Implement The Security Features Provided By Device And System Vendors

Older SCADA networks did not have many security features to protect the system. The utility companies which own the SCADA networks must ask the vendor to provide security patches to the existing system and also produce newer systems with enhanced security features. Also, factory default security settings should not be used because their intent is to provide excellent usability and only the minimum amount of security. When the default settings are being


changed and are not set to their maximum security limits, a thorough risk assessment must be done before those levels are fixed [13].

3.3.5 Establish Strong Controls Over Any Medium That Is Used As A Backdoor Into The

SCADA Network

Strong authentication must be implemented to ensure secure communications where backdoor vendor connections exist in the SCADA system. Modems, wireless and wired networks used for communications and maintenance represent a significant vulnerability to the SCADA network and remote sites. Sending false packets from the enterprise network can attack the SCADA system if the SCADA system does not authenticate the packets. It needs to check that a packet is from an authenticated source and only then process it [13]. Authentication methods such as challenge-response, hashing algorithms and digital signatures can be used. The various authentication methods for communication protocols are discussed in chapters 4 and 5.

3.3.6 Implement Internal And External Intrusion Detection Systems And Establish 24-hour-a-day

Incident Monitoring

When an abnormal sequence of events takes place on the SCADA network there must be some way to inform the network administrators about this activity. This can be done by using intrusion detection mechanisms in which events on the network are traced and recorded 24 hours a day. When a security incident takes place, whether from internal or external sources, there should be techniques and procedures to immediately respond to it based on the level of damage it can cause. To complement network monitoring, enable logging on all systems and audit system logs daily to detect suspicious activity as soon as possible [11].


3.3.7 Conduct Physical Security Surveys And Assess All Remote Sites Connected To The

SCADA Network

Automated systems in the SCADA network are most susceptible to attacks since they are unmanned and unguarded. An inventory of all access points and regular physical security checks will help to keep a check on any new security issues. Identify and assess any source of information, including remote telephone/computer network/fiber optic cables that could be tapped; radio and microwave links that are exploitable; computer terminals that could be accessed; and wireless local area network access points. Eliminate any points of failure. Prevent unauthorized access to the websites within the enterprise intranet since they provide access to the SCADA system [13].

3.3.8 Firewalls And Intrusion Detection System

Threats to the SCADA network can come from malicious attackers via the Internet and hence it is important to monitor the traffic that flows into it. It is important that firewalls and Intrusion Detection Systems (IDS) (figure 3-4) be installed at the various ingress points (gateways) of the SCADA network to identify malicious traffic before it is allowed to enter [14] [15]. This will filter out some of the attacks but not all. Hence a more rigorous scheme needs to be implemented to overcome the attacks that still manage to flow through. Viruses and worms could swamp the systems with huge volumes of attack traffic. Having only firewalls and IDS at entry points may not suffice. This leads to the concept of the electronic perimeter.


Figure 3-4: Firewall And Intrusion Detection System Implementation Between Enterprise And

SCADA Control System [15]

3.3.9 Electronic Perimeter

Traffic flowing from outside sources reaches the gateway, where a firewall restricts malicious packets and allows the rest to flow through. The traffic that flows through might still have some malicious packets which could harm the system. Beyond this gateway there is not much filtering that takes place, and hence it is important to define a broader electronic perimeter (figure 3-5) so that filtering takes place once before data reaches the gateway [14]. This perimeter can be formed by multiple intrusion detection systems installed over a wider area. Huge volumes of traffic can be handled by an extended perimeter, as it would be possible to stop the attacks further away from the SCADA network. This provides a number of advantages by providing an overlay


network in a more distributed and collaborative fashion. It also provides a barrier that allows only legitimate traffic through.

Figure 3-5: Electronic Perimeter Implementation In SCADA System [31]

3.3.10 Domain-Specific IDS

The above-mentioned methods, i.e. installation of intrusion detection systems and an electronic perimeter, form a baseline protection that establishes normal system behavior. In addition, a perspective on an intrusion can be developed by analyzing emerging characteristics. SCADA data can be analyzed in order to look for such patterns. To identify these patterns it is important to have some basic knowledge which is domain specific and also associated with the communication devices, in order to construct an IDS attack signature database. It would require intense analysis of the interconnected grid in order to identify the attack patterns, study them and then generate


signatures. Once this is achieved, the observed behavior needs to be correlated to detect potential intrusions and filter the attack traffic [14]. Hence an IDS with these signatures and the secure electronic perimeter can be made to work in a synchronized manner to combat the security issues posed by malware.

3.3.11 Creating Demilitarized Zones (DMZs)

Demilitarized zones created using firewalls can protect the SCADA network [33]. Multiple DMZs can be created to separate functionalities and access privileges such as peer-to-peer connections, the data historian, security servers, configuration servers, etc. Figure 3-6 below shows the creation of DMZs.

Figure 3-6: Demilitarized Zones Architecture [33]

All connections can be routed through firewalls, and administrators keep a diagram of the local area network and its connections to protected subnets, DMZs, the corporate network, and


the outside. Multiple demilitarized zones help protect against attacks such as virtual LAN hopping and trust exploitation, and bring in a better security posture [33].

3.3.12 Low Latency And High Integrity Security Solution Using Bump In The Wire

Technology For Legacy SCADA Systems

The legacy SCADA systems, deployed without security in mind, are vulnerable to sniffing and tampering today. The risk is increasing because security through obscurity is failing to protect these systems. Achieving security requires a solution which can be retrofitted into the legacy SCADA system. One such solution is “Yet Another SecurIty Retrofit” (YASIR), which is a bump-in-the-wire (BITW) solution for retrofitting security to time-critical communications in serial-based SCADA systems [32]. The goals are to provide high security and low latency, at comparable cost and using standard and patent-free tools.

Figure 3-7: Model For Bump In The Wire Approach [32]

In figure 3-7, the function of the device denoted S is applied to message M, which results in frame F. At the receiving end the function of the device denoted D is applied to the received message F’. The output of the SCADA device D is a message or an error. Device D takes a frame F’ as input and outputs an error if F’ fails to pass certain conformance checks such as random-error detection, or else the corresponding original message M. Ideally, i.e. without the


introduction of errors in the communication link, the output from SCADA device D would be D(F’) = D(F) = D(S(M)) = M.

The BITW solution adds two more modules, i.e. transmitter T and receiver R. The output from the transmitter over the insecure link is T(F) = F~. Receiver R is modeled as a function R that takes in a transformed frame F’~ and outputs either an error or the corresponding original frame F’ to be given to D. If no error was introduced into F~ then R(F’~) = R(F~) = R(T(F)) = F because F’~ = F~. This provides data authenticity and discards messages from replay attacks.

The design of the transmitter and receiver in the YASIR approach is as follows. The transmitter applies the encryption algorithm AES-CTR-128 to the frame F, thereby providing confidentiality and integrity for the message. Then a time stamp and a unique sequence number are appended to the message for data authenticity and freshness. This solution also provides low latency by using the AES-CTR algorithm. The transmitter relies on the stream nature of AES-CTR: as each byte of the frame F comes in, it applies the encryption. There is an internal counter which keeps a count of every 4 bytes in frame F. Once the whole message is received it applies the HMAC to the cipher text and the internal counter. An iterative HMAC function is used, which reduces the storage requirements and has lower latency [32]. The steps are shown below.

1. Input frame F = s||H||P||e, where s and e are special symbols indicating the start and end of the frame, H is the header and P is the payload.

2. CTXT = ENCRYPT_ek(ctrT, H||P), where ENCRYPT_ek is AES-CTR-128 keyed with ek and ctrT is the counter.

3. MAC = HMAC(ctrT||CTXT), where CTXT is the cipher text from step 2 and HMAC is HMAC-SHA-1-96.

4. SEQ = ctrT, where SEQ is the sequence number.


Therefore, there is not much delay except for the time needed to decode symbols and frame boundaries. The receiver design is as follows. The input frame is decrypted and the hash is calculated. The steps are:

1. MAC’ = HMAC(ctrR||CTXT’),

2. H’||P’ = ENCRYPT(ctrR, CTXT’),

3. If MAC’ = MAC then output the frame F’ = s||H’||P’||e and increment ctrR by 1.

4. If the calculated hash value does not match then report an error.
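The transmitter and receiver steps above, written out in Go with the standard library as an added example (this is not the YASIR authors' code and is not taken from [32]). Several details are assumptions of this example rather than facts from the text: the byte values of the delimiters s and e, the layout of the transformed frame F~ as s||CTXT||MAC||SEQ||e, deriving the 16-byte AES-CTR initial counter block from the frame counter, one counter increment per frame instead of per 4 bytes, and keys provisioned out of band. The time stamp mentioned in the text is left out. The receiver checks SEQ against its own ctrR and verifies the MAC under ctrR before decrypting, so a replayed or modified frame is discarded exactly as step 4 describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame delimiters s and e; the byte values are an assumption of this example.
const (
	FrameStart = 0x02 // s
	FrameEnd   = 0x03 // e
	macLen     = 12   // HMAC-SHA-1-96: the 20-byte SHA-1 tag truncated to 96 bits
	seqLen     = 4    // SEQ carries the 32-bit transmit counter ctrT
)

// YASIR is one bump-in-the-wire endpoint: the shared keys (assumed to be
// provisioned out of band) and the transmit and receive counters.
type YASIR struct {
	ek   []byte // 16-byte AES-128 key
	mk   []byte // HMAC key
	ctrT uint32 // transmitter counter
	ctrR uint32 // receiver counter
}

func NewYASIR(ek, mk []byte) *YASIR { return &YASIR{ek: ek, mk: mk} }

// aesCTR runs AES-CTR-128 keyed with ek. Deriving the 16-byte initial counter
// block from the frame counter is an assumption of this example. In CTR mode
// decryption is the same keystream XOR as encryption, which is why the
// receiver's step 2 also calls ENCRYPT.
func aesCTR(ek []byte, ctr uint32, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(ek)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv[12:], ctr)
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// mac computes HMAC-SHA-1-96 over ctr||CTXT (transmitter step 3).
func mac(mk []byte, ctr uint32, ctxt []byte) []byte {
	h := hmac.New(sha1.New, mk)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], ctr)
	h.Write(c[:])
	h.Write(ctxt)
	return h.Sum(nil)[:macLen]
}

// Transmit implements T: F = s||H||P||e  ->  F~ = s||CTXT||MAC||SEQ||e.
// The field order of F~ is assumed; the text lists the fields, not the layout.
func (y *YASIR) Transmit(frame []byte) ([]byte, error) {
	if len(frame) < 2 || frame[0] != FrameStart || frame[len(frame)-1] != FrameEnd {
		return nil, errors.New("input is not a delimited frame")
	}
	ctxt, err := aesCTR(y.ek, y.ctrT, frame[1:len(frame)-1]) // step 2: CTXT
	if err != nil {
		return nil, err
	}
	out := append([]byte{FrameStart}, ctxt...)
	out = append(out, mac(y.mk, y.ctrT, ctxt)...) // step 3: MAC
	var seq [seqLen]byte
	binary.BigEndian.PutUint32(seq[:], y.ctrT) // step 4: SEQ = ctrT
	out = append(append(out, seq[:]...), FrameEnd)
	y.ctrT++
	return out, nil
}

// Receive implements R: check the MAC under the local counter ctrR, decrypt,
// and return F' = s||H'||P'||e, or an error for a tampered or replayed frame.
func (y *YASIR) Receive(tf []byte) ([]byte, error) {
	if len(tf) < 2+macLen+seqLen || tf[0] != FrameStart || tf[len(tf)-1] != FrameEnd {
		return nil, errors.New("input is not a delimited frame")
	}
	body := tf[1 : len(tf)-1]
	n := len(body)
	ctxt, tag := body[:n-macLen-seqLen], body[n-macLen-seqLen:n-seqLen]
	if binary.BigEndian.Uint32(body[n-seqLen:]) != y.ctrR {
		return nil, errors.New("SEQ != ctrR: replayed or lost frame")
	}
	if !hmac.Equal(tag, mac(y.mk, y.ctrR, ctxt)) { // steps 1 and 3: MAC' = MAC?
		return nil, errors.New("MAC mismatch: frame discarded")
	}
	hp, err := aesCTR(y.ek, y.ctrR, ctxt) // step 2: H'||P'
	if err != nil {
		return nil, err
	}
	y.ctrR++ // step 3: frame accepted, advance the receive counter
	return append(append([]byte{FrameStart}, hp...), FrameEnd), nil
}

func main() {
	ek := bytes.Repeat([]byte{0x11}, 16) // constructed demo keys
	mk := []byte("constructed-hmac-key")
	tx, rx := NewYASIR(ek, mk), NewYASIR(ek, mk)
	frame := append(append([]byte{FrameStart}, "READ 40001"...), FrameEnd)
	wire, _ := tx.Transmit(frame)
	got, err := rx.Receive(wire)
	fmt.Printf("delivered %q err=%v\n", got, err)
	_, err = rx.Receive(wire) // the same bytes again, i.e. a replay
	fmt.Println("replay:", err)
}
```

Because the MAC is keyed over ctrT||CTXT and the receiver recomputes it with its own ctrR, a frame captured on the link and sent again fails the check once ctrR has moved on; the same check rejects a frame whose cipher text was altered in transit, and the frame is discarded before any of it reaches the SCADA device D.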

Figure 3-8 below describes the above steps with respect to latency. Shaded boxes indicate values computed by the YASIR components. As shown in the figure, at the receiver end the frame structures are different for type I and type II protocols. Type I protocols are those which do not have header information, like Modbus. Type II protocols are those which have header information [32].

Figure 3-8: (a) YASIR Transmitter (b) Communication Link (c) YASIR Receiver [32]


The above solution has to be tested in a real deployment of a SCADA system, and development of a cost-effective FPGA is underway [32].


Chapter 4

DISTRIBUTED NETWORK PROTOCOL 3 VULNERABILITIES AND

COUNTERMEASURES

4.1 Introduction To SCADA Communication Network

In this chapter we concentrate on how vulnerabilities are introduced into the SCADA architecture from the communication perspective. The MTU and RTU use communication media ranging from wired to wireless. The protocols used for these communications are discussed in this chapter. The protocol structures, the vulnerabilities present in the protocols and the countermeasures for each are discussed in chapters 4 and 5.

Development of the SCADA architecture dates back to the 1900s, when telemetry was introduced. Telemetry involves the transmission and collection of data obtained by real-time sensing applications. As discussed in the introduction chapter, the basic architecture of SCADA consists of transferring the data collected in the remote stations to the central processing station. The master computers (MTUs) present information such as meter readings and equipment status to human operators in a presentable form and allow the human operators to control the field equipment, or control devices automatically. The MTU initiates almost all communication with remote sites [16].

The master terminal units basically consisted of mainframe computers which would present the data to the human operators, who had to make the decisions on the next steps to carry out. The older SCADA networks were built to provide reliability and operability. Hence the MTU would send commands over a 1200 baud communication line and the function of the RTU was only to


execute the command, sense the new data and send it back to the MTU. The RTU units had no local intelligence and hence just served the master [16].

With the advent of new communication technologies and media, the slower communication channels in the older networks started to be replaced with the new technologies. Getting rid of the slower communication lines and making the RTU more intelligent increased the overall processing power of SCADA networks. The RTU was made more intelligent with the introduction of IEDs (intelligent electronic devices). IEDs are capable of autonomously executing simple logic processes without involving the master computer. Hence the RTU devices provide a number of functions locally, e.g. system protection (say, from power surges), local operation capabilities, and data gathering/concentration from other subsystems. Figure 4-1 gives an insight into the modern SCADA architecture [16].

Figure 4-1: Modern SCADA Communication Architecture [16]


The misconception of SCADA network managers that the SCADA system cannot be accessed via the corporate network was proved wrong with the introduction of the modern SCADA architecture. Figure 4-1 also shows that the field data (obtained using RTUs and IEDs) is transmitted over a wide range of communication lines and can even be accessed by SCADA users via a web browser. Communication between the various units in the architecture uses Ethernet or Internet technology. Hence they introduced the vulnerabilities which were inherent in desktop computers on corporate networks [16].

4.2 Some General Vulnerabilities In SCADA Network

The SCADA network infrastructure has been ever growing, with modifications introduced very often to satisfy business and operational requirements. During this time very little importance was given to the security gaps introduced into the network. If these gaps are not filled, they could expose the SCADA architecture to a number of attacks. It is important to have a network architecture design which can differentiate between, or segment, the corporate, Internet and SCADA networks. It should not be so weak that an attack on the Internet part of the architecture affects and hence compromises the SCADA network [16]. Some common architectural weaknesses are introduced when:

1. Web and email servers are not configured correctly and hence unnecessarily provide internal corporate access.

2. Firewall protection, intrusion detection systems and virtual private networks are not used when connecting to the networks of corporate partners.

3. Dial-up modem access is authorized unnecessarily and maintenance dial-ups often fail to implement corporate dial access policies.


When the SCADA system fails, there should be backup devices which can be used to restore the functions of SCADA. By bringing the system back into operation, system availability is not hampered and loss of data is prevented. There should be documentation of all these procedures so that it is easier to use the backup systems in case of failure of the primary systems in emergency situations [16].

There are a number of insecure connections in the SCADA network, e.g. ports used for maintenance of the SCADA system, examination of the SCADA system, obtaining remote access to the system, etc. Since these links are unprotected, with no authentication or encryption, they are highly susceptible to attacks and hence compromise the integrity of the data transmitted [16].

4.3 SCADA Communication Protocols

The SCADA systems are built using public or proprietary communication protocols which are

used for communicating between an MTU and one or more RTUs. The SCADA protocols

provide transmission specifications to interconnect substation computers, RTUs, IEDs, and the

master station. The two most common protocols used are:

DNP3 (Distributed Network Protocol version 3.0)

Modbus

4.4 DNP3 Protocol

4.4.1 Introduction To DNP3 Protocol

DNP3 or Distributed Network Protocol Version 3.3 is a telecommunications standard that defines

communications between master stations, remote telemetry units (RTUs) and other intelligent


electronic devices (IEDs). It was developed to achieve interoperability among systems in the electric utility industry [17].

DNP3 was created as a proprietary protocol by Harris Controls Division initially for use in the

electrical utility industry. In November 1993 the protocol was made available for use by third

parties by transferring its ownership to the DNP3 User Group. DNP3 was designed specifically

for SCADA (supervisory control and data acquisition) applications. These involve acquisition of

information and sending of control commands between physically separate computer devices. It

is designed to transmit relatively small packets of data in a reliable manner [17].

A key feature of the DNP3 protocol is that it is an open protocol standard and it is one that has

been adopted by a significant number of equipment manufacturers. The benefit of an open

standard is that it provides for interoperability between equipment from different manufacturers.

This means for example that a user can purchase system equipment such as a master station from

one manufacturer, and be able to add RTU equipment sourced from another manufacturer. The

RTU in turn may have a number of control relays connected to it which are intelligent electronic

devices and also use the DNP3 protocol. All of this equipment may be sourced from different

manufacturers, either in an initial installation, or progressively as the system is developed over

time [17].

The following list presents features of DNP3 that provide benefits to the user [17]:

Open standard

Interoperability between multi-vendor devices

A protocol that is supported by a large and increasing number of equipment

manufacturers

Layered architecture conforming to IEC enhanced performance architecture model

Optimized for reliable and efficient SCADA communications


Supported by comprehensive implementation testing standards

The ability to select from multiple vendors for future system expansion and modification

4.4.2 DNP3 Communication Modes

DNP3 supports three simple communication modes between a control center (master unit) and outstation devices [18].

1. Unicast transaction: the master sends a request to an addressed outstation device, and the outstation device responds with a reply message. For example, the master sends a read message, or a write message to perform a control operation. The remote station either replies with the newly read value or a negative acknowledgement for reads; for writes it is either an acknowledgement or a negative acknowledgement [18].

2. Broadcast transaction: the master sends out a common message to all the remote stations and does not expect a reply to this message. An example of this kind of message is a write message which sets a certain limit in all the outstation devices [18].

3. Unsolicited responses from the outstation devices are obtained on a periodic basis. These basically give the status information of the outstation device. They can also be used for alarming, i.e. when a certain limit is exceeded [18].

4.4.3 DNP3 Network Configurations

The DNP3 protocol supports a number of network configurations. Figure 4-2 below shows the most common configurations, described as follows [18]:

1. One-on-one configuration: here one master and one device share a single line connection. This is like a dedicated line between the two devices, e.g. a dial-up telephone line [18].


2. Multi-drop configuration: this is the most popular configuration, where one master connects to multiple outstations. Every outstation receives every request from the master, but each outstation only responds to messages addressed to it [18].

3. Hierarchical configuration: a device acts as an outstation in one segment and a master in another segment, and hence is a dual-purpose device, also called a sub-master [18].

Figure 4-2: DNP3 Network Configurations [18]

With the DNP3 protocol, which was based on the OSI model, these problems were overcome. DNP3 is designed to incorporate multiple protocol layers. A three-layer Enhanced Performance Architecture (EPA) was created by eliminating from the seven-layer OSI model the layers that are superfluous from the point of view of SCADA systems [17] [18]. But there was a drawback to this design: the application layer did not allow messages larger than the data link frame, and


hence a new layer called the pseudo transport layer was introduced, which overcame this issue.

Figure 4-3: Design Progression From OSI To DNP3 [18]

The DNP3 protocol layers are stacked on top of a physical layer, which is responsible for

transmitting messages over physical media such as radio, satellite, copper and fiber. The physical

layer specification determines the electrical settings, voltage and timing, along with other

properties necessary to send signals between devices. The physical layer provides five services:

(i) send data, (ii) receive data, (iii) connect, (iv) disconnect, and (v) status update. Note that the physical layer is shaded in the figure because it is not specified in the DNP3 standard [18].

DNP3 in the older SCADA networks was transmitted over serial links, but the more modern SCADA networks use IP. The three layers of the DNP3 protocol are placed over the TCP/IP layers in the protocol stack [18].

4.4.4 DNP3 Data Link Layer

The function of the data link layer is to maintain a reliable logical link between devices in order to transfer frames in an ordered fashion [18]. A data link packet consists of two parts: a 10-byte fixed header and a data payload section. The data payload is passed down by the two


layers above, i.e. the pseudo transport layer and the application layer. The length field gives the number of bytes in the rest of the frame other than the CRC. The maximum length of the data section without CRC is 250 bytes (282 bytes including the 16-bit CRC fields for every 16 bytes of data). Thus, the maximum length of a data link frame is 292 bytes [18].

The data link layer frame format is as described in the figure 4-4 below.

Figure 4-4: DNP3 Protocol Data Link Layer Frame Structure [18]

The header section begins with the start bytes, a fixed two-byte sequence (0x0564) that indicates the start of the frame; the receiver watches for this pattern and begins processing a new packet when it appears. Then comes the length field, which gives the number of bytes in the rest of the frame other than the CRC. The functions of the link control field are to provide sequencing of frames, control message flow, and help determine the function of the frame. The data in the link control field helps to determine whether the device is a master or an outstation and who initiated the transaction, and provides the logical link between the two devices. It also contains a 4-bit function code which specifies the purpose of the message. Different sets of function codes are used for messages originating from the master and messages originating from the outstation device. Examples of master function codes are reset remote link, reset user process, request link status and test function. Outstation device function codes include positive acknowledgement, message not accepted, status of link and no link service. The link control field also contains two flags for communication synchronization and flow control. The

Page 64: SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM

48

16-bit Destination Address in the data link header specifies the intended recipient (which may

include a broadcast address of 0xFFFF); the 16-bit Source Address identifies the originator. A 16-

bit CRC is also included in the header to verify the integrity of the transmission [18].
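The header layout just described can be checked before a frame is acted on. The following is an added example, not code from the thesis or from any DNP3 stack; beyond the text it assumes the standard DNP3 wire layout (addresses and CRC sent least-significant byte first, link-control byte with DIR in bit 7, PRM in bit 6 and the function code in bits 0-3) and the standard CRC-16/DNP parameters.

```python
"""Build and validate the 10-byte DNP3 data-link header described above.

Added example; not code from the thesis or from any DNP3 stack. Beyond the
text it assumes the standard DNP3 wire layout: addresses and CRC are sent
least-significant byte first, and the link-control byte carries DIR in
bit 7, PRM in bit 6 and the function code in bits 0-3.
"""
import struct

START_BYTES = b"\x05\x64"      # the fixed start value 0x0564; 0x05 is the first octet on the wire
DNP3_POLY_REFLECTED = 0xA6BC   # bit-reversed DNP3 CRC polynomial 0x3D65
MAX_USER_DATA = 250            # payload bytes without CRCs, per the text
BROADCAST_ADDRESS = 0xFFFF     # broadcast destination named in the text


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: reflected, initial value 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ DNP3_POLY_REFLECTED if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


# Function names from the text plus the standard user-data codes (3 and 4).
MASTER_FUNCTIONS = {0: "reset remote link", 1: "reset user process", 2: "test function",
                    3: "confirmed user data", 4: "unconfirmed user data",
                    9: "request link status"}
OUTSTATION_FUNCTIONS = {0: "positive acknowledgement", 1: "message not accepted",
                        11: "status of link", 15: "no link service"}


def build_header(user_data_len: int, control: int, dest: int, src: int) -> bytes:
    """Length counts control, destination and source (5 bytes) plus user data."""
    if not 0 <= user_data_len <= MAX_USER_DATA:
        raise ValueError("user data must be 0..250 bytes")
    body = START_BYTES + bytes([5 + user_data_len, control]) + struct.pack("<HH", dest, src)
    return body + struct.pack("<H", dnp3_crc(body))


def parse_header(frame: bytes) -> dict:
    """Check start bytes, length and header CRC, then decode the control byte."""
    if len(frame) < 10:
        raise ValueError("frame shorter than the 10-byte header")
    if frame[:2] != START_BYTES:
        raise ValueError("bad start bytes")
    length, control = frame[2], frame[3]
    dest, src, crc = struct.unpack("<HHH", frame[4:10])
    if dnp3_crc(frame[:8]) != crc:
        raise ValueError("header CRC mismatch")
    if length < 5:
        raise ValueError("length field smaller than control plus addresses")
    user_len = length - 5
    primary = bool(control & 0x40)          # PRM: frame initiated by the primary station
    code = control & 0x0F
    names = MASTER_FUNCTIONS if primary else OUTSTATION_FUNCTIONS
    return {
        "from_master": bool(control & 0x80),  # DIR bit
        "primary": primary,
        "function_code": code,
        "function": names.get(code, "unknown"),
        "dest": dest,
        "src": src,
        "user_data_len": user_len,
        # header + user data + one 2-byte CRC per started 16-byte block
        "expected_frame_len": 10 + user_len + 2 * ((user_len + 15) // 16),
    }


def header_concerns(info: dict, actual_frame_len: int) -> list:
    """What a monitor would log before the frame is acted on."""
    concerns = []
    if info["dest"] == BROADCAST_ADDRESS:
        concerns.append("broadcast destination")
    if info["primary"] and info["function_code"] == 1:
        concerns.append("reset user process requested")
    if actual_frame_len != info["expected_frame_len"]:
        concerns.append("length field disagrees with received frame size")
    return concerns
```

`parse_header` rejects a header whose CRC does not match before anything else is read from it, and `header_concerns` compares the length field against the size of the frame actually received, which is the check that catches a tampered length field.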

4.4.5 DNP3 Protocol Layer – Pseudo Transport Layer

The functions of the pseudo transport layer are fragmentation and reassembly. This allows the application layer to pass down frames larger than the data link layer can handle: the pseudo transport layer breaks each application layer frame into multiple frames. In the pseudo transport layer frame structure (Figure 4-5) there are two bytes indicating the start and end of a message; each is one byte long and they are called the FIR and FIN flags. A further byte carries the sequence number of the frame. The FIR and FIN flags indicate the first and final frames of a fragmented message, respectively. The sequence number, which is incremented for each successive frame, is used to reassemble messages for processing by the application layer. The sequencing information also facilitates the detection of dropped frames [18].

Figure 4-5: DNP3 Pseudo-Transport Message Fields [18]

4.4.6 DNP3 Protocol Layer – Application Layer

The main function of the application layer is to give each device its identity as a master or a slave, and to define the formats of DNP3 request and reply messages. When a request message is sent from the master to the outstation device to carry out a particular task, such as collecting some measurements, setting limits for a few devices or synchronizing the internal clock, the outstation carries out that command and sends back a reply. The layer also breaks a message into smaller packets when it exceeds the maximum fragment size, which is determined by the size of the receiver's buffer. Typical fragment sizes range from 2048 bytes to 4096 bytes [18].

Figure 4-6 shows the format of the application layer header. The application control field has the same function as its counterpart in the pseudo transport layer: it marks the first or last segment of a message and carries a sequence number for ordering and reassembly. It is needed because these packets are again broken into smaller packets in the pseudo transport layer. Another field requests a confirmation of receipt for a particular request. The function code field states the purpose of the message. It is present in both request and reply messages, but different function codes are used since the functionalities differ. There are a total of 23 defined function codes for request messages. They can be classified into the following categories: transfer functions, control functions, freeze functions, application control functions, configuration functions and time synchronization functions. The categories for reply messages are confirmation, response and unsolicited response. There are also two bytes of internal indications whose functions are to signal timing synchronization, device restart, function code not implemented or requested objects unknown. Following the header in a DNP3 application layer message are data objects that convey encoded representations of data. A number of data objects are defined so that the protocol can interface with various types of systems and communicate different types of variables like binary input, binary output, analog input and analog output [18].


Figure 4-6: DNP3 Application Message [18]

4.5 DNP3 Protocol Vulnerabilities And Attacks

An attack on DNP3 takes place by exploiting the specification, vendor implementations or weaknesses in the infrastructure using DNP3. Vendor implementations are exploited by attacking configuration errors in the system. Infrastructure attacks, which exploit loopholes in the policies and platform, are discussed in chapter two. Attacks on the protocol specification relate to the communication architecture and DNP3 structure and are discussed here. DNP3 was not designed with security in mind; rather, the focus was on reliable communication between the two end points. We give a detailed analysis of the protocol, including where the vulnerabilities are present and how they can be attacked. Attacks can take place on three targets, i.e. the master, the remote stations and the communication path, and can be carried out by intercepting, interrupting, modifying or fabricating data on those targets [18].

Figure 4-7 illustrates the various threat categories.


Figure 4-7: Threat Categories For DNP3 [18]

DNP3 messages do not implement any kind of protection measure such as authorization, authentication or encryption and hence are very vulnerable. Exploiting this loophole can mask the remote station's operations completely and also run malicious operations on it. Attacks that exploit these vulnerabilities and affect all three protocol layers are as follows.

1. The attacker captures messages, analyzes the network topology and device functionality, and obtains memory addresses from the packets. This kind of threat falls into the interception of data category; it can intercept master, remote station and network topology data [18].

2. The attacker studies the DNP3 traffic patterns and sends illicit responses to the master. He can also at the same time fabricate his own messages and send them to the remote station. A threat of this kind falls into a number of categories, i.e. fabrication, modification and interruption [18].

3. Another attack is the man in the middle attack, where a device is placed between the two end stations and reads and modifies the messages. This attack falls into all the threat categories of interruption, interception, modification and fabrication [18].

These attacks are common to all protocol layers and are hence generic. There are also attacks specific to each protocol layer that exploit its structure. Such attacks impact confidentiality by obtaining configuration data and network topology information. Integrity attacks insert erroneous data or reconfigure outstations. Attacks on availability cause outstation devices to lose key functionality or disrupt communications with the master [18].

Data link layer specific attacks are as follows.

4. The data link layer frame structure has a length field. If this length field is modified, message processing at the remote station is disturbed and the whole flow is confused. The threat categories into which this falls are interruption and modification [18].

5. The data link frame has a flag which indicates that the outstation device is busy and the request must be sent again at a later time. This flag can be modified so that it indicates that the outstation is free, in which case the master will bombard the remote station with multiple requests, causing denial of service. If it is set to busy, the master assumes that the remote station is busy, sends no messages, and the remote station is left idle. This is also a type of denial of service [18].

6. Function code 01 can be used to reset the user process. This restarts the remote station and makes it unavailable for a period of time. After the restart it might also be left in an inconsistent state. This attack mainly falls into the threat categories of interruption and modification [18].

7. Function code 14 or 15 can be used by an attacker to make the master believe that the service is either unavailable or not implemented in the system. Hence no requests are sent to the target device, which results in unavailability of the system [18].

8. The destination address of the packet can be altered so that the packet is either redirected or lost. If the packet reaches another system, it is an erroneous request there and gives wrong results. If the address is changed to a broadcast address, the packet reaches all the systems and can cause a complete failure of the system, which can be catastrophic. The threat categories of this kind of attack are modification, fabrication and interruption [18].

Pseudo transport layer specific attacks are as follows.

9. Attacks targeting this layer work only by modifying the flag fields and the sequence number. Modifying the flag fields basically interrupts the fragmented message. The FIR flag indicates the start of a sequence of fragmented messages, so if a packet is fabricated with another FIR flag and introduced into the flow, it disturbs the whole sequence and causes these packets to be dropped. If a message with the FIN flag is fabricated and introduced, it marks the end of the message and terminates the process, resulting in an incomplete message [18].

10. The transport of packets follows a sequence that is tracked with the sequence number. If a packet is obtained, the sequence number can be read. Since the sequence number is a simple increment, a message can be fabricated with the next sequence number and injected into the flow. This message might cause processing errors at the master or the outstation. The threat categories into which these vulnerabilities fall are interruption, modification and fabrication [18].
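The fragmentation described in section 4.4.5 and the two pseudo transport attacks above both turn on how a receiver treats the FIR and FIN flags and the sequence number. The block below is an added example, not the thesis's code or any DNP3 stack's; it assumes the standard one-octet transport header (FIN in bit 7, FIR in bit 6, a 6-bit sequence number in bits 0-5) and at most 249 payload octets per segment so that header plus payload fit the 250-byte link payload from section 4.4.4. The reassembler reports a spurious FIR (attack 9) and a sequence gap (attack 10 or a dropped frame) instead of silently accepting them.

```python
"""Fragment and reassemble DNP3 pseudo-transport segments.

Added example, not code from the thesis. Assumes the standard one-octet
transport header: FIN bit 7, FIR bit 6, 6-bit sequence number; payload
per segment limited to 249 octets (250-byte link payload minus the header).
"""
FIN, FIR, SEQ_MASK = 0x80, 0x40, 0x3F
MAX_SEGMENT_PAYLOAD = 249


def fragment(app_fragment: bytes, first_seq: int = 0) -> list:
    """Split one application-layer fragment into transport segments."""
    chunks = [app_fragment[i:i + MAX_SEGMENT_PAYLOAD]
              for i in range(0, len(app_fragment), MAX_SEGMENT_PAYLOAD)] or [b""]
    segments = []
    for n, chunk in enumerate(chunks):
        header = (first_seq + n) & SEQ_MASK   # sequence number wraps at 63
        if n == 0:
            header |= FIR
        if n == len(chunks) - 1:
            header |= FIN
        segments.append(bytes([header]) + chunk)
    return segments


class Reassembler:
    """Rebuilds application fragments and reports anything that breaks the sequence."""

    def __init__(self):
        self.buffer = None        # bytes of the message being assembled, or None
        self.expected_seq = None

    def feed(self, segment: bytes):
        """Return (event, message); message is set only when a fragment completes."""
        header, payload = segment[0], segment[1:]
        fin, fir, seq = bool(header & FIN), bool(header & FIR), header & SEQ_MASK
        event = "ok"
        if fir:
            if self.buffer is not None:
                # a FIR in mid-message discards the partial message (attack 9)
                event = "unexpected FIR, partial message discarded"
            self.buffer = bytearray()
        elif self.buffer is None:
            return "segment without FIR dropped", None
        elif seq != self.expected_seq:
            # a fabricated or missing segment shows up as a gap (attack 10)
            self.buffer = None
            return ("sequence gap (expected %d, got %d), message discarded"
                    % (self.expected_seq, seq)), None
        self.buffer += payload
        self.expected_seq = (seq + 1) & SEQ_MASK
        if fin:
            message, self.buffer = bytes(self.buffer), None
            return event, message
        return event, None


def reassemble(segments: list):
    """Feed segments in order; return (completed messages, non-ok events)."""
    reassembler = Reassembler()
    messages, events = [], []
    for segment in segments:
        event, message = reassembler.feed(segment)
        if event != "ok":
            events.append(event)
        if message is not None:
            messages.append(message)
    return messages, events
```

The events list is what an intrusion sensor would feed into its alerting; a monitor that only passes complete messages upward never sees the injected segments, which is why the reassembler names them explicitly.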

Application layer specific attacks are as follows.

11. A message with function code 02, which writes data into the target outstation device, is fabricated and sent. This writes data and corrupts the system. It could cause a complete breakdown of the remote station's memory, since it then contains erroneous data. The threat categories are interruption and modification [18].

12. A message with function code 9 or 10 is sent, which clears all the data in the remote station. This can cause loss of critical data, malfunction or crashing of the system. The message with function code 10 is hard to detect because it does not require an acknowledgement [18].

13. A data packet with function code 15 can be sent, which reinitializes all the data in the remote station's memory and hence brings the system to an inconsistent state. This results in a dysfunctional system. The threat categories into which this attack falls are interruption and modification [18].

14. A data packet could be sent with function code 18, which terminates the functions on the remote station. This makes the system unresponsive and hence amounts to denial of service [18].

15. There is a two-byte field in the application layer packet called the internal indications (IIN). When the fifth bit in the second byte of the IIN is set, it indicates that the configuration file of the targeted outstation is corrupted. This causes the master to build a new configuration file and send it again to the remote station. This configuration file can be intercepted and modified, and the corrupted file uploaded into the target, which then functions incorrectly [18].

The above 15 attacks have very severe impacts on the system. The attacks result in denial of service, and the insertion of erroneous data affects the integrity of the system. The most alarming attacks are those which spoof the master and seize partial or complete control of the master station, and hence can cause complete havoc. Confidentiality of the data is lost when the device configuration is obtained by the attacker. The attacker could also trip a circuit breaker in the remote station without the master station being aware of it, which could cause serious problems if the alarm doesn't go off [18].
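Attacks 11-15 above are all visible in the application header: a handful of function codes and two IIN bits. The following is an added example, not from the thesis, of a screen that a monitor could run over application fragments before they reach the outstation or the master. It assumes the standard application header (a control octet with FIR, FIN, CON bits and a 4-bit sequence number, a function code octet, and in responses with codes 129/130 the two IIN octets); the function-code names are the standard DNP3 ones and the sample traffic is constructed.

```python
"""Screen DNP3 application-layer headers for the function codes and internal
indication bits that attacks 11-15 rely on.

Added example, not from the thesis. Assumes the standard application header:
control octet, function code octet, and for responses (129/130) IIN1 and IIN2.
"""
APP_FUNCTIONS = {
    0: "CONFIRM", 1: "READ", 2: "WRITE", 9: "FREEZE_CLEAR", 10: "FREEZE_CLEAR_NO_ACK",
    13: "COLD_RESTART", 14: "WARM_RESTART", 15: "INITIALIZE_DATA", 18: "STOP_APPLICATION",
    129: "RESPONSE", 130: "UNSOLICITED_RESPONSE",
}
CRITICAL_REQUESTS = {2, 9, 10, 15, 18}   # the codes items 11-14 single out
NO_ACK_VARIANTS = {10}                   # item 12: no acknowledgement, so no response betrays it
IIN1_DEVICE_RESTART = 0x80               # bit 7 of the first IIN octet
IIN2_CONFIG_CORRUPT = 0x20               # item 15: bit 5 of the second IIN octet


def parse_app_header(fragment: bytes) -> dict:
    """Decode control and function code; responses also carry IIN1/IIN2."""
    if len(fragment) < 2:
        raise ValueError("fragment too short for an application header")
    control, function = fragment[0], fragment[1]
    info = {
        "function_code": function,
        "function": APP_FUNCTIONS.get(function, "OTHER"),
        "first": bool(control & 0x80), "final": bool(control & 0x40),
        "confirm_requested": bool(control & 0x20), "seq": control & 0x0F,
        "is_response": function >= 0x80,
    }
    if info["is_response"]:
        if len(fragment) < 4:
            raise ValueError("response without internal indications")
        info["iin1"], info["iin2"] = fragment[2], fragment[3]
    return info


def screen(traffic: list) -> list:
    """traffic is a list of (direction, fragment); returns (index, alert) pairs."""
    alerts = []
    for i, (direction, fragment) in enumerate(traffic):
        info = parse_app_header(fragment)
        if direction == "to_outstation":
            if info["function_code"] in CRITICAL_REQUESTS:
                alerts.append((i, "critical request " + info["function"]))
            if info["function_code"] in NO_ACK_VARIANTS:
                alerts.append((i, "no-acknowledgement variant, expect no response"))
        elif info["is_response"]:
            if info["iin2"] & IIN2_CONFIG_CORRUPT:
                alerts.append((i, "outstation reports corrupt configuration"))
            if info["iin1"] & IIN1_DEVICE_RESTART:
                alerts.append((i, "outstation reports device restart"))
    return alerts


# Constructed sample exchange: one read, one clean response, two disruptive
# requests, then a response whose IIN bits show restart and corrupt config.
SAMPLE_TRAFFIC = [
    ("to_outstation", bytes([0xC0, 0x01])),
    ("to_master", bytes([0xC0, 0x81, 0x00, 0x00])),
    ("to_outstation", bytes([0xC1, 0x0A])),
    ("to_outstation", bytes([0xC2, 0x12])),
    ("to_master", bytes([0xC3, 0x81, 0x80, 0x20])),
]
```

A screen like this is only a flag, not a verdict: a legitimate master issues restarts and freeze-clears too, so each alert needs correlating with the operator's own command log, which is what Secure DNP3 in section 4.6.3 replaces with authentication of exactly these critical codes.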

4.6 Countermeasures For Enhancing DNP3 Security

In order to combat the above attacks, solutions must be developed which make the protocol more usable and hence provide reliability of the transmitted data as well as protection of that data. In this section we discuss the various solutions that have been proposed [16] [19] [20] and how they overcome the vulnerabilities in the system.

The security approaches are divided into three categories:

1) Solutions that wrap the DNP3 protocols without making changes to the protocols,

2) Solutions that alter the DNP3 protocols fundamentally, and

3) Enhancements to the DNP3 application.

The solutions that wrap the protocols include SSL/TLS and IPSec, which provide a quick and low-cost security enhancement. The solutions that require altering the DNP3 protocols tend to be more time-consuming and expensive to implement but provide better end-to-end security (more application-specific security).

4.6.1 Solutions That Wrap The DNP3 Protocols Without Making Changes To The Protocols


4.6.1.1 SSL/TLS Solution

The Secure Sockets Layer (SSL) / Transport Layer Security (TLS) solution has been used over the internet to provide secure communication over TCP/IP. It provides mutual authentication between the two end points, preserves the integrity of the data using digital signatures, and provides privacy via encryption. It prevents man in the middle attacks and replay attacks. Wrapping DNP3 with SSL/TLS has some advantages: it provides complete security at the protocol-level implementation, it is a fast, effective and straightforward implementation, and it is a security standard for communication protocols. It also has some limitations: it can only run on a reliable TCP infrastructure, it adds some performance cost, it cannot provide a non-repudiation service, it provides only channel security, it relies completely on the encryption and signature algorithms, and it does not provide end-to-end security. End-to-end security is not provided because there are a number of protocol layers before the SSL/TLS layer. These limitations hence allow attacks based on traffic analysis, and the solution cannot prevent connection resets since it is implemented at a very low level of the protocol stack [19].

In order to exploit its security advantages, the implementation can be done using OpenSSL. OpenSSL is non-proprietary, open to the public and available free of charge. Because it is used by a heterogeneous set of customers, if vulnerabilities are found, what is learned can easily be extended to the SCADA architecture as well. The only disadvantage is that, since it does not provide accountability, malicious code can be easily added. Figure 4-8 gives the protocol stack where this solution is applied [19].

Figure 4-8: Protocol Stack (Gray-background protocols are secured alternatives) [19]


4.6.1.2 IPSec (secure IP) Solution

Instead of providing security at the TCP level, security can be provided at the IP level using the IPSec solution [19]. Since this is placed at a lower level in the stack, it not only protects the IP traffic but in turn protects the TCP traffic as well (see Figure 4-8). The TCP-level SSL/TLS solution could not protect against denial of service or connection reset attacks since it is placed at a layer above TCP. The IPSec solution prevents the entry of arbitrary packets as well as connection resets, because the connection is established only after the packets are inside the secured network layer. IPSec provides security for all the traffic since it is placed at the lowest level. This solution has some limitations: it is more sensitive to interference by intermediate devices in the communication path, and it is less flexible in terms of the security provided, since it does not provide application-specific security but simply encrypts every packet and sends it irrespective of its application [19].

4.6.2 Enhancements To DNP3 Applications

The SSL/TLS and IPSec solutions fall short in providing end-to-end security. Therefore cryptographic techniques can be used in order to provide this level of security. The DNP3 user group researched two cryptographic techniques and tested them on a prototype, which is presented here [16].

1. Authentication Octets: This is a digital signature based algorithm. Additional bytes, called authentication octets, are added to the packets which flow from the master to the remote station. The purpose of adding these bytes is to authenticate the source. Figure 4-9 gives a schematic of how this algorithm is implemented. The authentication octets appended to the message are encrypted using the master's private key. Since the whole message is not encrypted, processing power is saved. The private and public keys in this algorithm are assumed to have been distributed and stored locally, and hence there is no need for a certificate authority. The message is also time stamped to avoid replay attacks: the RTU verifies that the time of reception does not differ from the time of transmission by more than a specified range. At the RTU the authentication octets are decrypted with the public key and compared with the hash digest calculated separately by the remote station. If they match, the data was not modified in transit. The decryption step makes sure that the message is from an authentic source. This method does not protect against eavesdropping, but in a SCADA network the requirement of better authentication takes priority over protection from eavesdropping [16].

Figure 4-9: Authentication Using Authentication Octets [16]

2. Authentication via challenge response: In order to overcome the man in the middle attack, the master and remote station use challenge-response cryptography. In this technique both devices have a shared key. The device which starts the communication issues a challenge to authenticate the other device. A challenge consists of a random number generated at the MTU and sent to the RTU. The RTU encrypts this random number with the shared key and sends the resulting message to the MTU. The MTU decrypts it using the shared key and checks whether the decrypted result is the same as the random number it originally generated. If it matches, the RTU has authenticated itself to the MTU; otherwise the MTU terminates the connection. In order to verify authenticity after the connection is established, e.g. when it receives a critical command such as a shutdown or when values are out of the typical range, the RTU can in turn send a challenge to the MTU [16].

The above two solutions were implemented and tested [16] on a testbed at the University of Louisville; the testbed consisted of one master and 5 remote stations. 4 of the remote stations were connected to the RTU through Ethernet while the 5th station was connected wirelessly. Snort intrusion detection sensors analyze the communication to extract relevant information and alert the administrator of unauthorized intrusions. The results are shown in Table 4-1. Though authentication octets and challenge response take comparatively more time, they also provide enhanced security features.

Security approach                                  | Total communication time (in milliseconds)

No Security                                        | 325

With SSL/TLS                                       | 373

With authentication octets (software encryption)   | 2146

With authentication octets (hardware encryption)   | 764

Challenge response                                 | 446

Table 4-1: Comparison Of Security Approaches


4.6.3 Secure DNP3

The DNP user group started working on Secure DNP3 in 2002. Secure DNP3 adds authentication and integrity protection to the existing DNP3 protocol [21] [22]. It modifies the application layer protocol and is bidirectional. Because of these features it can be implemented on any kind of communication medium, like TCP/IP, serial links etc. The protocol defines 4 scenarios in which authentication is performed.

1. Session initialization: When a session is started, both end stations are authenticated to prevent spoofing and replay attacks. A unique session key is generated and exchanged using the pre-shared keys [21].

2. Periodic Authentication: The master and remote stations periodically verify each other's identity and authenticate each other, at a minimum interval of 20 minutes and a maximum of 60 minutes. A new unique session key is generated and exchanged while performing periodic updates [21].

3. Requests with Critical Function Codes: Because attackers generally use the critical function codes to bring down the system, authentication mechanisms are applied before responding to critical functions [21].

There are two modes or ways of authentication [22]. These are:

Challenge-Response Mode

Aggressive Mode

Challenge Response Mode: This method of authentication is the same as authentication via challenge response discussed in section 4.6.2. Figure 4-10 below gives the schematic of this method. The figure describes the action taken by the remote station when a message with a critical function code is received. Before processing the request it first poses a challenge to the MTU to authenticate itself. Once that succeeds it processes the request [22].

Figure 4-10: Message Sequence In Challenge-Response Mode [22]

Aggressive mode: The above method takes a number of steps to authenticate and is hence time consuming. In the aggressive method the random number is attached to the message along with the critical function code and sent to the destination for authentication. The destination performs the same process as above and authenticates the sender, thereby saving time. There is a risk of replay attacks, but this can be eliminated if external replay protection is provided [22]. The schematic of this algorithm is shown in Figure 4-11 below.

Figure 4-11: Message Flow In Aggressive Mode [22]
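The challenge-response exchange of section 4.6.2 (item 2) and the two Secure DNP3 modes above can be shown with both sides' messages. The block below is an added example, not the DNP3 user group's code. Where the text says the random number is encrypted with the shared key, it computes an HMAC-SHA-256 over a challenge sequence number (CSQ), the random challenge and the request itself, so the reply is bound to the command it authorises; the aggressive mode reuses the most recent challenge with an advanced CSQ, which is the external replay protection the text says that mode needs. Message layouts, the critical-code set and the key are constructed.

```python
"""Challenge-response and aggressive-mode authentication of a critical request.

Added example, not the DNP3 user group's code. Uses HMAC-SHA-256 over
(CSQ, challenge, request) in place of the text's "encrypt the random number".
"""
import hashlib
import hmac
import os

CRITICAL_CODES = {2, 9, 10, 13, 14, 15, 18}   # function codes that trigger a challenge


def auth_tag(key: bytes, csq: int, nonce: bytes, request: bytes) -> bytes:
    return hmac.new(key, csq.to_bytes(4, "big") + nonce + request, hashlib.sha256).digest()


class Outstation:
    def __init__(self, key: bytes):
        self.key = key
        self.csq = 0            # highest challenge sequence number issued or accepted
        self.last_nonce = None  # challenge value the aggressive mode must chain from
        self.pending = None     # (csq, nonce, request) awaiting the master's reply

    def receive(self, request: bytes):
        """Execute non-critical requests; answer critical ones with a challenge."""
        function = request[1]
        if function not in CRITICAL_CODES:
            return ("executed", function)
        self.csq += 1
        self.last_nonce = os.urandom(4)
        self.pending = (self.csq, self.last_nonce, request)
        return ("challenge", self.csq, self.last_nonce)

    def reply(self, csq: int, tag: bytes):
        """Challenge mode: verify the master's reply, then execute the held request."""
        if self.pending is None or csq != self.pending[0]:
            return ("error", "no matching challenge")
        csq, nonce, request = self.pending
        self.pending = None
        if not hmac.compare_digest(auth_tag(self.key, csq, nonce, request), tag):
            return ("error", "authentication failed")
        return ("executed", request[1])

    def receive_aggressive(self, csq: int, request: bytes, tag: bytes):
        """Aggressive mode: request, CSQ and tag arrive together; CSQ must advance."""
        if self.last_nonce is None:
            return ("error", "no prior challenge to chain from")
        if csq <= self.csq:
            return ("error", "replayed or stale CSQ")   # the replay protection
        if not hmac.compare_digest(auth_tag(self.key, csq, self.last_nonce, request), tag):
            return ("error", "authentication failed")
        self.csq = csq
        return ("executed", request[1])


class Master:
    def __init__(self, key: bytes):
        self.key = key
        self.last_challenge = None   # (csq, nonce) of the most recent challenge answered

    def answer(self, csq: int, nonce: bytes, request: bytes) -> bytes:
        self.last_challenge = (csq, nonce)
        return auth_tag(self.key, csq, nonce, request)

    def aggressive(self, request: bytes):
        """Send request plus tag directly, chained from the last challenge."""
        if self.last_challenge is None:
            raise RuntimeError("aggressive mode needs a previous challenge")
        csq, nonce = self.last_challenge
        csq += 1
        self.last_challenge = (csq, nonce)
        return csq, auth_tag(self.key, csq, nonce, request)


def send_challenge_mode(master: Master, outstation: Outstation, request: bytes):
    """Full exchange: request -> challenge -> reply -> execution or error."""
    outcome = outstation.receive(request)
    if outcome[0] == "challenge":
        _, csq, nonce = outcome
        outcome = outstation.reply(csq, master.answer(csq, nonce, request))
    return outcome
```

The aggressive mode only works while the master has answered the outstation's most recent challenge; if some other party provoked a challenge in between, the master's chained CSQ and nonce no longer match and it must fall back to the full challenge-response exchange.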


One of the key steps in the above two methods is the sharing of the preliminary session key. Secure DNP3 defines two ways to do it, i.e. manual distribution and generating fresh session keys periodically over the entire session. A set of new function codes must be defined in order to support the above two methods [22]. These are listed below.

Function Code | Type of Function

32            | Authentication Request

33            | Authentication Reply

34            | Authentication Error

131           | Authentication Challenge

132           | Unsolicited Authentication Challenge

Table 4-2: New Function Codes Introduced To Support The Secure DNP3 Protocol

4.6.4 Distributed Network Protocol Version 3 Security (DNPSec) Framework

This method of securing DNP3 makes some modifications to the protocol structure. The key exchange in this framework is done during installation and connection setup between master and remote station. The functionalities that this framework provides are verification of the origin of the frame, assurance that the frame was not modified on its path in transit, replay protection, and protection from eavesdropping by encryption. The 32 CRC bytes (282 bytes of data section with CRC minus 250 bytes of plain data) used in the pseudo transport layer are redefined in this framework [20].

Figure 4-12 below shows the new frame format for DNPSec [20].


Figure 4-12: DNPSec Protocol Structure [20]

The protocol structure has a new header which is 4 bytes long. It contains the destination address, the MH flag bit, which indicates whether the packet is from the primary host or from the secondary host, the SK flag bit, which indicates whether this is a new session key for the destination or the packet must be decrypted with the old session key, and another 14 bits which are reserved [20].

The sequence number indicates the order of the message. It increments with every packet the master sends and cycles back at 2^32-1. When a new session key needs to be established, the present session must be terminated and a new frame with sequence number 0 and the new session key must be sent. DNPSec maintains a session key lifetime period to keep track of the life span of a particular session key [20].

The original link header and payload are protected by encryption (excluding the CRC). This is a 264-byte field containing 8 link protocol data unit header bytes, 250 Transport Protocol Data Unit bytes, and 6 padding dummy bytes [20].

The authentication data field contains the integrity check value (ICV). This value is calculated over the sequence number field, the original LH field and the payload data fields. The function of this field is to provide integrity services, and it is computed using a message authentication algorithm such as HMAC-MD5-96 or HMAC-SHA-1-96. The steps for evaluation and comparison must be given in the integrity algorithm specification [20].

Key management operations take place in 3 specific scenarios: first when the session is being established, second when a timeout has taken place, and third when a new session key is generated and the sequence number is restarted. The master maintains a secure database with all the shared keys. There are 4 fields in the database: destination address, session key, the time duration for which the key needs to stay alive, and the key sequence number. The destination has to maintain two keys, one for the primary host and another for the secondary host [20]. The key management is shown in Figure 4-13.

Figure 4-13: DNPSec Request/Response Link Communications [20]
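The two DNPSec mechanisms described above, the sequence number for replay detection and the ICV for integrity, can be exercised end to end. The block below is an added example, not the DNPSec authors' code. The header layout (16-bit destination, MH and SK flag bits with 14 reserved bits, 32-bit sequence number) and the field order are assumptions drawn from the text; payload encryption is omitted so that only the standard library is needed, and the session key is handed to the receiver out of band, as the text says key exchange happens at installation or connection setup. The ICV is HMAC-SHA-1-96, one of the two algorithms the text names.

```python
"""DNPSec-style frame protection: 32-bit sequence number plus a 96-bit ICV
computed with HMAC-SHA-1 over the sequence number, link header and payload.

Added example, not the DNPSec authors' code. Header layout and field order
are assumptions from the text; encryption is left out.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12            # HMAC-SHA-1-96: first 96 bits of the HMAC-SHA-1 output
SEQ_MAX = 2 ** 32 - 1   # sequence number wraps here; a new key restarts it at 0
MH_FLAG, SK_FLAG = 0x8000, 0x4000


def icv(key: bytes, seq: int, protected: bytes) -> bytes:
    return hmac.new(key, struct.pack(">I", seq) + protected, hashlib.sha1).digest()[:ICV_LEN]


def protect(key, dest, seq, link_header, payload, from_primary=True, new_key=False) -> bytes:
    """Wrap one link frame (minus its CRCs) into a DNPSec-style frame."""
    if not 0 <= seq <= SEQ_MAX:
        raise ValueError("sequence number out of range")
    flags = (MH_FLAG if from_primary else 0) | (SK_FLAG if new_key else 0)
    body = link_header + payload
    return struct.pack(">HHI", dest, flags, seq) + body + icv(key, seq, body)


class Receiver:
    """Verifies the ICV and enforces strictly increasing sequence numbers per key."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1         # nothing accepted yet, so sequence 0 is acceptable
        self.expect_new_key = False

    def rekey(self, key: bytes):
        """Install a new session key; the next frame must carry SK and sequence 0."""
        self.key = key
        self.last_seq = -1
        self.expect_new_key = True

    def verify(self, frame: bytes):
        if len(frame) < 8 + ICV_LEN:
            return ("reject", "truncated frame")
        dest, flags, seq = struct.unpack(">HHI", frame[:8])
        body, tag = frame[8:-ICV_LEN], frame[-ICV_LEN:]
        if not hmac.compare_digest(icv(self.key, seq, body), tag):
            return ("reject", "bad ICV")            # forged, or modified in transit
        if self.expect_new_key:
            if not (flags & SK_FLAG) or seq != 0:
                return ("reject", "new key must start with SK flag and sequence 0")
            self.expect_new_key = False
        elif seq <= self.last_seq:
            return ("reject", "replayed or out-of-order sequence number")
        self.last_seq = seq
        return ("accept", {"dest": dest, "from_primary": bool(flags & MH_FLAG),
                           "seq": seq, "body": body})
```

The ICV is checked before the sequence number so that an attacker cannot move the receiver's replay window by sending unauthenticated frames with large sequence numbers; the order of those two checks is the part of a DNPSec-style verifier most worth getting right.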


4.7 Comparison Of DNP3 Countermeasures

SCADA/DNP3 Security Solutions | Advantages | Disadvantages

Wrapping DNP3 frame with SSL/TLS | The IEC Technical Committee has accepted SSL/TLS as part of a security standard for their communication protocol; freely available for all common OS; relatively mature | Runs only on a reliable transport protocol (TCP and not UDP); high performance cost; no non-repudiation services; can't protect data before it is sent or after it arrives at its destination; implementation of the protocol requires understanding of the application, OS and its specific system calls; CAs are rather expensive and not really compatible with each other

Wrapping DNP3 frame with IPSec | Protection against DoS; implemented by operating systems, routers, etc.; transparent to applications (below transport layer); no need to upgrade applications | Very complex and hard to implement; higher performance cost; all devices shall support TCP and UDP communications on port number 20000

DNPSec | End-to-end security at the application level to support any communication link; protocol is simple, eliminating the complexity of the key exchange and management issues; implement it once for all communication networks | Requires some modification to the DNP3 Data Link Layer; theoretical approach, needs proof of concept (ongoing work)


Chapter 5

MODBUS PROTOCOL VULNERABILITIES AND COUNTERMEASURES

5.1 Introduction To Modbus Protocol

The Modbus protocol was developed specifically for SCADA and has become the de facto industrial standard. Many vendors use this protocol to develop systems and produce equipment [23]. Figure 5-1 below gives the Modbus protocol stack in comparison with the 7 layers of the OSI model.

Figure 5-1: Modbus Protocol And ISO/OSI Model Comparison [23]

MODBUS is an application layer messaging protocol for client/server communication between devices connected on different types of buses or networks [23]. It is currently implemented using:

TCP/IP over Ethernet.

Asynchronous serial transmission over a variety of media (wire: EIA/TIA-232-E, EIA-422, EIA/TIA-485-A; fiber, radio, etc.)

MODBUS PLUS, a high speed token passing network.


Figure 5-2: Modbus Communication Stack [23]

Some features of the Modbus protocol, like the frame structure and exception responses, do not change, and it can be used over any type of communication medium. The protocol works on the master/slave principle, where a request is sent to a particular remote station and a response is sent back. If the request is of broadcast type, no response is received. Data can be exchanged in two transmission modes: ASCII, which is readable and used e.g. for testing, and RTU, which is compact and faster and used for normal operation (hex). The RTU mode is preferred since it has shorter frames and also has a parity check and a redundancy check, or CRC, while the ASCII mode has longer messages and hence slows down the system. The Modbus protocol also has two variants, Modbus serial and Modbus TCP. The serial protocol works in the ASCII and RTU transmission modes, while Modbus TCP works on IP-interconnected networks. The TCP variant allows a master to have multiple outstanding transactions and a remote station to engage in parallel execution of transactions from multiple hosts [23]. The main functions of the Modbus protocol are as follows.

Coil control commands for reading and setting a single coil or a group of coils

Input control commands for reading the input status of a group of inputs

Register control commands for reading and setting one or more holding registers

Diagnostic test and report functions

Program functions

Polling control functions

Reset

Vulnerabilities in this protocol can be exploited to such an extent that they can affect the remote station devices and even allow spoofing the master and taking over control. These vulnerabilities are discussed below [23].

5.2 Protocol Specifics

The message format for the Modbus protocol [17] is as shown in figure 5-3.

Figure 5-3: Modbus Protocol Frame Format [17]

The first field is a single-byte field which stores the address. In the request frame it holds the destination address; in the response frame it holds the master's address. The Modbus protocol can service a maximum of 248 slaves, but in the real world every master has a maximum of 2-3 slaves. The second byte indicates the function to be carried out at the destination. In a request frame this byte identifies the function that the target is to perform. If the request was completed successfully at the target station then the function field is echoed back; if it was unsuccessful, the field is sent with the most significant bit set, thus signaling an exception response. The third field is the data field and varies in length based on the function code in the frame. The last two bytes are the CRC field for error checking in the frame. The second byte in the frame is the function field, which has a number of function codes [17]. Table 5-1 below gives the list of function codes and their meaning.

Table 5-1: Function Codes In A Modbus Protocol Frame. [23]

Exception responses are generated when an illegal request is received at the target station. The fields of an exception response indicate the address of the responding controller, the function number with its MSB set to 1, the appropriate exception code and the CRC-16 checksum [23].

Table 5-2: Exception Function Codes For Modbus Protocol. [23]

5.3 Modbus Serial Protocol

Modbus Serial protocol messages are transmitted between a master and its slave devices over serial lines using the ASCII or RTU transmission modes [24].

Figure 5-4: Modbus Serial Architecture [24]

The message has 3 components as shown in figure 5-4: the slave address, the Modbus application protocol data unit (PDU) and the error checking field. The address field holds the destination address, depending on whether the message is a request or a reply. A broadcast message has address 0 and hence does not indicate any particular slave address. The PDU has two subfields, the function code and the function parameters. The function parameters field contains data pertaining to the function's invocation (request messages) or the function's results (response messages). Modbus function codes can be classified into 3 categories: public codes, user-defined codes and reserved codes. Public codes are the basic functions of read and write. Reserved codes are used for compatibility with legacy systems and user-defined codes are vendor-specific [24].

5.4 Modbus TCP Protocol

This protocol works on LAN-based networks as well as IP-based networks [24]. Figure 5-5 below shows a master connected to multiple slaves via an IP network. The master is connected to the control center's database and historians. In the Modbus TCP protocol the slave is designated as the server while the master is designated as the client, since the slave only performs passive operations. Multiple outstanding transactions can be present on the established channel [24].

Figure 5-5: Modbus TCP Architecture [24]

Since the Modbus TCP protocol encapsulates its messages in TCP packets, the TCP PDU includes the Modbus application protocol (MBAP) header in addition to the Modbus application PDU used in the serial protocol. The MBAP header has four fields: transaction identifier, protocol identifier, length and unit identifier. Pair matching of requests and replies is done by the transaction identifier, while the protocol identifier indicates the application protocol encapsulated by the MBAP header (zero for Modbus). The unit identifier indicates the slave associated with the transaction and is used only for legacy systems. The length field gives the number of bytes remaining in the rest of the data packet [24].

5.5 Vulnerabilities And Attacks In Modbus Protocol

Attacks on Modbus systems and networks can exploit the protocol specifications, vendor implementations of the Modbus protocol and the infrastructure. Similar to the DNP3 protocol, threats can be divided into 4 categories, i.e. interruption, interception, modification and fabrication. In the Modbus serial protocol, attacks can be carried out on the master, the slave and the serial communication network. In Modbus TCP, attacks can be carried out on the IP network as well as on the master and slave devices [24].

These attacks affect the confidentiality of the information transmitted because the message contents can be accessed. They affect the availability of the system since they can result in denial of service. They affect the integrity of the data since messages can be fabricated by a middle man. The attacks can be grouped into 3 categories, i.e. attacks unique to the Modbus serial protocol, attacks unique to the Modbus TCP protocol and attacks common to both the serial and TCP protocols [24].

5.5.1 Serial Only Attacks

Attacks are carried out on the Modbus protocol structure where a function code within the packet is modified, and hence the result of the act corrupts the end system [24],[25].

- When function code 08 with sub-function code 0A is sent to the target device, it clears the counters and alters the diagnostic register values. This changes the configuration of the field device and impacts the diagnostic operations. The threat category of this kind of attack is modification of the field device [25].

- When the function code remains the same, i.e. 08, and the sub-function code changes to 01, the end device restarts and executes its power-up test. This message causes the field device to change its configuration settings, since they are restored not to the original but to the default values; the device is also rendered inoperable if it is asked to restart repeatedly. The threat categories into which this falls are interruption and modification [25].

- When function code 17 is sent to the field device, it returns the field device status information, which can be sniffed and studied to carry out further attacks. This impacts the confidentiality of the system [25].

5.5.2 Serial And TCP Attacks

This category of attacks might disable the whole communication path by blocking Modbus messages. There are some more serious attacks which can take over control from the master station and completely disrupt the operation of the system [24] [25] [26].

- Messages can be broadcast by the middle man to the field devices, and the attack can go undetected since there are no reply messages for broadcast requests. This can bring down the whole set of remote stations and hamper the whole operation. The threat categories of this attack are interruption and modification [26].

- Messages flowing between the master and the field devices can be stored and replayed. In this way the middle man confuses the end devices and spoils the flow of operations. The threat categories to which this attack belongs are interruption, modification and fabrication [26].

- The middle man can randomly generate addresses and send messages to the field devices to obtain their configuration and status information. This scanning attack causes loss of confidentiality of information. The threat category to which this attack belongs is interception [26].

- Another attack is delaying the flow of information from the slave to the master, so that the master receives out-of-date messages and hence discards them. This attack threatens the system by interrupting and modifying the messages [26].

5.5.3 TCP Only Attacks

The attacks listed here are specific to Modbus TCP [24],[26].

- This kind of attack affects the framing of messages in TCP. Multiple Modbus messages cannot be placed in a single TCP packet; hence messages are fragmented by the master and sent to the remote station. This attack injects improperly fragmented messages, or modifies the messages and sends them on. The threat category into which this falls is interruption [26].

- An illegal packet with the final frame bit set is sent, which closes the TCP connection. This kind of packet can be sent following any Modbus message and hence causes the end of the transaction to be assumed. The threat category of this attack is interruption [26].

- Bombarding the field device or the master with transactions which belong to the higher priority pool causes denial of service. There are multiple pool categories in the TCP protocol since there can be multiple transactions outstanding. Hence if the pool is flooded with illicit packets it will not accept legitimate packets and the service stops. This threat takes place because of the interruption of the devices [26].

The impacts of the above attacks are as follows. Loss of confidentiality occurs when an attack reveals information about field devices, network topology or messages. Loss of availability occurs when operators are unable to obtain accurate and timely information about a process, either due to denial of service or data modification; this covers attacks that interrupt field devices, network connectivity or messages, as well as those that modify the master or involve the fabrication of field devices. The worst category, loss of integrity, occurs when an attacker spoofs the master and/or seizes control of the process; this covers attacks that modify field devices, network paths or messages, as well as those that result in the fabrication of the master, network paths or messages [26].
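The frame formats of sections 5.2 to 5.4 and the function codes singled out in the attack lists above, worked as a passive monitor in Python. This is an added example and not code from the thesis or the cited references; the CRC-16/MODBUS parameters and the MBAP layout are the standard ones, while the sample frames, the alert wording and the `monitor` helper are constructed here for illustration.

```python
import struct

# Function codes and diagnostic sub-functions named in the text (08 and 17 decimal)
FC_DIAGNOSTICS = 0x08
FC_REPORT_SLAVE_ID = 0x11          # function code 17
SUB_RESTART_COMMS = 0x0001         # 08/01: restart communications, power-up test
SUB_CLEAR_COUNTERS = 0x000A        # 08/0A: clear counters and diagnostic register
BROADCAST = 0                      # address 0 addresses every slave, no reply


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS used by the RTU frame: init 0xFFFF, reflected poly 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_rtu_frame(address: int, pdu: bytes) -> bytes:
    """address | function + data (PDU) | CRC low byte | CRC high byte."""
    body = bytes([address]) + pdu
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def parse_rtu_frame(frame: bytes) -> dict:
    """Split an RTU frame, verifying the trailing CRC before trusting any field."""
    if len(frame) < 4:
        raise ValueError("RTU frame shorter than address + function + CRC")
    body, wire_crc = frame[:-2], frame[-2] | (frame[-1] << 8)
    if crc16_modbus(body) != wire_crc:
        raise ValueError("CRC mismatch: corrupted or tampered frame")
    return _message("rtu", body[0], body[1:], transaction=None)


def build_tcp_frame(transaction: int, unit: int, pdu: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    return struct.pack(">HHHB", transaction, 0, len(pdu) + 1, unit) + pdu


def parse_tcp_frame(packet: bytes) -> dict:
    """Parse the MBAP header; the length field must cover unit id + PDU exactly."""
    if len(packet) < 8:
        raise ValueError("Modbus TCP packet shorter than MBAP header + function")
    transaction, protocol, length, unit = struct.unpack(">HHHB", packet[:7])
    pdu = packet[7:]
    if protocol != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(pdu) + 1:
        raise ValueError("MBAP length field does not match the payload")
    return _message("tcp", unit, pdu, transaction=transaction)


def _message(transport: str, unit: int, pdu: bytes, transaction) -> dict:
    """Common view of a PDU: the MSB of the function byte marks an exception."""
    return {"transport": transport, "unit": unit, "transaction": transaction,
            "function": pdu[0] & 0x7F, "exception": bool(pdu[0] & 0x80),
            "data": pdu[1:]}


def inspect(msg: dict) -> list:
    """Return alert strings for the behaviours the text lists as attacks."""
    alerts = []
    if msg["unit"] == BROADCAST:
        alerts.append("broadcast request: slaves send no reply, so it may go unnoticed")
    if msg["function"] == FC_DIAGNOSTICS and len(msg["data"]) >= 2:
        sub = struct.unpack(">H", msg["data"][:2])[0]
        if sub == SUB_CLEAR_COUNTERS:
            alerts.append("diagnostics 08/0A: clears counters and diagnostic register")
        elif sub == SUB_RESTART_COMMS:
            alerts.append("diagnostics 08/01: restarts the device (power-up test)")
    if msg["function"] == FC_REPORT_SLAVE_ID:
        alerts.append("function 17: discloses field device status information")
    if msg["exception"]:
        alerts.append("exception response: target rejected the request")
    return alerts


def monitor(frames) -> list:
    """Run every (transport, raw_bytes) pair through the parser and the inspector."""
    report = []
    for transport, raw in frames:
        try:
            msg = parse_rtu_frame(raw) if transport == "rtu" else parse_tcp_frame(raw)
            report.append((transport, msg["unit"], msg["function"], inspect(msg)))
        except ValueError as err:
            report.append((transport, None, None, [f"malformed: {err}"]))
    return report


# Constructed sample traffic (not captured from any real system)
SAMPLE = [
    ("rtu", build_rtu_frame(1, bytes([0x03, 0x00, 0x00, 0x00, 0x02]))),     # read 2 holding regs
    ("rtu", build_rtu_frame(1, bytes([0x08, 0x00, 0x0A, 0x00, 0x00]))),     # diagnostics 08/0A
    ("rtu", build_rtu_frame(0, bytes([0x08, 0x00, 0x01, 0x00, 0x00]))),     # broadcast 08/01
    ("rtu", build_rtu_frame(1, bytes([0x11]))),                             # report slave ID
    ("tcp", build_tcp_frame(7, 1, bytes([0x83, 0x02]))),                    # exception response
    ("tcp", build_tcp_frame(8, 1, bytes([0x03, 0x00, 0x00, 0x00, 0x02]))[:-1]),  # truncated
]

if __name__ == "__main__":
    for row in monitor(SAMPLE):
        print(row)
```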

5.6 Countermeasures For Enhancing Modbus Security

This section discusses the countermeasures that can be applied to the Modbus protocol to provide security. The common security threats among the ones listed above are as follows.

When the master sends a message to the field device, the field device needs to first authenticate the sender from which it obtained the packet and only then process the packet. The Modbus protocol lacks this ability, and hence middle man attacks can easily take place in Modbus. This middle man can bombard the slave units with messages and cause denial of service to the original, legitimate master. The middle man can also carry out replay attacks, i.e. capture the packets being sent and reuse them, altering them to perform other functions.

The best way to solve this issue is by repairing the Modbus protocol at its source. But this requires architecture modifications, which are significant changes. Another way to approach this issue is by introducing smaller security mechanisms to protect against attacks.

5.6.1 Secure Modbus Protocol

A secure Modbus protocol must preserve the confidentiality and integrity of the message. In order to satisfy these requirements, an unauthorized entity must not be allowed to access or modify the contents of the message. Also there should not be a middle man who can emulate the master or negate a performed action [27].

In the original protocol there is a protocol data unit which is independent of the communication layer. When Modbus messages are mapped to the structure of the bus or network, additional fields are introduced. In the Modbus TCP protocol frame structure there is an MBAP header, where the target address field of the serial message packet is replaced by a one-byte Unit Identifier in the MBAP header. The error checking field is removed and length information is added. The length information is stored so that the receiving field device can identify the message boundaries when messages are broken down into packets. A Modbus packet can have variable-sized or fixed-size data fields. To identify whether the entire message has been received, in fixed-size packets the information is inherent in the function codes; for function codes with variable data sizes there is a byte count field which carries this information [27].

The secure architecture that is covered below is intended to satisfy the following security requirements [27].

1. Integrity of the data is maintained by using a secure hash algorithm. SHA2 is used to generate the digest, which is transmitted along with the packet. The integrity is verified by computing the digest with the same algorithm and comparing it [27].

2. The above scheme does not prevent a middle man from creating his own packet and sending it to the field device. To avoid this kind of attack it is important to authenticate the master. Therefore a signature-based scheme should be used. In this secure Modbus architecture an RSA-based signature algorithm is used. The master signs the digest with the private key, and the field end device uses the public key to recover the digest and check its authenticity. With this algorithm even availability is fulfilled, since only the owner of the specific private key can send the packet [27].

3. The above two schemes do not provide replay protection, the reason being that the packet can be sniffed and obtained by a middle man. Hence a time stamp scheme is used which helps identify whether the packet was sniffed or is the original packet [27]. The packet structure incorporating the time stamp is shown below.

Figure 5-6: Secure Modbus Application Data Unit [27]

The time stamp is applied by the master device creating the packet; it is appended to the packet, which is then sent to the destination. The destination checks this packet against a pre-defined and configured time interval. If the packet has arrived within the time limit then it is a valid packet. One way of implementing this is by using the network time protocol (NTP). NTP provides high precision for the time interval by synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. NTP requires additional equipment to be installed, namely the NTP time server. This server provides a reliable clock for all communicating devices [27].

Since Modbus is a protocol which was developed for old legacy systems in SCADA, applying the above extensions to this protocol requires more computing power at the master and slave devices. In order to retrofit the legacy systems, a Modbus secure gateway [27] was implemented which carries out the above procedures to make the packet transmission more secure. Figure 5-7 below presents a schematic diagram of the Modbus Secure Gateway.

Figure 5-7: Modbus Secure Gateway [27]

This gateway is placed between the Modbus master and the slaves and provides a multi-homed gateway with a TCP/IP interface connected on the master side and a set of point-to-point TCP or serial links connected to the legacy slaves [27]. The operation of the gateway is as follows.

When it receives a packet from the master side flowing to the slave, it carries out the following steps.

1. It discards any unauthenticated packets.

2. It extracts the Modbus packet by applying the SHA algorithm and checking that the packet has maintained its integrity.

3. It then forwards the packet to the particular slave destination.

When it receives a packet from the slave device flowing towards the master, it carries out the following steps [27].

1. It creates the secure Modbus packet from the original Modbus packet.

2. It signs the packet digest with its private key.

3. It sends the packet over to the master.

The steps followed when sending and verifying a secure Modbus packet are as follows [27].

1. The master creates the packet with the function code required to carry out the command execution and the slave address. It also time stamps it (Mreq).

2. Then it computes the digest, encrypts it with the private key (pKm) and sends the request to the slave or the gateway:

C = [TS|Modbus]{SHA2(TS|Modbus)}pKm

3. The gateway or slave verifies the packet by using the public key (sKm):

Mreq = {C}sKm

After verifying the benignity of the packet, the slave address is read from the MBAP header and the packet is sent to the appropriate address. The same procedure is followed when the flow of packets takes place the other way round.
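The signing and verification steps above, as an added example in Python (not the thesis's or the cited gateway's code). It assumes textbook RSA over a SHA-256 digest with a constructed, publicly known demo key built from two Mersenne primes, a 4-byte big-endian Unix time stamp for TS, and a configurable freshness window; the replay cache in the receiver goes beyond the page, which only describes the time-window check, and the names `rsa_sign`, `rsa_verify`, `build_secure_adu` and `SecureReceiver` are this example's own.

```python
import hashlib
import struct

# Constructed demo key: two well-known Mersenne primes, so the key is public
# knowledge.  A real deployment generates secret primes and uses an RSA
# library with proper signature padding (e.g. PSS); textbook RSA is used
# here only to show the arithmetic of {SHA2(TS|Modbus)}pKm offline.
_P = (1 << 521) - 1
_Q = (1 << 127) - 1
N = _P * _Q                                  # modulus, about 648 bits
E = 65537                                    # public exponent (sKm in the text)
D = pow(E, -1, (_P - 1) * (_Q - 1))          # private exponent (pKm in the text)
SIG_LEN = (N.bit_length() + 7) // 8          # bytes of signature appended to the ADU
TS_LEN = 4                                   # assumed 32-bit big-endian Unix time


def rsa_sign(digest: bytes, d: int = D) -> bytes:
    """Sign the 256-bit SHA-2 digest with the master's private key."""
    return pow(int.from_bytes(digest, "big"), d, N).to_bytes(SIG_LEN, "big")


def rsa_verify(digest: bytes, sig: bytes, e: int = E) -> bool:
    """Recover the digest with the public key and compare it with our own."""
    return pow(int.from_bytes(sig, "big"), e, N) == int.from_bytes(digest, "big")


def build_secure_adu(modbus_adu: bytes, ts: int) -> bytes:
    """Step 2 of the text: C = [TS|Modbus]{SHA2(TS|Modbus)}pKm."""
    payload = struct.pack(">I", ts) + modbus_adu
    return payload + rsa_sign(hashlib.sha256(payload).digest())


class SecureReceiver:
    """Slave or gateway side (step 3): signature, then freshness, then replay."""

    def __init__(self, window_s: int = 5):
        self.window = window_s               # pre-configured time interval
        self.seen = {}                       # digest -> ts, replay cache (added here)

    def accept(self, packet: bytes, now: int) -> bytes:
        """Return the plain Modbus ADU, or raise ValueError with the reason."""
        if len(packet) < TS_LEN + 1 + SIG_LEN:
            raise ValueError("truncated secure ADU")
        payload, sig = packet[:-SIG_LEN], packet[-SIG_LEN:]
        digest = hashlib.sha256(payload).digest()
        if not rsa_verify(digest, sig):
            raise ValueError("signature check failed: not signed by the master")
        ts = struct.unpack(">I", payload[:TS_LEN])[0]
        if abs(now - ts) > self.window:
            raise ValueError("time stamp outside the configured interval")
        # forget entries that could no longer pass the window check anyway
        self.seen = {d: t for d, t in self.seen.items() if abs(now - t) <= self.window}
        if digest in self.seen:
            raise ValueError("replayed packet: this TS|Modbus was already accepted")
        self.seen[digest] = ts
        return payload[TS_LEN:]


if __name__ == "__main__":
    # Constructed request: unit 1, read 2 holding registers from address 0
    adu = bytes([0x01, 0x03, 0x00, 0x00, 0x00, 0x02])
    pkt = build_secure_adu(adu, ts=1_000_000)
    print(len(pkt), "bytes on the wire;", SecureReceiver().accept(pkt, now=1_000_002).hex())
```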

The above architecture can be implemented in the following manner. The communication layer between the OS and the Secure Modbus device was implemented using sockets. The TCP/IP library only provides stream sockets using TCP and a connection-based communication service. Figure 5-8 below presents the architecture of the Secure Modbus module that implements socket-based communications. The TCP/IP level manages the establishment and termination of connections, and the data flow in an established connection.

Figure 5-8: Secure Modbus Module [27]

The components of the above module are as follows. The TCP stream builder sets up the connection parameters. Keep-alive time periods are used to detect inactivity of systems; hence a small keep-alive time closes the connection very fast. TCP no-delay is used for real-time systems. The time-out of the function can be modified according to the requirements of the system [27].

The Modbus module has 4 main components. The Modbus stream builder extracts the secure Modbus packet contained in the TCP packet and sends it to the RSA unit. After verifying the authenticity it sends the packet to the SHA-2 unit, which verifies the integrity of the data. Then it sends the packet to the time stamp analyzer to verify its freshness. The RSA unit does the encryption or decryption using the respective private or public keys. The SHA-2 unit validates the hash values. The Modbus ADU Builder/Reader constructs and manages the secure Modbus application data unit. The time stamp analyzer verifies the validity using the NTP service [27].

The Secure Modbus protocol was tested using an experimental power plant testbed. Figure 5-9 below shows the components of the SCADA testbed [27].

Figure 5-9: SCADA Test Bed Developed To Verify Secure Modbus Protocol [27]

The components of the SCADA testbed are as follows. The field network is the network of all the actuators and sensors. The process network is used for plant operations, to send commands to the field devices, etc. The observer network is the one which collects all the sensory data. The horizontal services network supports backup and disaster recovery. The intranet is the network within the control center. The data exchange network allows data to be shared from the control center process network to the corporate intranet [27].

Two experiments were conducted to evaluate the performance of the Secure Modbus protocol. The first experiment examined the latency resulting from the use of the SHA2 hashing and RSA-based signature schemes. The second examined the increased size of Secure Modbus packets for various function codes [27].

Table 5-3 compares the communication latency for Modbus TCP and Secure Modbus. A negligible difference in latency is observed for both sets of scan rate and connection time-out. Table 5-4 compares the packet sizes. Secure Modbus packets are larger than the corresponding Modbus TCP packets, but this overhead is matched by communication networks with higher communication bandwidth, so the two equalize each other.

Table 5-3: Comparison Of Communication Latency [27]

Table 5-4: Comparison Of Packet Size [27]

The above secure Modbus gateway architecture provides a secure environment without significant overhead. But it does not address a middle man attack which seizes control of a master and sends malicious messages to the Modbus unit. To address this attack scenario, a dedicated filtering unit identifies suspect Modbus messages. Below is a description of the development of the filtering unit and its features [27].

Below is the description of the secure survivable SCADA architecture to combat attacks wherein an attacker is able to send a command packet to a slave. Even when a command packet is illicit, a firewall will allow it to flow through. Hence when the packet is sent from an illicit source it will still flow through, since it is a command packet. Therefore a solution to combat this is presented below [27].

1. The master composes the packet normally (Mreq), and the authenticity and integrity of the packet are then ensured by using the RSA and SHA algorithms.

2. This packet is then sent to the filtering unit, which validates the packet using the master's public key:

Mreq = Dec {C, PKm}

3. The filtering unit analyzes the Modbus packet command and destination. If the combination is unusual and dangerous to the slave unit then it adds the packet to the dedicated stack of malformed packets.

4. If it is an untouched packet then the filtering unit authenticates the message with its own private key pKf and sends it to the slave unit:

MrF = Enc {Mr, pKf}

5. The slave (PLC) validates the filtered Modbus request (MrF) with the Filtering Unit's public key (PKf):

Mr = Dec {MrF, PKf}

6. The slave validates the Modbus request (Mreq) with the Master's public key and executes the command:

Mreq = Dec {Mr, PKm}

But there is another security hole in this architecture. If the attacker takes control over both the filtering unit and the master then it can reach the slave unit. To avoid this scenario the concept of K-resilience is adopted [28]. This means that a mesh of N filtering units with a stronger operating system is deployed between the slave and master units. The algorithm works in the following manner: when the packet from the master reaches the filtering units, it is sent to at least P filtering units, where P should be greater than K. Each filtering unit verifies the authenticity and sends it to the slave unit. If the slave unit obtains at least K packets of the same request then it processes the command. Now the attacker has to corrupt P filtering units to reach the slave [28]. Figure 5-10 below shows the proposed architecture in detail.

Figure 5-10: High Level Secure Survivable Architecture [28]

The proposed architecture provides security in various areas. It does not allow corrupted packet command execution. Because of the signatures used, it provides data integrity. It prevents replay attacks with time stamps. It prevents a malicious master from sending corrupted packets because of the filters used, and it also removes the risk of the attacker reaching the slave through its K-resilience architecture [28].

The implementation of the prototype is discussed below. Because of the physical architecture of SCADA, the key exchange can be done manually on each system in a secure manner; there is no need for automatic key exchange. The RSA scheme was used for the signature-based algorithm. Hence the signature is applied on the Modbus packet, which is then encapsulated in the TCP packet. The basic communication layer between the operating system and the Modbus device is provided by a socket, which manages the keep-alive messages, the TCPNODELAY option and the TIME-OUT of connections [28].

Components in the master and slave units should be designed for both functionalities: creating a Modbus packet and interpreting the received packet. The Modbus Stream adapter extracts the Modbus packet from the TCP packet, then authenticates it using RSA and checks its time stamp with the TS analyzer. The Modbus ADU Builder/Reader checks whether the packet carries a valid command to a valid address. It uses the message stack to store all the incoming messages and validate them with the intrusion detection system [28].

The components of the filtering unit are shown in figure 5-11 below.

Figure 5-11: Filtering Unit Prototype [28]

The Modbus Module consists of the following units. The rules database has the list of authorized behaviors, i.e. the right combinations of command and destination. The system description database contains the description of the system to be analyzed; this database works in sync with the rules database to determine any malicious activity on the process network. The event tracker is used to correlate events and is used in the stack architecture. The Modbus analysis engine analyzes all the data collected from the above 3 units and identifies malicious behavior. The alert manager notifies about potential malicious activity [28].
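The filtering-unit steps, the K-resilient mesh of filtering units and the rules database described above, as an added Python example rather than code from the thesis or the cited prototype. It assumes requests arrive already parsed into a destination unit and function code, models the RSA checks of steps 2 and 5 as boolean flags, and uses a constructed rule set (`RULES`) and constructed traffic; the class and function names are this example's own.

```python
from collections import defaultdict

# Constructed rules database: authorized (destination unit, function code) pairs.
RULES = {(1, 0x03), (1, 0x06), (2, 0x03)}   # reads on units 1 and 2, single write on 1


class FilteringUnit:
    """One FU of the mesh: steps 2 to 4 of the text, backed by the rules database."""

    def __init__(self, fu_id: str, rules, compromised: bool = False):
        self.fu_id = fu_id
        self.rules = set(rules)
        self.quarantine = []                 # dedicated stack of suspect packets
        self.compromised = compromised       # models an FU under attacker control

    def filter(self, req: dict):
        if self.compromised:                 # a corrupted FU vouches for anything
            return dict(req, fu_id=self.fu_id, fu_sig_ok=True)
        if not req["master_sig_ok"]:         # step 2: Mreq = Dec{C, PKm} failed
            self.quarantine.append(("bad-master-signature", req))
            return None
        if (req["unit"], req["function"]) not in self.rules:   # step 3
            self.quarantine.append(("unauthorized-command", req))
            return None
        return dict(req, fu_id=self.fu_id, fu_sig_ok=True)    # step 4: MrF


class ResilientSlave:
    """Executes a request only once K distinct FUs forwarded identical copies."""

    def __init__(self, unit: int, k: int):
        self.unit, self.k = unit, k
        self.votes = defaultdict(set)        # request key -> FU ids that vouched
        self.executed = []

    def receive(self, pkt) -> bool:
        # step 5: FU signature and destination must check out
        if pkt is None or not pkt["fu_sig_ok"] or pkt["unit"] != self.unit:
            return False
        key = (pkt["seq"], pkt["function"], pkt["data"])
        self.votes[key].add(pkt["fu_id"])
        if key not in self.executed and len(self.votes[key]) >= self.k:
            self.executed.append(key)         # step 6: the command runs exactly once
            return True
        return False


def dispatch(req: dict, mesh, slave: ResilientSlave) -> bool:
    """Send the master's request to P = len(mesh) FUs; True if the slave executed it."""
    ran = False
    for fu in mesh:                          # no short-circuit: every FU votes
        ran = slave.receive(fu.filter(req)) or ran
    return ran


def make_request(seq: int, unit: int, function: int, data: bytes,
                 signed: bool = True) -> dict:
    """Master request after the RSA/SHA step, summarised by the master_sig_ok flag."""
    return {"seq": seq, "unit": unit, "function": function,
            "data": data, "master_sig_ok": signed}


def scenario(k: int = 2, compromised_fus: int = 1):
    """Three FUs (P = 3), the first `compromised_fus` under attacker control."""
    mesh = [FilteringUnit(f"fu{i}", RULES, compromised=i <= compromised_fus)
            for i in (1, 2, 3)]
    slave = ResilientSlave(unit=1, k=k)
    results = {
        "legit_read": dispatch(make_request(1, 1, 0x03, b"\x00\x00\x00\x02"), mesh, slave),
        "diag_restart": dispatch(make_request(2, 1, 0x08, b"\x00\x01\x00\x00"), mesh, slave),
        "unsigned_write": dispatch(make_request(3, 1, 0x06, b"\x00\x10\x00\x01",
                                                signed=False), mesh, slave),
        "replayed_read": dispatch(make_request(1, 1, 0x03, b"\x00\x00\x00\x02"), mesh, slave),
    }
    return results, [fu.quarantine for fu in mesh]


if __name__ == "__main__":
    for k, bad in ((2, 1), (2, 2), (3, 2)):
        print(f"K={k}, compromised FUs={bad}:", scenario(k, bad)[0])
```

With K=2 a single corrupted FU cannot push the diagnostics restart (08/01) through, while corrupting two of the three FUs can; raising K to 3 blocks it again at the cost of tolerating no FU outage.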

Prototype testing was carried out with the aim of finding the delays introduced by the signature algorithms and the mesh of filtering units. The size of the resulting packets was also analyzed. Tables 5-5 and 5-6 show that the latency and delays introduced are comparatively small.

Table 5-5: Communication Latency With Modbus And Secure Modbus - Master Scan Rate Of 500ms And A Connection Timeout Of 1200ms [28]

Table 5-6: Modbus/TCP And Secure Modbus/TCP Packet Size, Tested With Different Functions [28]

Table 5-7 below lists the differences between the FU applied on the Modbus and on the secure Modbus architectures. The filtering units do introduce a delay, but it is negligible when compared with Modbus and secure Modbus. The delay introduced by the FU is the same for all slave devices [28].

Table 5-7: Communication Latency In The Different Communications Steps [28]

To verify the functionality of this system, a series of attacks were launched on the above prototype and on a SCADA architecture configured with 2 firewalls, i.e. classical iptables and a WatchGuard FW. It was observed that the above prototype significantly improved the security of the system [28].

Chapter 6

RESEARCH ISSUES

There are a number of issues that require research to be carried out, and models for them need to be developed appropriately [29]. Below are some of the issues that need more work.

6.1 Performance Requirements Of SCADA Systems

Chapter 4 discussed the various countermeasures that can be used to combat the security issues in the DNP3 protocol. But all these techniques assume that the SCADA end systems have enough resources to execute all the steps. This is not true, because the processing power of SCADA end systems is not high. Hence implementing techniques such as secure DNP3 authentication, the timed network protocol, etc. will bring down the performance of the system. This is an important issue which needs research [29].

6.2 Authentication And Authorization Of Users At The Field Substations

Authentication and authorization of the personnel who work at the substation is an issue that needs research. The aim here is to have only the intended users authenticating to their assigned devices and performing only the functions relevant to that user. This will prevent insider attacks and provide a better logging system.

Access to the IEDs at the substations must be given to a specific user. Generally it is given to a number of users having a specific role. These systems understand the meaning of a role but are not programmed to allow only the user who is assigned to that role. Therefore passwords are shared among multiple maintenance personnel even though their assigned roles may differ, which defeats the purpose of having roles. Also, since there are so many devices deployed in a substation, the shared password may be common to many systems [29].

These systems are accessed either locally or remotely. Remote access takes place over low-speed communication lines, so carrying out authentication of the user can slow down the whole communication process. Therefore performing an authentication protocol such as RADIUS or LDAP is undesirable. Some method should be implemented which allows appropriate normal system access during emergency situations [29].

6.3 Enhancing The Security Of Serial Communication

Some legacy systems consist of serial communication links between the control centers and outstation devices. The most commonly used protocols on these serial links are the DNP3 and Modbus protocols. They transmit text in unencrypted form and hence can be easily sniffed. Solutions to enhance this, such as wrapping the protocols in an IPSEC or SSL/TLS layer, put a load on these low-bandwidth communication links and bring down the system speed to a large extent. This impacts the latency and bandwidth of communication, so these are not good solutions. Research needs to be carried out in order to find a mechanism which balances bringing in encryption with not affecting the latency and bandwidth of the system [29].

6.4 Access Logs For The IED’s In Substations

Access to the IEDs at the substations must be logged in order to detect any malicious activity. Even where logs are maintained, they will not be communicated to the control center because of the low bandwidth issue. A solution is needed which allows the control center to access these logs remotely while not compromising the bandwidth requirements. The solution should also consider the need for a more centralized solution even though the substations are distributed in nature [29].

6.5 Attacks From Which Side Channel Information Can Be Obtained

Cryptographic keys embedded in the equipment can be extracted using the various attack schemes described below. Information obtained from these attacks is called side channel information and can facilitate extraction of the entire cryptographic key. By carrying out attacks based on timing measurements, power measurements, electromagnetic emission and faulty hardware, side channel information can be retrieved. A power analysis attack basically involves analysis of the power differences in the signal and conversion of the trace into logical zeroes and ones in order to extract the key. Another attack is the tempest attack, which works on the principle that electronic devices such as monitors emit electromagnetic radiation during normal use. This can be picked up from a remote location using antennas, etc., and the information replayed, thereby attacking privacy. Timing attacks exploit timing information obtained from the way inputs, including cryptographic keys, are processed by the system. Even though side channel information does not provide complete information, it provides enough information that can be amplified to analyze and extract keys [29].

6.6 Timing Information Dependency

A time reference is used by many power system models. Currently the advanced systems being built are becoming more dependent on an absolute time reference. In order to avoid replay actions against security protocols which use the time stamp scheme for authentication, it is necessary to have an absolute time reference. Hence it is necessary to ensure that this timing information is not tampered with on any device. An example is when certificates are used to bind an identity to public keys, facilitating digital signatures and data encryption. When these certificates are exchanged, if the receiving end's time reference has been tampered with then it might reject the certificate because it has expired or is not yet valid, malicious connections might be set up, etc. Timing information is also used in the time stamps in logs. These logs are used together with logs from other resources to analyze the sequence of events and find any malicious activity. Hence it is necessary to provide synchronized clocks which are tamper-proof [29].

6.7 Software Patch Updates

Devices in remote stations like IEDs, PLCs, etc. are deployed in a distributed and isolated manner. Software and patch updates to these devices cannot be done very easily. It is a complex procedure which involves testing on backup systems and then deploying to the production systems. The electrical sector operates in a slightly different manner than regular IT systems. First the risk and impact of the vulnerability need to be determined, and based on its priority level the patches need to be deployed. The process of developing this scheme needs to be researched in more detail so that a structure for this procedure is obtained [29].

6.8 Intrusion Detection Equipment For The Field Devices And The Control Systems

The communication between the master and the field devices takes place using the Modbus or DNP3 protocol. Modbus has already been deployed in legacy systems, while DNP3 is more prominent in newer systems. A well developed intrusion detection mechanism is needed which supports both protocols and also carries out event detection and analysis. The standard being built needs to incorporate a good understanding of the operation of the field device, the master station and the protocol. With this ability the model can detect malicious commands that come in to disturb the operation of the entire system [29].
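As an added illustration of the protocol-aware detection this section calls for (example code written for this page, not from the project or any product), the inspector below parses Modbus/TCP frames, rejects frames whose MBAP header violates the specification, and flags write requests from an unauthorized master as well as the Diagnostics sub-functions that restart a device or clear its counters. The authorized master address, the site policy and the sample frames are constructed assumptions.

```python
import struct

# Modbus public function codes (from the Modbus Application Protocol Specification).
WRITE_SINGLE_REGISTER = 0x06
DIAGNOSTICS = 0x08
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}

# Diagnostics (0x08) sub-functions that restart a device or clear its state,
# i.e. the "restart the system / clear registers" commands the text warns about.
DISRUPTIVE_DIAG_SUBFUNCTIONS = {
    0x0001: "Restart Communications Option",
    0x000A: "Clear Counters and Diagnostic Register",
}

# Assumed site policy (hypothetical value): only this master may issue writes.
AUTHORIZED_WRITERS = {"10.0.0.5"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts the unit id plus the PDU, so it must equal the
    # frame size minus the first six header bytes; a mismatch is a malformed frame.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame) - 6}")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def inspect(src_ip: str, frame: bytes) -> list:
    """Return the alerts raised by one request frame from src_ip (empty list = clean)."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"malformed frame from {src_ip}: {exc}"]
    alerts = []
    fc = msg["function"]
    if fc in WRITE_FUNCTIONS and src_ip not in AUTHORIZED_WRITERS:
        alerts.append(f"write fc=0x{fc:02X} to unit {msg['unit']} from unauthorized {src_ip}")
    if fc == DIAGNOSTICS and len(msg["data"]) >= 2:
        sub = struct.unpack(">H", msg["data"][:2])[0]
        if sub in DISRUPTIVE_DIAG_SUBFUNCTIONS:
            alerts.append(f"diagnostics sub-function 0x{sub:04X} "
                          f"({DISRUPTIVE_DIAG_SUBFUNCTIONS[sub]}) from {src_ip}")
    return alerts


# Constructed sample traffic (source IP, raw ADU) for this example.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", bytes.fromhex("00010000000601030000000A")),   # read 10 holding registers
    ("10.0.0.99", bytes.fromhex("000200000006010600100001")),  # write register, unknown host
    ("10.0.0.5", bytes.fromhex("000300000006010800010000")),   # diagnostics: restart comms
    ("10.0.0.5", bytes.fromhex("00040000002001030000000A")),   # length field says 0x20, not 6
]


def run_sample() -> dict:
    """Inspect the sample traffic; map transaction id -> list of alerts."""
    results = {}
    for src_ip, frame in SAMPLE_TRAFFIC:
        tid = struct.unpack(">H", frame[:2])[0]
        results[tid] = inspect(src_ip, frame)
    return results
```

Running `run_sample()` yields no alert for transaction 1 and exactly one alert each for transactions 2, 3 and 4.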

6.9 Authentication Of The Users To Control System Equipment

The control center uses operating systems such as UNIX or Windows. Standard enterprise solutions for authenticating users to this equipment are available, but they might need some modification once their usage in the electrical sector is taken into consideration. Access policies such as locking the screen during inactivity and expiring passwords are not always appropriate for equipment in the control center. Therefore research is needed into how new schemes can be developed which fit the requirements of the control center [29].

6.10 Legacy Systems With Limited Processing Power And Resources

The lifecycle of equipment in the electrical sector ranges from 20 to 30 years, whereas security technologies advance at a very rapid rate. Legacy systems are resource limited, and it is difficult to add new security technologies to them because their development lags behind, unlike IT systems, which advance at the same rate as security technologies. Adding these security technologies to such equipment might hinder its performance and might be impractical; it may simply not have the resources to support the security functionality. Hence security mechanisms need to be developed specifically for these legacy systems so that they do not degrade the functionality of the system and still extend protection to the legacy systems. A more layered architecture needs to be developed to provide a secure system [29].

6.11 Roles To Be Defined In The Control Center

There are a few well defined roles in the control center, but with the introduction of various security schemes a number of additional roles may need to be introduced. These new roles will mainly consist of the maintenance and evaluation of the security mechanisms introduced into the latest systems. Hence all the roles in the control systems and their responsibilities need to be compiled. The access control scheme for each of these roles also needs to be defined correctly so that no new vulnerabilities are introduced into the system [29].

There are many areas in SCADA that need a great deal of further research. There is a general perception that when a system fails it is because of the security mechanisms that have been implemented, and so they are all disabled. This concern also needs to be considered, and models need to be developed that address it effectively [29].


Chapter 7

CONCLUSION

7.1 Summary

The SCADA system used in the power grid has a number of security issues. The aim of this project was to identify these security issues and the countermeasures to combat them. The main functions of SCADA are to manage and control the equipment responsible for delivering power. Therefore, it consists of automated processes which help it achieve this functionality. The three main components of SCADA are the master terminal unit, the remote terminal unit and the communication channel between them. The master terminal unit is the control center that manages and controls the actions of the remote terminal units. A remote terminal unit consists of field devices that gather information about the status of the system using sensory equipment and control certain modules of the system using actuators. The communication channel provides the link to share the collected data and at the same time sends the appropriate commands to the field devices to carry out their functions.

There are a number of vulnerabilities that can be exploited in the master terminal unit and the remote terminal unit. Policy and procedure vulnerabilities such as an inadequate security policy, insecure architecture and design, insufficient guidelines to personnel about equipment security, few security audits, and lack of a disaster recovery plan could have a severe impact on the SCADA architecture. Platform vulnerabilities such as the use of standard operating systems with known security issues, password related issues such as the use of shared and unencrypted passwords, and access control issues such as a lack of defined roles and privileges can allow an attacker to easily enter the system and disrupt operations.

The countermeasures used to overcome the issues stated above are a structured approach, with specific functions such as planning, guidance, enforcement and auditing documentation, to help SCADA personnel maintain the system in a secure manner. Strong intrusion detection schemes, which will block any kind of illegal traffic consisting of harmful commands to the system, need to be developed and deployed in the system. For SCADA systems with serial communication links, the bump-in-the-wire technology used in Yet Another Security Retrofit (YASIR) provides secure communication and at the same time lower processing latency and better bandwidth usage.

Two protocols used in the communication channel between the master and remote terminal unit

are Distributed Network Protocol (DNP 3.0) and Modbus protocol. Vulnerabilities in the DNP3

protocol layers can be exploited to cause interruption, interception, modification and fabrication

of communication between systems. The attacker can capture the message, analyze the traffic

pattern, modify parameters such as length field, function code field, destination address, and

sequence number field to cause denial of service.

There are various techniques that can be implemented to avoid these attacks. Wrapping the DNP3 protocol structure in an SSL/TLS layer or an IPsec layer provides protection; however, this approach does not provide secure authentication. Another approach is to carry out protocol enhancements with authentication octets or via a challenge response implementation to provide better authentication. The last approach discussed is the DNPSec framework, which changes the protocol packet structure to protect against attacks. On comparing these approaches, the DNPSec framework provides good security. However, it is a theoretical idea and should be tested in a real environment.

The Modbus protocol works over both TCP/IP and serial communication links. One way of attacking the serial communication link is by modifying function codes in the protocol to cause harm to the system. Some of the illegal function codes used would clear registers, restart the system and can cause failure of system operation. Man-in-the-middle attacks such as broadcasting messages, replaying messages, random address generation and delaying the flow of information can take place. These can hamper the system severely. The TCP packet structure in the Modbus protocol can be changed to carry out attacks such as closing the connection, denial of service etc.

A secure Modbus protocol can be built by modifying the packet structure. However, to retrofit legacy systems, gateways can be introduced which provide integrity and authentication. In order to avoid intermediary attacks a mesh of filtering units with K-resilience can be used.

The countermeasures provide security to a certain extent. There are still some areas which need more research, such as an appropriate authentication mechanism that will not use excess bandwidth, mechanisms to avoid side channel attacks, etc.

7.2 Strengths and Weaknesses

This project has a comprehensive list of the potential and current security issues in the SCADA system. Various countermeasure schemes are listed to overcome the security issues. Countermeasures which retrofit into legacy systems, e.g. YASIR, are discussed. Other countermeasures which can be implemented for both legacy and non-legacy systems, such as domain specific IDS and demilitarized zones, are also discussed. The secure Modbus architecture fits into legacy communication systems by using gateways and at the same time provides a very secure communication architecture for Modbus protocols using a mesh of filtering units. The DNPSec framework provides a secure communication structure for DNP3 protocols. The advantage of this scheme is that it provides end-to-end security at the application level, and the protocol is simple, eliminating the complexity of key exchange and management issues.

Some weaknesses of this project are discussed below. Implementation of firewalls, an electronic perimeter, demilitarized zones, intrusion detection systems etc. would block illegal traffic from entering the network. These are strong countermeasure schemes, which need to be carefully developed and tested. Various types of firewalls such as packet filtering firewalls, stateful inspection firewalls, and application proxy gateway firewalls are available. In this project, we do not analyze which of these firewalls can be used at each entry point in the SCADA network.

Another protocol used in control systems is IEC 870-5-101. Security issues and countermeasures for this protocol have not been discussed in this project because it is widely used in Europe and not common in North American SCADA systems.

7.3 Future Work

The countermeasure solutions discussed, such as the secure Modbus architecture and the DNPSec implementation, are theoretical concepts and require implementation in real systems. Intensive testing of these implementations needs to be carried out to make sure that the solutions provide all the security features as intended.

The various authentication schemes discussed among the countermeasures, such as authentication octets and challenge response, use a considerable amount of the system's resources and thereby reduce its performance. Techniques that provide the required security while not using much of the system's resources require further work.

The nature of a SCADA system is that it maintains a connection between the master and the remote station for a long period. Hence a tool must be developed which monitors the credentials and trust relationships that were validated at the time the connection was established.

A model needs to be developed in which external users (utilities, the enterprise network) who access the system have some kind of access control capability defined. This needs more research in order to prevent illicit access to the system.

Since many protocols depend on time information, a protocol needs to be developed which helps the entire system follow the same absolute time. This will help the time stamp schemes as well as authentication.


REFERENCES

[1] Litos Strategic Communication, "Smartgrid introduction". [Online]

Available: http://www.oe.energy.gov/SmartGridIntroduction.htm

[2] Edward Chikuni, Department of Electrical Engineering, Polytechnic University of Namibia, Namibia, and Maxwell Dondo, Defence R&D Ottawa, 2007, "Investigating the Security of Electrical Power Systems SCADA". [Online]

Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4401531&tag=1

[3] Micrologic System Inc, "SCADA primer". [Online]

Available: http://www.micrologic-systems.com/primers/scada.htm

[4] Robert F. Dacey, Director, Information Security Issues, Oct 2003, "CRITICAL INFRASTRUCTURE PROTECTION, Challenges in Securing Control Systems". [Online]

Available: http://www.gao.gov/new.items/d04140t.pdf

[5] Dr. Patricia A. Ralston, Dr. James H. Graham and Dr. Sandip C. Patel, Dept. of Computer Engineering and Computer Science, University of Louisville, July 2006, "Literature Review of Security and Risk Assessment of SCADA and DCS Systems". [Online]

Available: http://www.cs.louisville.edu/facilities/ISLab/tech%20papers/ISRL-TR-06-01.pdf

[6] D. Kilman, J. Stamp, April 2006, "Framework for SCADA Security Policy". [Online]

Available: http://www.sandia.gov/scada/documents/sand_2005_1002C.pdf

[7] D. Mussington, monograph published by RAND, Santa Monica, CA, 2002, "Concepts for Enhancing Critical Infrastructure Protection: Relating Y2K to CIP Research and Development". [Online]

Available: http://www.rand.org/pubs/monograph_reports/2005/MR1259.pdf

[8] K. Stouffer, J. Falco, F. Proctor, Proceedings of the 2004 TAPPI Summit, Atlanta, Georgia, May 2004, "The NIST Process Control Security Requirements Forum (PCSRF) and the Future of Industrial Control System Security". [Online]

Available: http://www.isd.mel.nist.gov/documents/stouffer/TAPPI.pdf

[9] R. Melton, T. Fletcher, M. Earley, April 14, 2004, "System Protection Profile-Industrial Control Systems (SPP-ICS)". [Online]

Available: http://www.isd.mel.nist.gov/projects/processcontrol/SPP-ICSv1.0.pdf

[10] Keith Stouffer, Joe Falco, Karen Scarfone, NIST, Sep 2008, "Guide to Industrial Control Systems (ICS) Security". [Online]

Available: http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf

[11] Amanullah, International Islamic University Malaysia, A. Kalam, Victoria University of Technology, Member, IEEE, and A. Zayegh, Victoria University of Technology, Australia, Member, IEEE, 2005, "Network Security Vulnerabilities in SCADA and EMS". [Online]

Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1546981&tag=1

[12] Jason Stamp, John Dillinger, and William Young, Networked Systems Survivability and Assurance Department, Jennifer DePoy, Information Operations Red Team & Assessments Department, Sandia National Laboratories, Albuquerque, NM 87185-0785, 22 May 2003, "Common Vulnerabilities in Critical Infrastructure Control Systems". [Online]

Available: http://www.oe.netl.doe.gov/docs/prepare/vulnerabilities.pdf

[13] Riptech, January 2001, "Understanding SCADA System Security Vulnerabilities". [Online]

Available: http://www.omegastar.com/rca/scada/scada.html

Available: http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf

[14] Chee-Wooi Ten, Student Member, IEEE, Iowa State University, Manimaran Govindarasu, Member, IEEE, Iowa State University, and Chen-Ching Liu, Fellow, IEEE, Iowa State University, 2007, "Cyber security for Electric Power Control and Automation Systems". [Online]

Available: http://powercyber.ece.iastate.edu/publications/SMC-conf.pdf

[15] Dale Peterson, Director, Network Security Practice, Digital Bond, Inc, "Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks". [Online]

Available: http://www.isa.org/filestore/Division_TechPapers/GlassCeramics/TP04AUTOW046.pdf

[16] Sandip Patel, Information Science & Systems at Morgan State University, Baltimore, Ganesh D. Bhatt, Department of Information Science & Systems at Morgan State University, James H. Graham, Electrical and Computer Engineering at the University of Louisville, July 2009, "Improving the Cyber Security of SCADA Communication Networks". [Online]

Available: http://portal.acm.org/citation.cfm?id=1538788.1538820

[17] Gordon Clarke, Deon Reynders, Edwin Wright, "Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems", British Library Cataloguing in Publication Data, ISBN 07506 7995. [Online]

Available: http://www.sensorsportal.com/HTML/BOOKSTORE/SCADA_Protocols.htm

[18] Samuel East, Jonathan Butts, Mauricio Papa and Sujeet Shenoi, "A Taxonomy of attacks on the DNP3 protocol". [Online]

Available: http://www.springerlink.com/content/k48k4733v0367120

[19] James H. Graham, Sandip C. Patel, Dept. of Computer Engineering and Computer Science, University of Louisville, September 2004, "Security Considerations in SCADA Communication Protocols". [Online]

Available: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.84.1152


[20] Munir Majdalawieh, Francesco Parisi-Presicce, Duminda Wijesekera, "DNPSec: Distributed Network Protocol Version 3 (DNP3) Security Framework". [Online]

Available: http://www.acsac.org/2005/techblitz/majdalawieh.pdf

[21] Grant Gilchrist, PE, EnerNex Corporation, Okotoks, 2008, "Secure Authentication for DNP3". [Online]

Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4596147

[22] A. B. M. Omar Faruk, KTH Electrical Engineering Master Thesis, Stockholm, Sweden, June 2008, "Testing & Exploring Vulnerabilities of the Applications Implementing DNP3 Protocol". [Online]

Available: http://www.kth.se/ees/omskolan/organisation/centra/ekc2/publications/modules/publications_polopoly/reports/2008/XR-EE-ICS_2008_020.pdf

[23] Modbus Organization, "Modbus Application Protocol Specification". [Online]

Available: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf

[24] Peter Huitsing, Rodrigo Chandia, Mauricio Papa, Sujeet Shenoi, Department of Computer Science, University of Tulsa, August 2008, "Attack taxonomies for the Modbus protocols". [Online]

Available: http://www.ee.kth.se/php/modules/publications/reports/2008/XR-EE-ICS_2008_020.pdf

[25] Modbus Organization, "MODBUS over Serial Line Specification and Implementation Guide". [Online]

Available: http://www.modbus-ida.org/tech.php

[26] Modbus Organization, "MODBUS messaging on TCP/IP implementation guide". [Online]

Available: http://www.modbus-ida.org/toolkit.php

[27] Igor Nai Fovino, Andrea Carcano, Marcelo Masera and Alberto Trombetta, 2009, "Design and implementation of a secure Modbus protocol". [Online]

Available: http://www.springerlink.com/content/14h764755h412m15/

[28] I. Nai Fovino, A. Carcano, M. Masera, Institute for the Protection and Security of the Citizen, Joint Research Centre, EU Commission, via E. Fermi 1, 21027 Ispra, Italy, 2009, "A Secure and Survivable Architecture for SCADA Systems". [Online]

Available: http://portal.acm.org/citation.cfm?id=1603817

[29] Andrew Wright, N-Dimension Solutions, Daniel Thanos, GE Digital Energy, Carl Gunter, University of Illinois, Ed Beroset, Elster, Frances Cleveland, Xanthus Consulting, William Whyte, Ntru, Gilbert Sorebo, SAIC, Matthew Carpenter, InGuardians, Chris Ewing, SEL, Stan Klein, OSECS, Tim Yardley, University of Illinois, James Pace, Silver Springs Networks, Mauricio Papa, University of Tulsa, Don Berkowitz, S&C Electric Company, Bruce Barnett, GE Research, March 29, 2010, "Bottom-Up Cyber Security Analysis of the Smart Grid".

[30] David Heyerman, May 3, 2009, "The Smart Grid Frontier: Wide Open". [Online]

Available: http://tinycomb.com/2009/05/03/what-is-the-smart-grid/

[31] Ruggedcom, "Typical Cyber Security Network Architecture". [Online]

Available: http://www.ruggedcom.com/applications/cyber-security/

[32] Tsang, P.P. and Smith, S.W., 2008, in IFIP International Federation for Information Processing, Volume 278; Proceedings of the IFIP TC 11 23rd International Information Security Conference; Sushil Jajodia, Pierangela Samarati, Stelvio Cimato; (Boston: Springer), pp. 445-459. [Online]

Available: http://www.springer.com/computer/security+and+cryptology/book/978-0-387-09698-8

[33] Idaho National Laboratory, "Control Systems Cyber Security: Defense in Depth Strategies". [Online]

Available: http://csrp.inl.gov/Documents/Defense%20in%20Depth%20Strategies.pdf

[34] Dong-joo Kang, Hongik University, Korea, Rosslin John Robles, Department of Multimedia Engineering, Hannam University, 133 Ojeong-dong, Daeduk-gu, Daejeon, Korea, International Journal of Advanced Science and Technology, Volume 8, July 2009, "Compartmentalization of Protocols in SCADA Communication". [Online]

Available: http://www.sersc.org/journals/IJAST/vol8/4.pdf