TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG
UNIVERSITY OF ILLINOIS | DARTMOUTH COLLEGE | UC DAVIS | WASHINGTON STATE UNIVERSITY
FUNDING SUPPORT PROVIDED BY DOE-OE AND DHS S&T
GOALS
• Design a “physics-aware” Network Intrusion Detection System
(NIDS) for process control.
• Integrate NIDS cyber-physical state analytics within the process
data historian in EMS.
• Control environments include physical systems, switches, and control
programs.
• CONTROL: receive data from field devices → process → decide →
issue switching commands.
• The combination of the safe operations of the protective schemes and
the physical assets can be described by a Hybrid Automaton model.
• Basic question: Can we use such models as the baseline for “safe”
behavior and treat any set of messages and commands that is
inconsistent with that baseline as the indication of an attack/anomaly?
FUNDAMENTAL QUESTIONS/CHALLENGES
• Validation of Hybrid Control NIDS (HC-NIDS).
– We developed an experimental framework to test HC-NIDS that
combines simulated physical and control environments interacting
with actual logic controllers (Siemens PLC using Modbus TCP).
• Integration with Data Management Services (OSIsoft case study).
– We are collaborating with OSIsoft, one of the industry leaders in
ICS data management systems, to implement inclusion of sensor
tags for appropriately located network taps.
– HC-NIDS rules are then implemented as analytics/queries of the
OSIsoft database.
RESEARCH PLAN
BROADER IMPACT
• Operators are made aware of Cyber-Physical State.
FUTURE EFFORTS
• Blind HC-NIDS: Learn the rules by analyzing traffic.
• Integrate OSIsoft with Wireshark so that it can leverage the extensive
literature.
Cyber-Physical Data Analytics Based on “Hybrid Control” Network Intrusion Detection
Georgia Koutsandria, Masood Parvania, Reinhard Gentz, Mehdi Jamei, Vishak Muthukumar
Researchers: Masood Parvania, Sean Peisert, Chuck McParland, and Anna Scaglione
Functional Security Enhancements for Existing SCADA Systems
INTERACTION WITH OTHER PROJECTS
• TCIPG Specification-based IDS for the DNP3 Protocol.
• CEDS project with Lawrence Berkeley National Lab (LBNL).
• Design methodology for Hybrid Control NIDS (HC-NIDS).
– Each hybrid state corresponds to specific values for the switches
and specific ranges for the current, voltage, temperature, etc.
– Transitions between hybrid states are triggered by physical changes
and commands.
– Network packets, flowing between field devices and central
controllers, should only produce “allowed” transitions and “allowed”
hybrid states.
– HC-NIDS continuously monitors and analyzes the network traffic
exchanged by field devices that are used to activate the protection
schemes.
– HC-NIDS rule generation: commands and information
exchanged must be consistent with the protection hybrid automaton
model.
1. Simulink model: simulation of the physical application.
2. C MEX S-function: allows communication through the Modbus TCP protocol.
3. Emulation of the protection function in Ladder logic.
Validation Testbed
Example: Overcurrent Protection
Figure: hybrid automaton for the overcurrent protection example, with states q0–q7. Each state fixes the breaker values (CB1 = 0, CB2 = 0 together with I < Ip, or CB1 = 1, CB2 = 1 together with I = 0) and the values of M, S and N (N < 1, N < 2, N < 3, N < 4). Transitions are labelled N = 1, N = 2, N = 3 & I ≥ Ip, N = 3 & I < Ip, N = 3 & I = 0, N = 3 & 0 < I < Ip, and N = 4 / reset.
Figure: Simulink model shown alongside the hybrid automaton; below it, a packet timeline labelled “Injected network traffic” and “Normal network traffic”.
• The different data items of the different controllers have different colors.
• Source ID/Destination ID, function code, register, and value range (set) are different.
• The normal sequence is green → light green → blue → turquoise.
• Red packets are not part of it, so they are anomalies.
Arrows indicate phenomena that can be identified as attacks, since the switches’ state (CB) and current are not in the right combination.
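The two checks described on this poster, an allow-list of message signatures (source/destination, function code, register, value set) and the requirement that observed commands and readings only produce allowed hybrid-state transitions (the rule-generation bullets under the HC-NIDS design methodology), are sketched below as a small Python example. This is added illustration, not the project's HC-NIDS code. It assumes a single breaker using the figure's convention that CB = 1 means tripped with I = 0 and CB = 0 means closed with I below the pickup Ip, a constructed pickup threshold Ip = 100, a trip being legitimate only after N = 3 consecutive overcurrent samples, and a reset returning the breaker to closed; the device names, register addresses and the message trace are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Real Modbus function codes used in the constructed trace.
FC_READ_HOLDING = 0x03   # Read Holding Registers: reply carries the sampled current I
FC_WRITE_COIL = 0x05     # Write Single Coil: breaker command (CB <- value)

I_PICKUP = 100           # assumed pickup threshold Ip (constructed value)
TRIP_COUNT = 3           # assumed: trip permitted once N = 3 consecutive samples have I >= Ip
REG_CURRENT = 0x0010     # constructed register address holding I
COIL_CB = 0x0001         # constructed coil address for the breaker CB


@dataclass(frozen=True)
class Msg:
    """One Modbus/TCP-style message as the NIDS sees it on the network tap."""
    src: str
    dst: str
    fc: int
    reg: int
    value: int


# Cyber layer: allow-list of message signatures with the value set each may carry.
# Anything not in this table (other talkers, function codes, registers, values) is flagged.
ALLOWED: Dict[Tuple[str, str, int, int], object] = {
    ("RTU1", "PLC", FC_READ_HOLDING, REG_CURRENT): range(0, 10_000),
    ("PLC", "RTU1", FC_WRITE_COIL, COIL_CB): (0, 1),
}


class HybridControlNIDS:
    """Tracks the hybrid state (CB, N) of one breaker and flags messages that fall
    outside the allow-list or would produce a transition the automaton does not allow."""

    def __init__(self) -> None:
        self.cb = 0   # 0 = closed and carrying I < Ip; 1 = tripped, I must be 0
        self.n = 0    # consecutive overcurrent samples (the automaton's N)

    def check(self, m: Msg) -> List[str]:
        alerts: List[str] = []
        key = (m.src, m.dst, m.fc, m.reg)
        if key not in ALLOWED:
            return [f"unknown message signature {key}"]
        if m.value not in ALLOWED[key]:
            return [f"value {m.value} outside allowed set for {key}"]

        if m.fc == FC_READ_HOLDING:           # physical sample: current I
            if self.cb == 1 and m.value != 0:
                alerts.append(f"current {m.value} reported through tripped breaker")
            elif self.cb == 0 and m.value >= I_PICKUP:
                self.n += 1                   # another overcurrent sample: N advances
            else:
                self.n = 0                    # back below pickup: N resets
        else:                                 # command: CB <- value
            if m.value == 1 and self.cb == 0 and self.n < TRIP_COUNT:
                alerts.append(f"trip command with N={self.n} (< {TRIP_COUNT}) overcurrent samples")
            elif m.value == 0 and self.cb == 0:
                alerts.append("reset/close command while breaker already closed")
            self.cb = m.value                 # the field device will act on the command regardless
            if m.value == 0:
                self.n = 0
        return alerts


def scan(trace: List[Msg]) -> List[Tuple[int, str]]:
    """Run the NIDS over a message trace; returns (message index, alert) pairs."""
    nids = HybridControlNIDS()
    findings: List[Tuple[int, str]] = []
    for i, m in enumerate(trace):
        for alert in nids.check(m):
            findings.append((i, alert))
    return findings


def sample_trace() -> List[Msg]:
    """Constructed trace: normal polling, a legitimate trip and reset, then injected traffic."""
    def poll(i: int) -> Msg:
        return Msg("RTU1", "PLC", FC_READ_HOLDING, REG_CURRENT, i)

    def cmd(v: int) -> Msg:
        return Msg("PLC", "RTU1", FC_WRITE_COIL, COIL_CB, v)

    return [
        poll(42), poll(45),                    # 0-1: normal load, CB closed
        poll(150), poll(160), poll(170),       # 2-4: overcurrent, N reaches 3
        cmd(1),                                # 5: legitimate trip
        poll(0),                               # 6: tripped breaker, zero current: consistent
        cmd(0),                                # 7: reset, breaker closed again
        poll(40),                              # 8: normal load
        cmd(1),                                # 9: injected trip with no overcurrent: flagged
        poll(55),                              # 10: current through a "tripped" breaker: flagged
        Msg("HMI", "RTU1", 0x10, 0x0200, 1),   # 11: signature not in the allow-list: flagged
    ]


if __name__ == "__main__":
    for idx, reason in scan(sample_trace()):
        print(f"msg {idx}: {reason}")
```

The allow-list catches the cyber-layer anomalies (the "red packets"), while the state tracker catches traffic that is individually well-formed but inconsistent with the physical state, which is the case the poster's arrows point at: a breaker command or current reading that cannot belong to the protection scheme's allowed hybrid states.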
Figure (Cyber-Physical Analytics): a network tap feeds HC-NIDS; HC-NIDS values and the physical values are both stored in the Historian, on which the Cyber-Physical Process Control Data Analytics operate.
RESEARCH RESULTS (CON’T)
RESEARCH RESULTS