READ THIS Smart Grid Security


  • 7/29/2019 READ THIS Smart Grid Security


    SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM

    SECURITY ISSUES AND COUNTER MEASURES

    Raksha Sunku Ravindranath

    B.E., Visveswaraiah Technological University, Karnataka, India, 2006

    PROJECT

    Submitted in partial satisfaction of

    the requirements for the degree of

    MASTER OF SCIENCE

    in

    COMPUTER ENGINEERING

    at

    CALIFORNIA STATE UNIVERSITY, SACRAMENTO

    FALL

    2009


    SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM SECURITY ISSUES AND COUNTER MEASURES

    A Project

    by

    Raksha Sunku Ravindranath

    Approved by:

    __________________________________, Committee Chair

    Dr. Isaac Ghansah

    __________________________________, Second Reader

    Dr. Jing Pang

    ____________________________

    Date


    Student: Raksha Sunku Ravindranath

    I certify that this student has met the requirements for format contained in the University format

    manual, and that this project is suitable for shelving in the Library and credit is to be awarded for

    the Project.

    __________________________, Graduate Coordinator ________________

    Dr. Suresh Vadhva Date

    Department of Computer Engineering


    Abstract

    of

    SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM

    SECURITY ISSUES AND COUNTER MEASURES

    by

    Raksha Sunku Ravindranath

    This project discusses security issues, countermeasures and research issues in the Supervisory Control And Data Acquisition (SCADA) system. The SCADA system is used in the power sector for controlling and monitoring industrial processes. The major components in the SCADA system are the master terminal unit, the remote terminal unit and the communication link connecting them. Protocols used in this communication link are DNP3 (Distributed Network Protocol version 3.0) and Modbus. Vulnerabilities in these components lie in the policy, procedure, platform and protocols used. Countermeasures for these vulnerabilities are deployment of firewalls, intrusion detection systems, wrapping protocols in secure layers, enhancing protocol structure, etc. Some of these countermeasures do not provide complete security and hence require more research. A number of issues that require more research are also recommended.

    _______________________, Committee Chair

    Dr. Isaac Ghansah

    _______________________

    Date


    DEDICATION

    Om Sai Ram

    This project is dedicated to my lovely parents S.K Ravindranath, Asha Ravindranath, my dearly

    brother Raghav Kishan S.R., and my inspirational grandparents Adinarayana Gupta and Latha

    Gupta.


    ACKNOWLEDGMENTS

    It is a pleasure to thank everybody who helped me in successfully completing my Masters

    Project.

    First, my sincere thanks to my project supervisors, Dr. Isaac Ghansah, Professor, Computer

    Science and Engineering, and Dr. Jing Pang, Associate Professor, Department of Electrical and

    Electronic Engineering and Computer engineering, for giving me an opportunity to work under

    their guidance, and for providing me constant support throughout the project.

    I am also very grateful to Dr. Suresh Vadhva, Graduate Coordinator, Department of Computer

    Engineering, for his invaluable feedback and suggestions.

    My special thanks to my friend Vinod Thirumurthy who helped me in reviewing this report.

    I would like to take this opportunity to acknowledge and appreciate the efforts of California State

    University, Sacramento for its facilities and providing a good environment for the students to

    prosper in their academic life.

    Last but not least, I would like to thank my parents, S.K Ravindranath and Asha Ravindranath,

    and my brother Raghav Kishan S.R. for their moral and financial support. I am very grateful for

    their continuous support and never ending encouragement that they have provided throughout my

    life.


    TABLE OF CONTENTS

    Page

    Dedication ....................................................................................................................................... v

    Acknowledgments........................................................................................................................... vi

    List of Tables ................................................................................................................................. xii

    List of Figures ............................................................................................................................... xiii

    List of Abbreviations ..................................................................................................................... xv

    Chapter

    1 INTRODUCTION ..................................................................................................................... 1

    1.1 Introduction To SCADA .................................................................................................... 2

    1.2 SCADA System Components And Functions .................................................................... 4

    1.3 Literature Review ................................................................................................................ 7

    1.4 Conclusion .......................................................................................................................... 9

    2 SCADA SYSTEM REQUIREMENTS AND THREATS ....................................................... 10

    2.1 Requirements In A SCADA System ................................................................................. 10

    2.2 Threats To SCADA Network ............................................................................................ 13

    3 MASTER TERMINAL UNIT AND REMOTE TERMINAL UNIT VULNERABILITIES

    AND COUNTERMEASURES ................................................................................................ 16

    3.1 Introduction ....................................................................................................................... 16

    3.2 Vulnerabilities In The SCADA System ............................................................................ 17

    3.2.1 Public Information Availability ............................................................................... 21

    3.2.2 Policy And Procedure Vulnerabilities ...................................................................... 22

    3.2.3 Platform Vulnerabilities ........................................................................................... 24


    3.2.3.1 Platform Configuration Vulnerabilities......................................................... 24

    3.2.3.1.1 Operating System Related Vulnerabilities ..................................... 25

    3.2.3.1.2 Password Related Vulnerabilities ................................................. 25

    3.2.3.1.3 Access Control Related Vulnerabilities ......................................... 26

    3.2.3.2 Platform Software Vulnerabilities ................................................................ 26

    3.2.3.2.1 Denial Of Service ............................................................................ 26

    3.2.3.2.2 Malware Protection Definitions Not Current And Implemented

    Without Exhausting Testing ........................................................... 27

    3.3 Countermeasures For MTU And RTU Security Issues .................................................... 27

    3.3.1 Counter measures For Policy And Procedure Vulnerabilities ................................ 28

    3.3.2 Regular Vulnerability Assessments ........................................................................ 28

    3.3.3 Expert Information Security Architecture Design .................................................. 29

    3.3.4 Implement The Security Features Provided By Device And System Vendors ....... 29

    3.3.5 Establish Strong Controls Over Any Medium That Is Used As A Backdoor Into

    The SCADA Network ............................................................................................. 30

    3.3.6 Implement Internal And External Intrusion Detection Systems And Establish

    24-hour-a-day Incident Monitoring ........................................................................ 30

    3.3.7 Conduct Physical Security Surveys And Assess All Remote Sites Connected

    To The SCADA Network ....................................................................................... 31

    3.3.8 Firewalls And Intrusion Detection System ............................................................. 31

    3.3.9 Electronic Perimeter ................................................................................................ 32

    3.3.10 Domain-Specific IDS ............................................................................................ 33

    3.3.11 Creating Demilitarized Zones (DMZs) ................................................................ 34

    3.3.12 Low Latency And High Integrity Security Solution Using Bump In The Wire

    Technology For Legacy SCADA Systems .......................................................... 35


    4 DISTRIBUTED NETWORK PROTOCOL 3 VULNERABILTIES AND

    COUNTERMEASURES .......................................................................................................... 39

    4.1 Introduction To SCADA Communication Network ........................................................ 39

    4.2 Some General Vulnerabilities In SCADA Network ........................................................ 41

    4.3 SCADA Communication Protocols ................................................................................. 42

    4.4 DNP3 Protocol ................................................................................................................. 42

    4.4.1 Introduction To DNP3 Protocol ............................................................................. 42

    4.4.2 DNP3 Communication Modes ................................................................................ 44

    4.4.3 DNP3 Network Configurations ............................................................................... 44

    4.4.4 DNP3 Data Link Layer ........................................................................................... 46

    4.4.5 DNP3 Protocol Layer: Pseudo Transport Layer ................................................... 48

    4.4.6 DNP3 Protocol Layer: Application Layer ............................................................. 48

    4.5 DNP3 Protocol Vulnerabilities And Attacks .................................................................. 50

    4.6 Countermeasures For Enhancing DNP3 Security ........................................................... 55

    4.6.1 Solutions That Wrap The DNP3 Protocols Without Making Changes To The Protocols .................................................................................................... 55

    4.6.1.1 SSL/TLS Solution .................................................................................... 56

    4.6.1.2 IPSec (secure IP) Solution ....................................................................... 57

    4.6.2 Enhancements To DNP3 Applications................................................................... 57

    4.6.3 Secure DNP3 .......................................................................................................... 60

    4.6.4 Distributed Network Protocol Version 3 Security (DNPSec) Framework............. 62

    4.7 Comparison Of DNP3 Countermeasures ......................................................................... 65

    5 MODBUS PROTOCOL VULNERABILITIES AND COUNTERMEASURES ................... 67

    5.1 Introduction To Modbus Protocol .................................................................................... 67


    5.2 Protocol Specifics ............................................................................................................ 69

    5.3 Modbus Serial Protocol ................................................................................................... 71

    5.4 Modbus TCP protocol ...................................................................................................... 72

    5.5 Vulnerabilities And Attacks In Modbus Protocol ............................................................ 73

    5.5.1 Serial Only Attacks .............................................................................................. 73

    5.5.2 Serial And TCP Attacks ........................................................................................ 74

    5.5.3 TCP Only Attacks ................................................................................................. 75

    5.6 Countermeasures For Enhancing Modbus Security ......................................................... 76

    5.6.1 Secure Modbus Protocol ........................................................................................ 76

    6 RESEARCH ISSUES .............................................................................................................. 89

    6.1 Performance Requirements Of SCADA Systems ............................................................ 89

    6.2 Authentication And Authorization Of Users At The Field Substations ........................... 89

    6.3 Enhancing The Security Of Serial Communication ......................................................... 90

    6.4 Access Logs For The IEDs In Substations ..................................................................... 90

    6.5 Attacks From Which Side Channel Information Can Be Obtained ................................. 90

    6.6 Timing Information Dependency ..................................................................................... 91

    6.7 Software Patches Update ................................................................................................. 91

    6.8 Intrusion Detection Equipment For The Field Devices And The Control Systems ......... 92

    6.9 Authentication Of The Users To Control System Equipment ......................................... 92

    6.10 Legacy Systems With Limited Processing Power And Resources ................................ 92

    6.11 Roles To Be Defined In The Control Center ................................................................. 93

    7 CONCLUSION ........................................................................................................................ 94

    7.1 Summary .......................................................................................................................... 94


    7.2 Strengths and Weaknesses ............................................................................................... 96

    7.3 Future Work ..................................................................................................................... 97

    References ...................................................................................................................................... 98


    LIST OF TABLES

    Page

    Table 3-1: List Of Potential And Present Vulnerabilities In MTU And RTUs.............................. 21

    Table 4-1: Comparison Of Security Approaches ........................................................................... 59

    Table 4-2: New Functions Codes Introduced To Support The Secure DNP3 Protocol ................. 62

    Table 5-1: Functions Codes In A Modbus Protocol Frame ........................................................... 70

    Table 5-2: Exceptions Functions Codes For Modbus Protocol ..................................................... 70

    Table 5-3: Comparison Of Communication Latency ..................................................................... 83

    Table 5-4: Comparison Of Packet Size .......................................................................................... 83

    Table 5-5: Communication Latency With Modbus And Secure Modbus: Master Scan Rate Of 500ms And A Connection Timeout Of 1200ms ........................ 87

    Table 5-6: Modbus/TCP And Secure Modbus/TCP Packets Size, Tested With

    Different Functions ....................................................................................................... 87

    Table 5-7: Communication Latency In The Different Communications Steps ............................. 88


    LIST OF FIGURES

    Page

    Figure 1-1 : Conceptual Smart Grid Architecture ........................................................................... 2

    Figure 1-2: SCADA An Integral Component Of Smart Grid .......................................................... 3

    Figure 1-3: SCADA System Components ....................................................................................... 4

    Figure 3-1: Security Vulnerabilities Pattern .................................................................................. 18

    Figure 3-2: Interconnected SCADA Network ............................................................................... 20

    Figure 3-3: Basic Functions Of SCADA Security Policy .............................................................. 28

    Figure 3-4: Firewall And Intrusion Detection System Implementation Between Enterprise

    And SCADA Control System ..................................................................................... 32

    Figure 3-5: Electronic Perimeter Implementation In SCADA System .......................................... 33

    Figure 3-6: Demilitarized Zones Architecture ............................................................................... 34

    Figure 3-7: Model For Bump In The Wire Approach .................................................................... 35

    Figure 3-8: (a) YASIR Transmitter (b) Communication Link (c) YASIR Receiver ..................... 37

    Figure 4-1: Modern SCADA Communication Architecture .......................................................... 40

    Figure 4-2: DNP3 Network Configurations ................................................................................... 45

    Figure 4-3: Design Progression From OSI To DNP3 .................................................................... 46

    Figure 4-4: DNP3 Protocol Data link Layer Frame Structure ....................................................... 47

    Figure 4-5: DNP3 Pseudo-Transport Message Fields ..................................................................... 48

    Figure 4-6: DNP3 Application Message ......................................................................................... 50

    Figure 4-7: Threat Categories For DNP3 ....................................................................................... 51


    Figure 4-8: Protocol Stack(Gray-background protocols are secured alternatives) ........................ 56

    Figure 4-9: Authentication Using Authentication Octets .............................................................. 58

    Figure 4-10: Message Sequence In Challenge-Response Mode .................................................... 61

    Figure 4-11: Message Flow In Aggressive Mode .......................................................................... 61

    Figure 4-12: DNPSec Protocol Structure ....................................................................................... 63

    Figure 4-13: DNPSec Request/Response Link Communications .................................................. 64

    Figure 5-1: Modbus Protocol And ISO/OSI Model Comparison .................................................. 67

    Figure 5-2: Modbus Communication Stack ................................................................................... 68

    Figure 5-3: Modbus Protocol Frame Format ................................................................................. 69

    Figure 5-4: Modbus Serial Architecture ........................................................................................ 71

    Figure 5-5: Modbus TCP Architecture .......................................................................................... 72

    Figure 5-6: Secure Modbus Application Data Unit ....................................................................... 78

    Figure 5-7: Modbus Secure Gateway ............................................................................................ 79

    Figure 5-8: Secure Modbus Module .............................................................................................. 81

    Figure 5-9: SCADA Test bed Developed To Verify Secure Modbus Protocol ............................. 82

    Figure 5-10: High Level Secure Survivable Architecture.............................................................. 85

    Figure 5-11: Filtering Unit Prototype ............................................................................................ 86


    LIST OF ABBREVIATIONS

    SCADA: Supervisory control and data acquisition

    MTU: Master Terminal Unit

    RTU: Remote Terminal Unit

    DNP3: Distributed Network Protocol version 3

    SSL: Secure Socket Layer

    TLS: Transport Layer Security

    PLC: Programmable Logic Controller

    IED: Intelligent Electronic Device

    LAN: Local Area Network

    PSTN: Public Switched Telephone Network

    DHS: Department of Homeland Security

    CSSP: Control Systems Security Program

    NCSD: National Cyber Security Division

    INEEL: Idaho National Engineering and Environmental Laboratory

    NERC: North American Electric Reliability Council

    CIP: Critical Infrastructure Protection

    NIST: National Institute of Standards and Technology

    PCSRF: Process Control Security Requirements Forum

    PCSF: Process Control System Forum

    IDS: Intrusion Detection Systems

    DNS: Domain Name Service

    FERC: Federal Energy Regulatory Commission


    DRP: Disaster Recovery Plan

    DoS: Denial of Service

    IEC: International Electrotechnical Commission

    EPA: Enhanced Performance Architecture

    CRC: Cyclic Redundancy Check

    ICV: Integrity Check Value

    HMAC: Hash-based Message Authentication Code

    ASCII: American Standard Code for Information Interchange

    PDU: Protocol Data Unit

    MBAP: Modbus application protocol

    NTP: Network Time Protocol

    YASIR: Yet Another SecurIty Retrofit

    BITW: Bump In The Wire

    DMZ: Demilitarized Zones


    Chapter 1

    INTRODUCTION

    Presently the electric industry consists of a more centralized, producer-controlled network. The transformation of this network to a more decentralized and consumer-interactive network is the Smart grid [1]. The need for the smart grid has surfaced because the demand for power has been increasing constantly. With the introduction of the smart grid, consumers will be empowered to manage their energy usage in a more efficient and economical way. The smart grid will also allow an increase in the productivity and efficiency of how power is delivered, as well as improving power reliability [1].

    In addition to this, smart grid technology allows us to overcome challenges such as increasing power demand, aging utility infrastructure, and the environmental impact of greenhouse gases produced during electric generation. With the deployment of the smart grid, power can be used in a more effective manner and the carbon content in the environment can be reduced drastically. Another advantage is a reduction in the investment in primary equipment. Thus the main focus is to make the grid more automated in order to provide the above functionalities. Figure 1-1 is a conceptual architecture of the smart grid. The components named as generators, central power plant and isolated microgrid in the figure are all connected through a Supervisory Control And Data Acquisition (SCADA) architecture [1].


    Figure 1-1: Conceptual Smart Grid Architecture [30]

    1.1 Introduction To SCADA

    In addition to being used in the electrical power system, SCADA is also used in other critical infrastructures such as oil and gas refining systems, water supply and transportation. Critical infrastructures that do not necessarily use the SCADA system we are discussing here include telecommunications, banking and finance, emergency services, etc. Clearly, critical infrastructure is one of the most important factors supporting a nation's life. Figure 1-2 gives a high level view of the Smart grid and shows where the SCADA system lies in it. The enterprise, control center, field area network and substation are all part of the SCADA architecture [1].


    Figure 1-2: SCADA As An Integral Component Of Smart Grid [29]

    SCADA systems are widely deployed in critical infrastructure industries, where they provide remote supervision and control. SCADA consists of automated processes developed to assist in the management and control of the electrical power grid. SCADA consists of complex interconnected controls, which adds challenges to delivering secure and reliable service. The basic function of a SCADA system is to monitor and control the equipment that is responsible for delivering power. Extended functionality of SCADA includes fault detection, equipment isolation and restoration, load and energy management, automated meter reading, and substation control. The SCADA systems used today by the utilities were developed and deployed many years ago. At that time there was no internet, public or private network. Hence, the only security threat was physical destruction of the systems. With the introduction of equipment automation and deregulation, SCADA systems needed to have some kind of interconnected network. The need for remote connections to these control devices exposed the network to a completely new set of vulnerabilities [2].


    1.2 SCADA System Components And Functions

    SCADA is a congregation of independent systems that measure and report in real time both local and geographically remote distributed processes. It is a combination of telemetry and data acquisition that enables a user to send commands to distant facilities and collect data from them. Telemetry is a technique used in transmitting and receiving data over a medium. Data acquisition is a method of collecting data from the equipment being controlled and monitored. The layout and functions of the SCADA system are discussed in this section [3].

    Figure 1-3: SCADA System Components [4]

    As shown in Figure 1-3, the fundamental components of the SCADA control system are the master terminal unit, the communication network and the remote terminal units. The supervisory control and monitoring station, also called the master terminal unit (MTU), consists of an engineering workstation, human machine interface, application servers, and communications router. The master terminal unit issues commands to distant facilities, gathers data from them, interacts with other systems in the corporate intranet for administrative purposes, and interfaces with human operators. The master terminal unit has full control over the distributed remote processes. Commands sent from the MTU to distant facilities can be issued either manually using a human machine interface or by automation [4].

    A human machine interface program runs on the master terminal unit computer. This basically consists of a diagram which mimics the whole plant, making it easier to identify with the real system. Every input/output point of the remote systems can be represented graphically, with the current configuration parameters being displayed. Configuration parameters such as trip values and limits can be entered on this interface. This information will be communicated through the network and downloaded onto the operating systems of the corresponding remote locations, which would update all the values. A separate window with a list of alarms set up in the remote station network can also be displayed. The window displays the alarm tag name, description, value, trip point value, time, date and other important information. Trend graphs can also be displayed. These graphs show the behavior of a certain unit by logging values periodically and displaying them in a graph. If any abnormal behavior of the unit is seen, then the appropriate actions can be taken at the right time [4].

    The remote sites in Figure 1-3 are known as field sites. The field site basically consists of so-called field instrumentation, which are devices that are connected to the equipment or machines being controlled and monitored by the SCADA system. The devices include sensors to monitor certain parameters and actuators for controlling certain modules of the system. Other devices in the field sites are controllers, pulse generators, etc. [4].


    These devices convert physical parameters to electrical signals which are readable by the remote station equipment. The outputs can be read in either analog or digital form. Generally voltage outputs have fixed levels like 0 to 5V, 0 to 10V, etc. Voltage levels are transmitted when sensors are located close to the controllers, and current levels are transmitted when they are located far from the controllers. A digital reading can be used to check if the system has been enabled or disabled, i.e. in operation or out of operation. Actuators help in sending out commands to the equipment, i.e. turning the equipment on and off [4].

    The field instrumentation we just described is interfaced with a controller called a remote terminal unit (RTU) or programmable logic controller (PLC). Both of them basically consist of a computer controller which can be used for process manipulation at the remote site. They are interfaced with the communication system connected to the master terminal unit (MTU). The PLC has very good programmability features, while RTUs have better interfaces to the communication lines. The advancement in this area is the merging of PLC and RTU to exploit both sets of features. Hence the overall function of this architecture is that the MTU communicates with one or more remote RTUs by sending requests for information that those RTUs gather from devices, or instructions to take an action such as opening and closing valves, turning switches on and off, etc. [4].

An intelligent electronic device (IED) is a protective relay that communicates with the remote terminal unit. Several IEDs can be attached to one RTU, which polls them and collects their data. IEDs also interface directly with sensors and controls, and they carry local logic that lets them act without waiting for commands from the control center. This makes the RTU more autonomous and reduces the amount of traffic exchanged with the MTU [4].

The communication medium between the MTU and the RTUs ranges from wired networks such as the public switched telephone network (PSTN) to wireless or radio links. The MTU and the administrative systems are connected over a local area network (LAN). The most common protocols on the MTU to RTU link are the Distributed Network Protocol (DNP3) and Modbus. DNP3 is an open standard and the more recent of the two; older systems use Modbus. Both have been adopted by many SCADA vendors, and both have been extended to run over TCP/IP. An enterprise network is also connected to the control system described above. This connection gives decision makers access to real-time information and lets engineers monitor and control the control system from the enterprise side [4].

The architecture described above has a number of vulnerabilities. The MTU and RTUs are connected over the Internet, the PSTN, cable or wireless links, and the security issue common to all of these is eavesdropping; wireless and Internet links are additionally exposed to replay and denial of service attacks. Outside vendors, consumers and business partners reach the enterprise network over the Internet connection shown in figure 1-3, and because the enterprise network is connected to the control system, these parties have indirect access to the MTU and can mount attacks on the architecture. Remote stations also carry a maintenance interface, reached over a wireless protocol or a remote modem, that field operators use from handheld devices; an unauthorized person who obtains such a handheld device can harm the system. Several more security issues in this architecture are covered later in this project [4].
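To make concrete what "minimal security" means for the protocols named above, and why the eavesdropping and replay concerns apply to them, here is an added Python example that is not part of the original project. It builds and decodes Modbus/TCP frames (the MBAP header followed by a Modbus PDU, as the Modbus/TCP specification defines them) and runs them through a toy outstation that, like a real Modbus slave, acts on any well-formed frame. The coil address, unit identifier and the ToyOutstation class are assumptions made for the demonstration.

```python
# Added example, not from the original project: Modbus/TCP frames carry no
# authentication or freshness field, so an outstation cannot distinguish a
# replayed copy of a captured command from the original.
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05


def build_request(transaction_id, unit_id, function_code, pdu_data):
    """Prefix a Modbus PDU with the MBAP header used on TCP port 502."""
    pdu = struct.pack(">B", function_code) + pdu_data
    # The MBAP length field counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def read_holding_registers(transaction_id, unit_id, start, count):
    return build_request(transaction_id, unit_id, FC_READ_HOLDING_REGISTERS,
                         struct.pack(">HH", start, count))


def write_single_coil(transaction_id, unit_id, address, on):
    # Modbus encodes coil ON as 0xFF00 and OFF as 0x0000.
    return build_request(transaction_id, unit_id, FC_WRITE_SINGLE_COIL,
                         struct.pack(">HH", address, 0xFF00 if on else 0x0000))


def parse_frame(frame):
    """Split a Modbus/TCP frame into its header fields and PDU payload."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return {"transaction_id": tid, "unit_id": uid,
            "function_code": frame[MBAP_LEN], "data": frame[MBAP_LEN + 1:]}


class ToyOutstation:
    """Stand-in for an RTU/PLC (an assumption for the demo). Like a real
    Modbus slave it acts on every well-formed frame; nothing in the frame
    says who sent it or whether it has been seen before."""

    def __init__(self):
        self.coils = {}
        self.log = []

    def handle(self, frame):
        req = parse_frame(frame)
        if req["function_code"] == FC_WRITE_SINGLE_COIL:
            addr, value = struct.unpack(">HH", req["data"])
            self.coils[addr] = (value == 0xFF00)
            self.log.append(("write_coil", req["transaction_id"], addr, self.coils[addr]))
        return req


def replay_demo():
    """Operator energizes coil 0x0010, then de-energizes it. An eavesdropper
    who captured the first frame replays it unchanged and the coil goes back
    on. Returns (final coil state, outstation log)."""
    station = ToyOutstation()
    captured = write_single_coil(1, unit_id=1, address=0x0010, on=True)
    station.handle(captured)
    station.handle(write_single_coil(2, unit_id=1, address=0x0010, on=False))
    station.handle(captured)  # replay: same transaction id, same bytes
    return station.coils[0x0010], station.log
```

Running replay_demo() leaves the coil energized and the log shows three accepted writes with transaction ids 1, 2, 1. The repeated id is the only trace of the replay, and Modbus slaves do not check it. The gap is closed only outside the protocol, for example by an authenticated tunnel between MTU and RTU, or, for DNP3, by its later secure authentication extension.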

    1.3 Literature Review

In this section we discuss the work done on SCADA security by other organizations and the ways in which they are addressing security issues.

Critical infrastructure protection is of prime importance since it directly affects citizens. The Department of Homeland Security (DHS) is responsible for infrastructure protection [5]. Among the security programs formed by DHS is the Control Systems Security Program (CSSP) of its National Cyber Security Division (NCSD), whose main task is identifying, analyzing and reducing cyber risks in control systems.

The Idaho National Engineering and Environmental Laboratory (INEEL), together with Sandia National Laboratories, has built a SCADA test bed consisting of a functional power grid and a wireless test bed. It is used to validate developed protocols before they are deployed in a production environment. Sandia has also formed a Center for SCADA Security, where research, training, red-team exercises and standards development take place. Researchers at Sandia recently developed and published a SCADA Security Policy Framework [6], intended to ensure that every critical topic is adequately addressed by a specific policy.

Standards bodies such as NIST (National Institute of Standards and Technology) and NERC (North American Electric Reliability Council) also address control system security. NERC has finalized cyber security standards [7] that establish requirements for security management programs, electronic and physical protection, incident reporting and recovery plans, and NIST, through its Process Control Security Requirements Forum (PCSRF), has defined a set of common security requirements for existing and new control systems across various industries [8] [9].

The Process Control Systems Forum (PCSF), founded in February 2005, has the mission of accelerating the design, development and deployment of more secure control and legacy systems that are crucial to securing critical infrastructures. Many other organizations also carry out research on SCADA security. This project covers present and potential security issues in SCADA systems and discusses a few countermeasures that have been verified on the test beds developed by some of the organizations above [5].


    1.4 Conclusion

SCADA architecture helps the smart grid meet its goals in a number of ways. For instance, suppose the power demand of an industrial area peaks during the daytime and falls at night. The utility can then signal the SCADA network of the generation units to reduce the amount of power generated during off-peak hours, which makes better use of generating capacity and reduces greenhouse gas emissions. Because hackers or disgruntled employees could send the same kind of signal to the SCADA network, potentially destabilizing the power grid or injecting false data, it is important to research the security issues in the SCADA architecture so that they can be corrected.

The core of this project is to understand the SCADA architecture and identify its current and potential security vulnerabilities. The project also covers countermeasures that can be applied against these issues, and research issues that still need to be explored. Chapter 2 describes the requirements of a SCADA system and the threats it faces. Chapter 3 discusses master terminal unit and remote terminal unit security issues and countermeasures. Chapters 4 and 5 discuss security issues and countermeasures for the DNP3 and Modbus communication protocols. Chapter 6 discusses the research issues that still need more work in order to provide good security. Chapter 7 gives the conclusion, strengths, weaknesses and future work.


    Chapter 2

    SCADA SYSTEM REQUIREMENTS AND THREATS

This chapter discusses the requirements of a SCADA system that must be satisfied when developing security solutions, and lists the threats the SCADA system faces.

    2.1 Requirements In A SCADA System

In order to find the security concerns in present SCADA systems and to develop security measures, it is important to understand the requirements of a SCADA system [10]. The following considerations apply when looking into the security of a SCADA system:

1. Some sections of a SCADA network are time-critical. They can tolerate a bounded amount of delay and jitter, but if those bounds are exceeded the operation of the network may be hampered. A few sections of the architecture also need deterministic inputs; a digital system whose inputs can only be 0 or 1 (turn the unit on or off) is an example. These performance requirements are essential to the normal operation of the network [10].

2. The availability of the SCADA system is extremely important. Its components must respond in a timely manner so that continuous processes are not disrupted. Unexpected outages are not acceptable in an industrial control system, because they set off a chain reaction that disturbs a whole set of running processes and can bring the system down. To prevent such incidents, pre-deployment testing is essential to ensure high availability. When unexpected outages do occur, many control systems cannot simply be stopped and restarted without affecting production, and in some cases the product being made or the equipment being used matters more than the information being relayed. Strategies such as rebooting the system are therefore unacceptable in some situations, because they conflict with the requirements of high availability, reliability and maintainability. One solution is to install redundant components running in parallel, so that they provide continuity when primary components become unavailable. A further advantage is that the primary system can be updated and maintained while the redundant system takes over its functions for a period of time [10].

3. One of the most important requirements in any industrial system is managing risk, and human safety comes first. Safety and fault tolerance are essential to prevent loss of life, endangerment of public health or confidence, loss of equipment, loss of intellectual property and damage to products. Complying with regulatory terms and conditions addresses these concerns to a great extent. Personnel who operate and maintain the SCADA system must also understand the link between safety and security, including the situations in which security must give way to safety [10].

4. In a typical IT system the focus is on protecting information wherever it is stored, usually centrally. In a SCADA system the information held in edge devices such as PLCs and RTUs is at least as critical, since these devices directly control the end processes. At the same time the SCADA system's central server must also be secured, because a compromise there would affect every edge device as well [10].


5. A SCADA system comprises many complex interactions that translate into physical events. Consequently, every security function integrated into the SCADA system must be tested (for example off-line, on a comparable SCADA system) to prove that it does not compromise normal SCADA functionality [10].

6. Time-critical responses on a SCADA system must be handled carefully. Requiring password authentication at the human-machine interface could interfere with the actions an operator needs to take, for instance during an emergency, yet the flow of information must not be interrupted or compromised either. For this reason, access to these systems should be restricted mainly by physical security controls [10].

7. SCADA systems are heavily resource-constrained. Real-time operating systems are often constrained, with limited computational and memory resources, which makes it difficult to add many security features: retrofitting new security capabilities consumes those resources and can slow the system so that it no longer meets its time-critical requirements. Another concern is that introducing third-party security solutions into the SCADA architecture may violate the vendor's license agreement and cost the organization vendor support for that equipment [10].

8. Maintaining the integrity of the SCADA system is of paramount importance. Unpatched software, for example, is one of the greatest vulnerabilities of a system, yet the nature of a SCADA system makes it very hard to update software regularly. A number of steps must be carried out before an update can be applied: the update must be tested thoroughly in an environment that emulates the industrial process, backup systems can be configured to replace the primary systems during the update, and the update must be revalidated before it is deployed on the network. Sometimes the operating system is no longer supported by the vendor, so patches are not available for it at all. The same considerations apply to firmware and hardware updates. These are all cases in which the integrity of the system could be compromised, so every such change must be assessed by engineers with expertise in those areas before it is applied [10].

9. The lifetime of the components used in a SCADA system is often 15 to 20 years, and the technology has been developed for very specific uses. When adding security features, care must therefore be taken that they remain effective and supported over the entire operating lifetime of the components [10].

    2.2 Threats To SCADA Network

There are a number of threats to the SCADA network, which can be classified into the following categories [10].

Attackers: attackers who break into the network not to cause intentional harm but to test their hacking skills. Attack scripts are freely available on the Internet and can be used against the network, so even an attacker with little knowledge or skill can cause some harm. One or a few such people cause limited damage, but the risk rises when large numbers of people attack the network. Because attack tools are readily available and have become easy to use, these attackers pose a significant threat to the SCADA network: they can cause a brief disruption of normal operation that nonetheless results in serious damage [10].


worms that spread through the network and damage files and hard drives can have a very serious impact [10].

Terrorist groups: these groups can cause harm on such a scale that it disrupts people's daily lives. They seek to destroy, incapacitate or exploit the network in order to threaten national security, cause deaths, weaken the economy and damage public morale and confidence. One of their strategies is to attack one system as a diversion and then strike other systems that are receiving less attention at that time [10].


    Chapter 3

    MASTER TERMINAL UNIT AND REMOTE TERMINAL UNIT VULNERABILITIES AND

    COUNTERMEASURES

    3.1 Introduction

A SCADA system now works alongside the corporate environment, although it was originally designed to operate as an isolated unit. The core intention of control system design was efficiency rather than security. Another common practice among SCADA providers is remote access to perform routine maintenance. The communication protocols of the SCADA system were designed with minimal security features. Together, these design decisions and operating practices are the reasons for the security weaknesses of SCADA systems, and such vulnerabilities in critical infrastructure make it very susceptible to cyber attacks: adversaries can identify them and execute attacks. The effects of those attacks and their consequences are discussed below [10].

Physical impacts: the direct consequences of SCADA misoperation. The most important potential effects are personal injury and loss of life; others include loss of property (including data) and damage to the environment.

Economic impacts: these follow from the physical impact of a cyber intrusion. The ripple effect of a physical impact can cause severe economic loss for the facility or company, and in the worst case a negative effect on the local, national or even global economy.


Social impact: physical and economic damage leads to a loss of public and national confidence in the organization. This is generally overlooked, yet it is a very real target and one that can be reached through cyber attacks; social impacts may lead to heavily depressed public confidence or the rise of popular extremism.

Because of the prevalent security threats and the magnitude of their consequences, various organizations are studying and researching how to combat attacks on SCADA systems, with the further aim of building a more secure SCADA system for the future. The following sections discuss the platform vulnerabilities of the master terminal unit and the remote terminal unit, how these loopholes are introduced, and the effects of exploiting them.

    3.2 Vulnerabilities In The SCADA System

Figure 3-1 shows the trend in reported security vulnerabilities from 1995 to the first half of 2003. The exponential increase is due to the increased accessibility of SCADA systems to the outside world [4].


    Figure 3-1: Security Vulnerabilities Pattern [4]

Source: GAO analysis based on Carnegie-Mellon University's CERT Coordination Center data

A general misconception about SCADA systems is that "the SCADA system resides on a physically separate, standalone network" [11]. Historically, most SCADA systems were built before the other components of the network and were indeed separate from the rest of it, which has led IT managers to believe that these systems cannot be reached from the corporate network or from a remote access point. That belief is usually wrong. In reality the SCADA network and the corporate network are now more often bridged (figure 1-3), because of two recent changes in information management practices:

The first is the growing demand for remote access, which has encouraged many utilities to establish connections to the SCADA system so that SCADA engineers can monitor and control it remotely from points on the corporate network [11].


The second is the need for information to support corporate decisions. Many utilities have allowed corporate connections to the SCADA system because it gives senior management and corporate decision-making processes instant access to critical information and operational status [11].

The second widespread false belief is that "connections between SCADA systems and other corporate networks are protected by strong access control" [11]. Many interconnections between corporate networks and SCADA systems require the integration of systems with different communication standards, producing an infrastructure engineered to move data successfully between two unlike systems. The complexity of integrating disparate systems overshadows the need to address the security risks that accompany such arrangements. As a result, the access controls protecting SCADA systems from unauthorized access via the corporate network are usually minimal, mainly because network managers overlook key access points connecting the networks. Strategic use of internal firewalls and intrusion detection systems (IDS), coupled with strong password protection, is highly recommended [11].

The third misconception is that "SCADA systems require specialized knowledge, making it difficult for network intruders to access and control them" [11]. It rests on the assumption that intruders need in-depth knowledge of SCADA design and implementation. That assumption does not hold in the current utility environment, which is highly interconnected and vulnerable to cyber attacks. Figure 3-2 shows such a highly interconnected SCADA network.


    Figure 3-2 : Interconnected SCADA Network [33]

Utility companies, as key components of the nation's critical infrastructure, are a prime target for cyber terrorists, as opposed to disorganized hackers. These attackers are highly motivated and well funded, and may have insider knowledge of the system. A well-equipped attacker whose sole intention is to disrupt SCADA operation will obtain a detailed understanding of the SCADA system and its vulnerabilities by any means available.

The following sections list the vulnerabilities of the SCADA system. Some are already present in SCADA systems, while others are potential vulnerabilities; table 3-1 lists them and indicates which is which.


Vulnerability                           | Potential / currently present in SCADA system
Public Information Availability         | Present vulnerability
Policy and Procedure vulnerabilities    | Potential vulnerability
Platform Configuration vulnerabilities  | Potential vulnerability

Table 3-1: List Of Potential And Present Vulnerabilities In MTU And RTUs

    3.2.1 Public Information Availability

Often, too much information about a utility company's corporate network is easily available through routine public queries, and this information can be used to mount a more focused attack against the network [11]. Examples of this vulnerability:

Websites often provide data useful to network intruders about company structure, employee names, e-mail addresses and even corporate network system names.

Domain name service (DNS) servers that permit zone transfers reveal IP addresses, server names and e-mail information.
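The zone-transfer exposure is easy to test for, and the test is worth having in a utility's own reconnaissance checklist. The following Python example is added here and is not part of the original project: it forms a DNS AXFR request in raw wire format (RFC 1035 header and question, with the two-byte length prefix DNS uses over TCP) and classifies the reply. A correctly configured name server answers REFUSED (RCODE 5) to anyone but its secondaries; one that returns records is leaking the zone. The zone name example.com and the run_check() function's server argument are placeholders, and the two sample replies are constructed for offline use.

```python
# Added example, not from the original project: send a DNS zone-transfer
# (AXFR) request in raw wire format and classify the reply.
import socket
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """One-question query with QTYPE=AXFR, prefixed with the 2-byte TCP length."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: standard query
    question = encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)
    message = header + question
    return struct.pack(">H", len(message)) + message


def classify_response(message):
    """Return (rcode name, answer count) from a DNS message without its TCP prefix."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", message[:12])
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, str(rcode)), an


def zone_transfer_exposed(message):
    """True when the server answered the AXFR with records instead of refusing."""
    rcode, answers = classify_response(message)
    return rcode == "NOERROR" and answers > 0


def run_check(server, zone, timeout=5.0):
    """Live check (needs network): classify the first message of the AXFR reply."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone))
        prefix = sock.recv(2)
        if len(prefix) < 2:
            return ("NO-RESPONSE", 0)
        (length,) = struct.unpack(">H", prefix)
        message = b""
        while len(message) < length:
            chunk = sock.recv(length - len(message))
            if not chunk:
                break
            message += chunk
        return classify_response(message)


# Constructed replies for offline use: header plus echoed question only. The
# classifier reads just the header, so the record bodies are omitted.
_QUESTION = encode_name("example.com") + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)
REFUSED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _QUESTION  # QR=1, RCODE=5
LEAKY_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0) + _QUESTION    # QR=1, AA=1, 3 answers
```

Against a live server, run_check("ns1.<your-domain>", "<your-domain>") should return ("REFUSED", 0); a ("NOERROR", n) result with n greater than zero means the full zone, including the names of SCADA gateways and historians, is available to anyone who asks. The fix is server-side: restrict AXFR to the addresses of the authorized secondaries (for example with allow-transfer in BIND).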

The availability of this infrastructure and vulnerability data was demonstrated, as reported in [4], by a George Mason University graduate student whose dissertation mapped every business and industrial sector in the American economy to the fiber optic network that connects them, using material that was publicly available on the Internet, none of which was classified. Many of the electric utility officials interviewed for the National Security Telecommunications Advisory Committee's Information Assurance Task Force's Electric Power Risk Assessment expressed concern over the amount of information about their infrastructure that is readily available to the public.

In the electric power industry, open sources of information such as product data and educational videotapes from engineering associations can be used to understand the SCADA systems of the electrical grid. Other publicly available information, including Federal Energy Regulatory Commission (FERC) filings, industry publications, maps and material on the Internet, is sufficient to let someone identify the most heavily loaded transmission lines and the most critical substations in the power grid [11].

In addition, significant information on control systems is publicly available, including design and maintenance documents, technical standards for the interconnection of control systems and RTUs, and standards for communication among control devices, all of which could help hackers understand the systems and how to attack them. Moreover, there are numerous former employees, vendors, support contractors and other end users of the same equipment worldwide with inside knowledge of how control systems operate [11].

    3.2.2 Policy And Procedure Vulnerabilities

Some of the potential policy and procedure vulnerabilities in a SCADA system, as discussed by NIST (National Institute of Standards and Technology) in its Guide to Industrial Control Systems Security, are listed below [10]:

1. Inadequate security policy for the SCADA system: vulnerabilities are often introduced into a SCADA system because of inadequate policies, or the lack of policies specifically for control system security [10].


2. No specific or documented security procedures developed from the security policy for the SCADA system: specific security procedures should be developed and employees trained on them. They are the roots of a sound security program [10].

3. Absent or deficient SCADA equipment implementation guidelines: equipment implementation guidelines should be kept up to date and readily available. They are an integral part of security procedures in the event of a SCADA malfunction [10].

4. Lack of administrative mechanisms for security enforcement: staff responsible for enforcing security should be held accountable for administering the documented security policies and procedures [10].

5. No formal SCADA security training and awareness program: a documented, formal security training and awareness program keeps staff up to date on organizational security policies and procedures as well as industry cyber security standards and recommended practices. Without training on the specific SCADA policies and procedures, staff cannot be expected to maintain a secure SCADA environment [10].

6. Inadequate security architecture and design: control engineers have historically had minimal training in security, and until relatively recently vendors did not include security features in their products [10].


7. Few or no security audits of the SCADA system: independent security audits should review and examine a system's records and activities to determine the adequacy of system controls and to ensure compliance with the established SCADA security policy and procedures. Audits should also be used to detect breaches of SCADA security services and to recommend changes, which may include making existing security controls more robust and/or adding new ones [10].

8. No SCADA-specific continuity of operations or disaster recovery plan (DRP): a DRP should be prepared, tested and available in the event of a major hardware or software failure or the destruction of facilities. Lack of a SCADA-specific DRP could lead to extended downtime and production loss [10].

9. Lack of SCADA-specific configuration change management: a process for controlling modifications to hardware, firmware, software and documentation should be implemented to ensure that the SCADA system is protected against inadequate or improper modifications before, during and after system implementation. Without configuration change management procedures, security oversights, exposures and risks follow [10].

    3.2.3 Platform Vulnerabilities

    3.2.3.1 Platform Configuration Vulnerabilities

Earlier SCADA hardware, software and network protocols were proprietary and not publicly documented, which made it harder for attackers, who lacked knowledge of the systems. Growing competition and the drive to perform better at lower cost have led organizations to move from proprietary systems to standardized technologies such as Microsoft Windows, UNIX operating systems and the common networking protocols used on the Internet. A consequence of using standardized solutions is that many more people have the knowledge needed to attack them. The following vulnerabilities are potential threats to the SCADA platform configuration [10].

    3.2.3.1.1 Operating System Related Vulnerabilities

Standard operating systems can be bought off the shelf, which makes them a cost-effective choice for organizations, but they carry numerous known vulnerabilities. A customized operating system is needed to meet the demands of a SCADA system, and developing patches for a standard operating system so that it meets SCADA requirements can take considerable time; while that patch development is taking place, a SCADA system running the stock OS remains exposed to attack. Patches must also go through exhaustive testing before deployment, otherwise they may compromise normal SCADA operation. A further configuration weakness is that critical configurations are often not stored or backed up, so after an emergency or outage the systems cannot be restored with the same secured configuration [10].

    3.2.3.1.2 Password Related Vulnerabilities

The common password vulnerabilities (some of which may not apply to SCADA) are lack of an adequate password policy, password disclosure and password guessing. A password policy defines when passwords must be used, how strong they must be and how they must be maintained. Password disclosure concerns keeping passwords confidential. Password guessing concerns the weakness introduced when poorly chosen passwords are used.

Some of these are potential vulnerabilities in a SCADA system. If systems do not have appropriate passwords, for example, they allow unauthorized access, so a password policy is required. Potential disclosure vulnerabilities in a SCADA system include passwords transmitted or stored unencrypted and passwords shared between users; the policy should ensure that passwords remain confidential [10].

Potential vulnerabilities are also introduced when passwords are poorly chosen, when default passwords are left in place, and when passwords are never changed. Passwords must be implemented on all SCADA components, but password authentication must not hamper emergency actions [10].

These issues can be mitigated with biometrics (retinal scanning, fingerprint scanning, voice recognition and so on) to authenticate personnel, and by keeping the critical systems in a secure enclosure equipped with cameras and video surveillance so that all activity is tracked [10].

3.2.3.1.3 Access Control Related Vulnerabilities

Inadequately specified access control results in a SCADA user having too many or too few privileges. The following exemplify each case. Consider a system that is left at its default access control settings; this gives any operator system administrative privileges. The second scenario is an improperly configured system that leaves an operator without enough access rights to take corrective actions in an emergency [10].
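The password and access control points of sections 3.2.3.1.2 and 3.2.3.1.3 can be turned into an audit that runs against a user database. The following Go program is an added example written for this page, not code from the project or from reference [10]. The policy thresholds (12-character minimum, 90-day rotation), the list of "default" passwords, the role and right names, and the three sample accounts are all constructed for the example. Passwords are checked in clear text only at the moment they are chosen; the stored database holds SHA-256 hashes, so the audit compares hashes to find default and shared passwords, flags stale ones, and checks both directions of the access control problem: an operator holding administrative rights, and an operator lacking the rights needed for emergency actions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Policy thresholds: assumed values for this example, not figures from the page.
const (
	minPasswordLen = 12
	maxPasswordAge = 90 // days before a password must be rotated
)

// Constructed list of factory-default passwords (placeholders, not real vendor defaults).
var knownDefaults = []string{"password", "admin", "scada", "1234", "default"}

// Rights every operator must hold so that authentication never blocks
// emergency actions (assumed names).
var emergencyRights = []string{"acknowledge_alarm", "emergency_trip"}

// Account is one entry of a constructed SCADA user database. Only the
// SHA-256 hash of the password is stored, never the password itself.
type Account struct {
	User    string
	PwHash  string          // hex SHA-256 of the password
	AgeDays int             // days since the password was last changed
	Role    string          // "operator" or "admin"
	Rights  map[string]bool // privileges granted to the account
}

func hashPw(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// CheckNewPassword enforces the policy at the moment a password is chosen,
// the only point where the clear text is available to inspect.
func CheckNewPassword(user, pw string) []string {
	var problems []string
	if len(pw) < minPasswordLen {
		problems = append(problems, "too short")
	}
	for _, d := range knownDefaults {
		if strings.EqualFold(pw, d) {
			problems = append(problems, "default password")
			break
		}
	}
	if strings.Contains(strings.ToLower(pw), strings.ToLower(user)) {
		problems = append(problems, "contains user name")
	}
	return problems
}

// AuditAccounts reports default, stale and shared passwords plus operators
// with too many (admin) or too few (no emergency rights) privileges.
func AuditAccounts(accts []Account) []string {
	findings := []string{}
	defaultHashes := map[string]bool{}
	for _, d := range knownDefaults {
		defaultHashes[hashPw(d)] = true
	}
	seen := map[string]string{} // password hash -> first user holding it
	for _, a := range accts {
		if defaultHashes[a.PwHash] {
			findings = append(findings, a.User+": default password in use")
		}
		if a.AgeDays > maxPasswordAge {
			findings = append(findings, fmt.Sprintf("%s: password not changed for %d days", a.User, a.AgeDays))
		}
		if first, ok := seen[a.PwHash]; ok {
			findings = append(findings, a.User+": shares a password with "+first)
		} else {
			seen[a.PwHash] = a.User
		}
		if a.Role == "operator" && a.Rights["admin"] {
			findings = append(findings, a.User+": operator holds administrative privilege")
		}
		if a.Role == "operator" {
			for _, r := range emergencyRights {
				if !a.Rights[r] {
					findings = append(findings, a.User+": missing emergency right "+r)
				}
			}
		}
	}
	return findings
}

// SampleAccounts is a constructed user database used by main and the test.
func SampleAccounts() []Account {
	return []Account{
		{"op1", hashPw("password"), 10, "operator", map[string]bool{"admin": true, "acknowledge_alarm": true, "emergency_trip": true}},
		{"op2", hashPw("Correct-Horse-Battery-9"), 200, "operator", map[string]bool{"acknowledge_alarm": true}},
		{"adm1", hashPw("Correct-Horse-Battery-9"), 5, "admin", map[string]bool{"admin": true}},
	}
}

func main() {
	for _, f := range AuditAccounts(SampleAccounts()) {
		fmt.Println(f)
	}
}
```

Running the audit over the sample database yields five findings: a default password and an administrative right on the first operator, a stale password and a missing emergency right on the second, and a password shared between the second operator and the administrator.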

3.2.3.2 Platform Software Vulnerabilities

3.2.3.2.1 Denial Of Service

Cyber-attacks based on denial of service (DoS) mechanisms, and others that spread through viruses and worms by causing a traffic avalanche in a short duration, can potentially bring down systems and cause a disruption of services; they are known as flood-based cyber attack types. There is no well-known, fool-proof defense against such cyber attacks in the computing literature. Various effective ad hoc solutions have been adopted on traditional computer networks. If the access links that connect the SCADA network to the Internet are swamped by heavy traffic caused by such attacks, it could prove disastrous, as the control and supervisory data (including alarms and IED data) flowing to the SCADA network could be lost in the network. The gateway or firewalls installed to monitor the incoming traffic could be overloaded by the large volumes of attack traffic. Thus the ability of the SCADA network to respond to actual failures can be significantly affected. Also, the traffic flood could contain malicious messages that could confuse the SCADA systems to a great extent [13].
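The flood-based attacks described above are usually first noticed as an abnormal per-source event rate at the gateway. The Go program below is an added example for this page, not code from the project or from reference [13]; it parses a constructed gateway log and flags any source that exceeds a per-window threshold using a sliding window, which is the kind of rate-based check that feeds an alert or a temporary block before the access link saturates. The log format ("<unix seconds> <src> <dst>"), the documentation-range addresses, the window of 5 seconds and the threshold of 20 events are all assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Event is one accepted-connection record at the SCADA gateway.
type Event struct {
	T   int64  // unix seconds
	Src string // source address
}

// ParseLog reads constructed lines of the form "<unix_seconds> <src> <dst>".
// Malformed lines are skipped but counted, so a parsing problem that would
// blind the detector is visible to the operator instead of silently dropped.
func ParseLog(log string) ([]Event, int) {
	var events []Event
	bad := 0
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			if len(f) > 0 {
				bad++
			}
			continue
		}
		t, err := strconv.ParseInt(f[0], 10, 64)
		if err != nil {
			bad++
			continue
		}
		events = append(events, Event{T: t, Src: f[1]})
	}
	return events, bad
}

// FloodSources returns, sorted, every source that produced more than
// maxPerWindow events inside any span of `window` seconds (sliding window).
func FloodSources(events []Event, window int64, maxPerWindow int) []string {
	bySrc := map[string][]int64{}
	for _, e := range events {
		bySrc[e.Src] = append(bySrc[e.Src], e.T)
	}
	var flagged []string
	for src, times := range bySrc {
		sort.Slice(times, func(i, j int) bool { return times[i] < times[j] })
		lo := 0
		for hi := range times {
			for times[hi]-times[lo] >= window { // slide the left edge forward
				lo++
			}
			if hi-lo+1 > maxPerWindow {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// ConstructedLog builds the sample input: three legitimate hosts polling
// every 10 s, one host (203.0.113.7, a documentation address) bursting
// 40 events in 2 s, and one deliberately malformed record.
func ConstructedLog() string {
	var b strings.Builder
	for t := int64(0); t < 60; t += 10 {
		for _, src := range []string{"192.0.2.10", "192.0.2.11", "192.0.2.12"} {
			fmt.Fprintf(&b, "%d %s 10.10.0.1\n", t, src)
		}
	}
	for i := int64(0); i < 40; i++ {
		fmt.Fprintf(&b, "%d 203.0.113.7 10.10.0.1\n", 30+i/20)
	}
	b.WriteString("garbled line\n")
	return b.String()
}

func main() {
	events, bad := ParseLog(ConstructedLog())
	fmt.Printf("%d events parsed, %d malformed lines\n", len(events), bad)
	fmt.Println("flood sources:", FloodSources(events, 5, 20))
}
```

With a 5-second window and a limit of 20 events, only the bursting host is reported; the legitimate pollers never exceed one event per window. Shrinking the window to 1 second with a limit of 25 reports nothing, which illustrates why the window and threshold must be chosen from the polling rates the SCADA network actually uses.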

3.2.3.2.2 Malware Protection Definitions Not Current And Implemented Without Exhaustive Testing

The presence of malicious software can result in system performance degradation, loss of vital data and dysfunctional system behavior [10]. These issues can be avoided by installing anti-malware software. But when this anti-virus software is outdated or not thoroughly tested, the same software can cause more damage than it prevents. The reason is that the same vulnerabilities are still present in the system, while the operator is given a false sense of security and is therefore kept unaware of the problem. The SCADA operator will remain confident that the anti-virus is operational and protecting the system.

3.3 Countermeasures For MTU And RTU Security Issues

As discussed in the previous section (specify section), the security issues in the master terminal unit and remote stations lie mostly within the platform and policy. In this chapter we discuss various ways to overcome these security issues.


3.3.1 Countermeasures For Policy And Procedure Vulnerabilities

Figure 3-3 shows the structure used to implement security policies and procedures. The structure encompasses all the security features that need to be covered in a security policy [12].

Figure 3-3: Basic Functions Of SCADA Security Policy [12]

Each block in the above chart and its functionality is described below. A detailed, documented list of the overall security architecture of a system is kept in a security plan. Some areas covered in the security plan are policies and procedures for operational security, user and data authentication, backup policies, etc. The implementation guide details how the above security plans need to be implemented, which areas of the entire architecture are relevant, where the plan needs to be implemented, and so on. Configuration management includes all the configuration details listed for every piece of equipment and all the relevant security policies that apply to them. Enforcement and auditing makes sure that the security policy, plan and implementation for each piece of equipment are done correctly and also maintained correctly [12].

3.3.2 Regular Vulnerability Assessments

All SCADA equipment has to be regularly assessed to check whether abnormal operations are taking place. These assessments must be done on a regular, recurring basis. Along with the operational units, the other components of SCADA, such as the corporate network, database servers and local desktop computers used for customer management, should be assessed so that any unseen security gaps in the system can be closed and protection increased [13].

3.3.3 Expert Information Security Architecture Design

There are best practices that can be used to overcome most of the security issues in the network. Also, a number of new technologies have been developed to combat vulnerabilities such as malware attacks and unauthorized access to the system. When these are installed into the system, the configuration should be such that there are no gaps. If they are not configured correctly, they will not help to solve the issue. If the solution selected is not relevant to the security issue that needs to be solved, it would be a wasted investment. In order to minimize these risks, the utility companies must hire security experts who can understand the architecture of the network and propose solutions that exactly close the loophole without introducing new security issues [13].

3.3.4 Implement The Security Features Provided By Device And System Vendors

Older SCADA networks did not have many security features to protect the system. The utility companies which own the SCADA networks must ask the vendor to provide security patches to the existing system and also to produce newer systems with enhanced security features. Also, factory default security settings should not be used, because their intent is to provide excellent usability while providing the minimum amount of security. When the default settings are being


3.3.7 Conduct Physical Security Surveys And Assess All Remote Sites Connected To The SCADA Network

Automated systems in the SCADA network are the most susceptible to attacks, since they are unmanned and unguarded. An inventory of all access points and regular physical security checks will help to keep a check on any new security issues. Identify and assess any source of information, including remote telephone, computer network and fiber optic cables that could be tapped; radio and microwave links that are exploitable; computer terminals that could be accessed; and wireless local area network access points. Eliminate any points of failure. Prevent unauthorized access to the websites within the enterprise intranet, since they provide access to the SCADA system [13].

3.3.8 Firewalls And Intrusion Detection System

Threats to the SCADA network can come from malicious attackers via the Internet, and hence it is important to monitor the traffic that flows into it. It is important that firewalls and Intrusion Detection Systems (IDS) (figure 3-4) be installed at the various ingress points (gateways) of the SCADA network to identify malicious traffic before it is allowed to enter [14] [15]. This will filter out some of the attacks but not all. Hence a more rigorous scheme needs to be implemented to overcome the attacks that still manage to flow through. Viruses and worms could swamp the systems with huge volumes of attack traffic, so having only firewalls and IDS at entry points may not suffice. This leads to the concept of the electronic perimeter.


Figure 3-4: Firewall And Intrusion Detection System Implementation Between Enterprise And SCADA Control System [15]

3.3.9 Electronic Perimeter

Traffic flowing from outside sources reaches the gateway, where a firewall blocks malicious packets and allows the rest to flow through. The traffic that flows through might still contain some malicious packets which could harm the system. Beyond this gateway there is not much filtering that takes place, and hence it is important to define a broader electronic perimeter (figure 3-5) so that filtering takes place once before data reaches the gateway [14]. This perimeter can be formed by multiple intrusion detection systems installed over a wider area. Huge volumes of traffic can be handled by an extended perimeter, as it becomes possible to stop the attacks further away from the SCADA network. This has the advantage of providing an overlay network in a more distributed and collaborative fashion. It also provides a barrier that allows only legitimate traffic through.

    Figure 3-5: Electronic Perimeter Implementation In SCADA System [31]

3.3.10 Domain-Specific IDS

The above-mentioned methods, i.e. intrusion detection system installation and the electronic perimeter, form a baseline protection that establishes normal system behavior. In addition, a perspective on an intrusion can be developed by analyzing emerging characteristics. SCADA data can be analyzed in order to look for such patterns. To identify these patterns it is important to have some basic domain-specific knowledge, also associated with the communication devices, in order to construct an IDS attack signature database. It would require intense analysis of the interconnected grid in order to identify the attack patterns, study them and then generate signatures. Once this is achieved, the observed behavior needs to be correlated to detect potential intrusions and filter the attack traffic [14]. Hence an IDS with these signatures and the secure electronic perimeter can be made to work in a synchronized manner to combat the security issues posed by malware.
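The two ingredients named above, a signature database built from domain knowledge and correlation of observed behavior, can be shown on a small scale. The Go program below is an added example for this page, not code from the project or from reference [14]. It decodes a constructed trace of generic SCADA requests (fields t, src, fn, point, value; not a real DNP3 or Modbus encoding), applies two per-message signatures that encode domain knowledge (control commands are only expected from the master station, and a setpoint write must stay inside the engineering limits of its point), and then correlates across messages to report a source that scanned several points and then issued a write. The master address, the point ranges, the window of 10 seconds and the scan threshold of 3 points are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Msg is one decoded SCADA request on the control network (generic fields).
type Msg struct {
	T     int64
	Src   string
	Fn    string // read, write or restart
	Point int
	Value float64
}

// Domain knowledge that goes into the signature database (assumed values):
// the master stations allowed to issue control commands, and the engineering
// limits of the setpoints a write may carry.
var masters = map[string]bool{"10.1.1.1": true}
var setpointRange = map[int][2]float64{40: {0, 100}, 41: {49.5, 50.5}}

// Signature is a pattern matched against a single message.
type Signature struct {
	Name  string
	Match func(m Msg) bool
}

var signatures = []Signature{
	{"control-from-non-master", func(m Msg) bool {
		return (m.Fn == "write" || m.Fn == "restart") && !masters[m.Src]
	}},
	{"setpoint-out-of-range", func(m Msg) bool {
		r, ok := setpointRange[m.Point]
		return m.Fn == "write" && ok && (m.Value < r[0] || m.Value > r[1])
	}},
}

// SampleTraffic is a constructed trace: the master polls and writes normally,
// then an unexpected host reads three points and writes a setpoint.
const SampleTraffic = `
t=1 src=10.1.1.1 fn=read point=12
t=2 src=10.1.1.1 fn=write point=40 value=55
t=3 src=10.1.9.9 fn=read point=1
t=4 src=10.1.9.9 fn=read point=2
t=5 src=10.1.9.9 fn=read point=3
t=6 src=10.1.9.9 fn=write point=41 value=60
t=7 src=10.1.1.1 fn=write point=41 value=50.2
`

// ParseMsgs decodes "key=value" records, one message per line.
func ParseMsgs(text string) []Msg {
	var out []Msg
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		m := Msg{}
		for _, kv := range strings.Fields(line) {
			parts := strings.SplitN(kv, "=", 2)
			if len(parts) != 2 {
				continue
			}
			switch parts[0] {
			case "t":
				m.T, _ = strconv.ParseInt(parts[1], 10, 64)
			case "src":
				m.Src = parts[1]
			case "fn":
				m.Fn = parts[1]
			case "point":
				m.Point, _ = strconv.Atoi(parts[1])
			case "value":
				m.Value, _ = strconv.ParseFloat(parts[1], 64)
			}
		}
		out = append(out, m)
	}
	return out
}

// Detect applies every signature to every message, then correlates: a source
// that read at least scanPoints distinct points within scanWindow seconds
// before issuing a write is reported as "scan-then-control".
func Detect(msgs []Msg, scanWindow int64, scanPoints int) []string {
	var alerts []string
	reads := map[string][]Msg{} // per-source read history
	for _, m := range msgs {
		for _, s := range signatures {
			if s.Match(m) {
				alerts = append(alerts, fmt.Sprintf("t=%d %s %s", m.T, s.Name, m.Src))
			}
		}
		switch m.Fn {
		case "read":
			reads[m.Src] = append(reads[m.Src], m)
		case "write":
			distinct := map[int]bool{}
			for _, r := range reads[m.Src] {
				if m.T-r.T <= scanWindow {
					distinct[r.Point] = true
				}
			}
			if len(distinct) >= scanPoints {
				alerts = append(alerts, fmt.Sprintf("t=%d scan-then-control %s", m.T, m.Src))
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(ParseMsgs(SampleTraffic), 10, 3) {
		fmt.Println(a)
	}
}
```

On the sample trace the write at t=6 triggers both signatures and the correlation rule, while the master's own writes at t=2 and t=7 produce nothing; with a 1-second correlation window the same write is still caught by the signatures but no longer by the correlation rule, which is why the window has to reflect how fast a real scan of the interconnected grid proceeds.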

3.3.11 Creating Demilitarized Zones (DMZs)

Demilitarized zones created using firewalls can protect the SCADA network [33]. Multiple DMZs can be created to separate functionalities and access privileges such as peer-to-peer connections, the data historian, security servers, configuration servers, etc. Figure 3-6 below shows the creation of DMZs.

Figure 3-6: Demilitarized Zones Architecture [33]

All the connections can be routed through firewalls, and administrators keep a diagram of the local area network and its connections to protected subnets, DMZs, the corporate network, and the outside. Multiple demilitarized zones help against attacks such as virtual LAN hopping and trust exploitation, bringing in a better security posture [33].

3.3.12 Low Latency And High Integrity Security Solution Using Bump In The Wire Technology For Legacy SCADA Systems

Legacy SCADA systems, deployed without security in mind, are vulnerable to sniffing and tampering today. The risk is increasing because security through obscurity is failing to protect the system. Achieving security requires a solution which can be retrofitted into the legacy SCADA system. One such solution is Yet Another SecurIty Retrofit (YASIR), a bump-in-the-wire (BITW) solution for retrofitting security to time-critical communications in serial-based SCADA systems [32]. The goals are to provide high security and low latency, at comparable cost, using standard and patent-free tools.

Figure 3-7: Model For Bump In The Wire Approach [32]

In figure 3-7, the function of the sending device, denoted S, is applied to message M, which results in frame F. At the receiving end, the function of the receiving device, denoted D, is applied to the received frame. Device D takes a frame F as input and outputs an error if F fails to pass certain conformance checks such as random-error detection, or else the corresponding original message M. Ideally, i.e. without the introduction of errors in the communication link, the received frame equals the transmitted frame F, so the output of SCADA device D is D(F) = D(S(M)) = M.

The BITW solution adds two more modules, a transmitter T and a receiver R. The output from the transmitter over the insecure link is the transformed frame T(F) = F~. The receiver R is modeled as a function that takes in a transformed frame F~ and outputs either an error or the corresponding original frame F, which is given to D. If no error was introduced into F~ in transit, the received transformed frame equals F~, so R(F~) = R(T(F)) = F. This provides data authenticity and discards messages from replay attacks.

The design of the transmitter and receiver in the YASIR approach is as follows. The transmitter applies the encryption algorithm AES-CTR-128 to the frame F, thereby providing confidentiality and integrity for the message. Then a time stamp and a unique sequence number are appended to the message for data authenticity and freshness. This solution also provides low latency by using the AES-CTR algorithm. The transmitter relies on the stream nature of AES-CTR: as each byte of the frame F comes in, it applies the encryption. There is an internal counter which keeps a count of every 4 bytes in frame F. Once the whole message has been received, it computes the HMAC over the cipher text and the internal counter. An iterative HMAC function is used, which reduces the storage requirements and has lower latency [32]. The steps are shown below.

1. Input frame F = s||H||P||e, where s and e are special symbols indicating the start and end of the frame, H is the header and P is the payload.

2. CTXT = ENCRYPT_ek(ctrT, H||P), where ENCRYPT_ek is AES-CTR-128 and ctrT is the counter.

3. MAC = HMAC(ctrT||CTXT), where CTXT is the cipher text from step 2 and HMAC is HMAC-SHA-1-96.

4. SEQ = ctrT, where SEQ is the sequence number.


Therefore, there is not much delay except for the time needed to decode symbols and frame boundaries. The receiver design is as follows. The input frame is decrypted and the hash is calculated. The steps are:

1. MAC' = HMAC(ctrR||CTXT).

2. H'||P' = ENCRYPT(ctrR, CTXT).

3. If the calculated MAC' equals the received MAC, then output the frame F = s||H||P||e and increment ctrR by 1.

4. If the calculated hash value does not match, then report an error.

Figure 3-8 below describes the above steps with respect to latency. Shaded boxes indicate values computed by the YASIR components. As shown in the figure, at the receiver end the frame structures are different for type I and type II protocols. Type I protocols are those which do not have header information, like Modbus. Type II protocols are those which have header information [32].

    Figure 3-8: (a) YASIR Transmitter (b) Communication Link (c) YASIR Receiver. [32]


The above solution has to be tested in a real deployment of a SCADA system, and development of a cost-effective FPGA is underway [32].
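The transmitter and receiver steps of section 3.3.12 can be exercised end to end in software. The Go program below is an added example written for this page; it is not the YASIR authors' code from reference [32] and omits the time stamp, the byte-at-a-time streaming and the serial byte-stuffing of the real design. It implements the listed steps: the transmitter encrypts H||P with AES-CTR-128 under counter ctrT, computes HMAC-SHA-1-96 over ctrT||CTXT, appends SEQ = ctrT, and increments the counter; the receiver checks SEQ against its own ctrR, recomputes the MAC, and only then decrypts and advances ctrR. The delimiter byte values (0x02, 0x03), the 16-byte demo keys, the placement of the counter in the AES-CTR IV and the frame layout s||CTXT||MAC||SEQ||e are assumptions made for the example. The main function shows a round trip followed by a replay of the same transformed frame, which the receiver rejects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame delimiters s and e, MAC and SEQ sizes (delimiter values are assumed).
const (
	frameStart = 0x02
	frameEnd   = 0x03
	macLen     = 12 // HMAC-SHA-1-96
	seqLen     = 4
)

// Transmitter T and receiver R share an AES-128 key, an HMAC key and a
// 32-bit counter (ctrT on the sending side, ctrR on the receiving side).
type Transmitter struct {
	encKey, macKey []byte
	ctrT           uint32
}

type Receiver struct {
	encKey, macKey []byte
	ctrR           uint32
}

func NewTransmitter(encKey, macKey []byte) *Transmitter {
	return &Transmitter{encKey: encKey, macKey: macKey}
}

func NewReceiver(encKey, macKey []byte) *Receiver {
	return &Receiver{encKey: encKey, macKey: macKey}
}

// aesCTR runs AES-CTR-128. The frame counter occupies the top 4 bytes of the
// IV so that CTR's own per-block increments (in the low bytes) can never
// reuse the keystream of a neighbouring frame.
func aesCTR(key []byte, ctr uint32, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv[:4], ctr)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// mac96 is HMAC-SHA-1 over ctr||CTXT, truncated to 96 bits.
func mac96(key []byte, ctr uint32, ctxt []byte) []byte {
	h := hmac.New(sha1.New, key)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], ctr)
	h.Write(c[:])
	h.Write(ctxt)
	return h.Sum(nil)[:macLen]
}

// Send transforms F = s||H||P||e into F~ = s||CTXT||MAC||SEQ||e.
func (t *Transmitter) Send(frame []byte) ([]byte, error) {
	if len(frame) < 2 || frame[0] != frameStart || frame[len(frame)-1] != frameEnd {
		return nil, errors.New("malformed frame")
	}
	ctxt, err := aesCTR(t.encKey, t.ctrT, frame[1:len(frame)-1]) // encrypt H||P
	if err != nil {
		return nil, err
	}
	var seq [seqLen]byte
	binary.BigEndian.PutUint32(seq[:], t.ctrT)
	out := append([]byte{frameStart}, ctxt...)
	out = append(out, mac96(t.macKey, t.ctrT, ctxt)...)
	out = append(out, seq[:]...)
	t.ctrT++
	return append(out, frameEnd), nil
}

// Receive checks freshness (SEQ must equal ctrR) and the MAC before
// decrypting; a replayed, stale or tampered frame is rejected and ctrR stays put.
func (r *Receiver) Receive(tf []byte) ([]byte, error) {
	if len(tf) < 2+macLen+seqLen || tf[0] != frameStart || tf[len(tf)-1] != frameEnd {
		return nil, errors.New("malformed transformed frame")
	}
	inner := tf[1 : len(tf)-1]
	n := len(inner)
	ctxt, mac := inner[:n-macLen-seqLen], inner[n-macLen-seqLen:n-seqLen]
	if binary.BigEndian.Uint32(inner[n-seqLen:]) != r.ctrR {
		return nil, errors.New("stale or replayed frame")
	}
	if !hmac.Equal(mac96(r.macKey, r.ctrR, ctxt), mac) {
		return nil, errors.New("MAC mismatch")
	}
	body, err := aesCTR(r.encKey, r.ctrR, ctxt)
	if err != nil {
		return nil, err
	}
	r.ctrR++
	return append(append([]byte{frameStart}, body...), frameEnd), nil
}

func main() {
	enc, mac := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed demo keys
	tx, rx := NewTransmitter(enc, mac), NewReceiver(enc, mac)
	tf, _ := tx.Send([]byte{frameStart, 0x01, 0x03, 0x00, 0x0A, frameEnd})
	got, err := rx.Receive(tf)
	fmt.Printf("recovered=%x err=%v\n", got, err)
	_, err = rx.Receive(tf) // the same transformed frame again: a replay
	fmt.Println("replay:", err)
}
```

The receiver deliberately compares SEQ with its own ctrR rather than trusting the counter carried in the frame, which is what makes a captured frame useless when it is played back; flipping any byte of CTXT, MAC or SEQ in transit fails the MAC check before decryption is attempted, matching step 4 of the receiver design. A production bump-in-the-wire device would additionally need a resynchronisation rule for frames lost on the serial link, which this example does not include.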


Chapter 4

DISTRIBUTED NETWORK PROTOCOL 3 VULNERABILITIES AND COUNTERMEASURES

4.1 Introduction To SCADA Communication Network

In this chapter we concentrate on how vulnerabilities are introduced into the SCADA architecture from the communication perspective. The MTU and RTU use communication media ranging from wired to wireless. The protocols used for these communications are discussed in this chapter. The protocol structures, the vulnerabilities present in each protocol and the countermeasures for each are discussed in chapters 4 and 5.

Development of the SCADA architecture dates back to the 1900s, when telemetry was introduced. Telemetry involves the transmission and collection of data obtained by real-time sensing applications. As discussed in the introduction chapter, the basic architecture of SCADA consists of delivering the data collected at the remote stations to the central processing station. The master computers (MTUs) present information such as meter readings and equipment status to human operators in a presentable form and allow the human operators to control the field equipment, or control devices automatically. The MTU initiates almost all communication with remote sites [16].

The master terminal units were basically mainframe computers which presented the data to the human operators, who then had to make the decisions on the next steps. The older SCADA networks were built to provide reliability and operability. Hence the MTU would send commands over a 1200 baud communication line, and the function of the RTU was only to execute the command, sense the new data and send it back to the MTU. The RTU units had no local intelligence and hence just served the master [16].

With the advent of new communication technologies and media, the slower communication channels in the older networks began to be replaced with the new technologies. Getting rid of the slower communication lines and making the RTU more intelligent increased the SCADA network's overall processing power. The RTU was made more intelligent with the introduction of IEDs (intelligent electronic devices). IEDs are capable of autonomously executing simple logic processes without involving the master computer. Hence the RTU devices provide a number of functionalities locally, e.g. system protection (say, from power surges), local operation capabilities, and data gathering/concentration from other subsystems. Figure 4-1 gives an insight into the modern SCADA architecture [16].

    Figure 4-1: Modern SCADA Communication Architecture [16]


The misconception of SCADA network managers that the SCADA system cannot be accessed via the corporate network was proved wrong with the introduction of the modern SCADA architecture. Figure 4-1 also shows that the field data (obtained using RTUs and IEDs) is transmitted over a wide range of communication lines and can even be accessed by SCADA users via a web browser. Communication between the various units in the architecture uses Ethernet or Internet technology. Hence they introduced the vulnerabilities which were inherent in desktop computers on corporate networks [16].

4.2 Some General Vulnerabilities In SCADA Network

The SCADA network infrastructure has been ever growing, with modifications introduced very often to satisfy business and operational requirements. During this time very little importance was given to the security gaps introduced into the network. If these gaps are not filled, they could expose the SCADA architecture to a number of attacks. It is important to have a network architecture design which can differentiate between, or segment, the corporate, Internet and SCADA networks. It should not be so weak that an attack on the Internet part of the architecture affects and hence compromises the SCADA network [16]. Some common architectural weaknesses are introduced when:

1. The configuration of the web and email servers is not done correctly and hence unnecessarily provides internal corporate access.

2. Firewall protection, intrusion detection systems and virtual private networks are not used when connecting to the network of corporate partners.

3. Dial-up modem access is authorized unnecessarily, and maintenance dial-ups often fail to implement corporate dial access policies.


When the SCADA system fails, there should be backup devices which can be used to restore the functions of SCADA. By bringing the system back into operation, system availability is not hampered and loss of data is prevented. There should be documentation of all these procedures so that it is easier to use the backup systems in case of failure of the primary systems in emergency situations [16].

There are a number of insecure connections in the SCADA network, e.g. ports used for maintenance of the SCADA system, examination of the SCADA system, obtaining remote access to the system, etc. Since these links are unprotected, with no authentication or encryption, they are highly susceptible to attacks, which results in compromise of the integrity of the data transmitted [16].

4.3 SCADA Communication Protocols

SCADA systems are built using public or proprietary communication protocols which are used for communicating between an MTU and one or more RTUs. The SCADA protocols provide transmission specifications to interconnect substation computers, RTUs, IEDs, and the master station. The two most common protocols used are:

DNP3 (Distributed Network Protocol version 3.0)

Modbus

4.4 DNP3 Protocol

4.4.1 Introduction To DNP3 Protocol

DNP3, or Distributed Network Protocol Version 3.3, is a telecommunications standard that defines communications between master stations, remote telemetry units (RTUs) and other intelligent electronic devices (IEDs). It was developed to achieve interoperability among systems in the electric utility industry [17].

DNP3 was created as a proprietary protocol by Harris Controls Division, initially for use in the electrical utility industry. In November 1993 the protocol was made available for use by third parties by transferring its ownership to the DNP3 User Group. DNP3 was designed specifically for SCADA (supervisory control and data acquisition) applications. These involve acquisition of information and sending of control commands between physically separate computer devices. It is designed to transmit relatively small packets of data in a reliable manner [17].

A key feature of the DNP3 protocol is that it is an open protocol standard, and one that has been adopted by a significant number of equipment manufacturers. The benefit of an open standard is that it provides for interoperability between equipment from different manufacturers. This means, for example, that a user can purchase system equipment such as a maste