Cyber Security Considerations for Electric Power Systems.

Post on 14-Dec-2015


Tommy Morris
Director, Critical Infrastructure Protection Center
Assistant Professor, Electrical and Computer Engineering
Mississippi State University

morris@ece.msstate.edu, (662) 325-3199

Cyber Security Considerations for Electric Power Systems

Electronic Security Perimeter

Is this system air-gapped?

No.

But…
• it's fiber optic.
• we own the network.
• we own the wireless network.

Electronic Security Perimeter

Is this system air-gapped?

What is this?
• Leased line from phone company?
• Does the utility sell bandwidth to 3rd parties?

No.

Common configuration

(Diagram: WWW – DMZ – Enterprise Network – Control Room – Outstation)

Can malware infect the control room or outstation?

(Diagram: WWW – DMZ – Enterprise Network – Control Room – Outstation)

Yes


What about serial? RS-232/485

Stuxnet

Takeaways

Industrial control system networks are not commonly air-gapped.

Industrial control systems can be infected by malware.

An electronic security perimeter alone is insufficient protection.

Need a defense-in-depth approach.

Risk Assessment

Should consider:
• likelihood of attack
• cost of attack
• impact of attack

Compared to:
• cost of prevention
• likelihood of prevention

ECE 8990 Smart Grid, MSU

Interruption (Denial of Service)

An asset of the system is destroyed or becomes unavailable or unusable.

Attack on availability
• Destruction of hardware
• Cutting of a communication line
• Disabling the file management system
May not be physical destruction. May be temporary.

DOS Prevention: Monitor and react

• Monitor network traffic for DOS attacks
• Close offending ports. Is it OK to close a network port in an ICS network?
• Test devices for vulnerability
  ○ Protocol mutation (fuzzing)
  ○ Known attacks
  ○ Floods
• Share results (ethically)
• Force vendor to patch

Interception

An unauthorized party gains access to an asset.

Attack on confidentiality
• Wiretapping to capture data in a network
• Intercepting a password -> bad
• Intercepting a password file -> worse
• Intercepting ICS data from an RTU. Is that bad?

Modification

An unauthorized party not only gains access but tampers with an asset.

Attack on integrity
• Change values in a data file
• Alter a program to make it perform differently
• Modify content of messages transmitted on a network: man-in-the-middle (MITM)

Modification

Modification in ICS -> very bad

Feedback control uses
○ sensors to monitor the physical process
○ controllers to control the physical process.

Modifying the measured output, measured error, system input, or reference affects the system output.

Modification

Need to defend the sensor.
Need to defend the device which measures error.
Need to defend the controller.
Need to defend the communication network.
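The feedback-control point above, worked as an added example (not from the slides): a toy first-order process under PI control, with a constant bias added to the sensor reading the controller receives. The gains, plant model and bias value are hypothetical. The integral action drives the controller's own error to zero, so the true output settles at reference minus bias and nothing in the controller's view of the loop shows the shift; that is why the sensor and its link need defending, not just the controller.

```python
# Constructed illustration of measurement modification in a feedback loop.
KP, KI = 2.0, 0.2        # PI gains (hypothetical, chosen so the loop is stable)
PLANT_GAIN = 0.1         # fraction of the gap (u - x) closed per step in the toy process

def run_loop(reference, sensor_bias=0.0, steps=1000):
    """Simulate the loop; return (true_output, error_as_seen_by_controller)."""
    x = 0.0          # true process output (e.g. pipeline pressure)
    integral = 0.0   # PI integral term
    err = 0.0
    for _ in range(steps):
        measured = x + sensor_bias          # the (possibly tampered) sensor value
        err = reference - measured          # error as the controller computes it
        integral += err
        u = KP * err + KI * integral        # controller command
        x += PLANT_GAIN * (u - x)           # first-order process response
    return x, err

if __name__ == "__main__":
    print("clean loop:   output=%.3f controller error=%.6f" % run_loop(10.0))
    print("biased sensor: output=%.3f controller error=%.6f" % run_loop(10.0, sensor_bias=2.0))
```

With a bias of 2 the controller still reports zero error while the real output sits 2 units below the reference.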

Fabrication

Unauthorized party inserts counterfeit objects into the system.

Attack on authenticity
• Insertion of spurious messages in a network
• Addition of records to a file
• ICS – insertion of spurious/unwanted/unauthorized control
• ICS – adding data to a historian

ICS Example

(Diagram: GPS Clock; three Phasor Measurement Units (PMU); Phasor Data Concentrator (PDC); Network Appliance; Energy Management System. The diagram labels the feedback-control roles of each stage: sensor, reference; error measurement, controller; with the network links between them.)

RESEARCH AT MSU

Network Intrusion Detection for Industrial Control Systems, by layer

Physical
• Wireless IDS. Not much at this level.

Network, Transport
• Detect well-known attacks
  ○ Teardrop, LAND, port scanning, Ping
• Common protocol rules
  ○ TCP, IP, UDP, ICMP

Application Layer
• Detect protocol mutations
• Detect protocol-specific DOS attacks
• Model-based IDS to detect system-level attacks
  ○ measurement injection
  ○ command injection
  ○ system state steering

(Layer stack: Physical, Data Link, Network, Transport, Application. Most of our work is at the Application layer.)

IDS Framework for Synchrophasor Systems

Synchrophasor systems are being installed across the country by utilities with ARRA grants.

Improved electric grid visibility
○ Detect disturbances sooner

Wide area protection
○ React to disturbances quickly to limit outage

IEEE C37.118 – Synchrophasor Network Protocol. Need to develop Snort rules to:
• Protect against IEEE C37.118 protocol mutation type attacks
• Detect reconnaissance, DOS, command injection, and measurement injection attacks

Read Sprabery has identified approximately 36 rules and is writing and testing them now.

IDS framework for MODBUS

Reviewed the MODBUS specification and developed a fuzzing framework.

Using the fuzzing framework to guide rule development.
○ Rules for specific frame types
○ Function codes in frames define payload contents
○ Rules based upon relationships between frames: query and response must match
○ Response special cases – exception frames must match defined exceptions to the query function code and error types

50 rules in development (Snort)
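The three rule families listed above (function code defines payload, query and response must match, exception frames must carry a defined code for the queried function), as an added example that is not the MSU Snort rule set: a small Modbus/TCP checker over constructed frames. Frame layout follows the public Modbus/TCP MBAP header and PDU; the sample frames and the read-register range check are the only assumptions.

```python
import struct

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id
MBAP = struct.Struct(">HHHB")
# Exception codes defined by the Modbus application protocol specification
VALID_EXCEPTION_CODES = {1, 2, 3, 4, 5, 6, 8, 10, 11}

def parse(frame):
    """Split a Modbus/TCP frame into transaction id, unit id, function code and data."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = MBAP.unpack_from(frame)
    if pid != 0 or length != len(frame) - 6:      # length counts unit id + PDU
        raise ValueError("bad protocol id or MBAP length")
    return {"tid": tid, "uid": uid, "fc": frame[7], "data": frame[8:]}

def check_pair(query, response):
    """Return rule violations for a query/response pair; an empty list means consistent."""
    q, r = parse(query), parse(response)
    alerts = []
    if q["tid"] != r["tid"] or q["uid"] != r["uid"]:
        alerts.append("transaction/unit id mismatch")
    if r["fc"] & 0x80:                            # exception frame: query fc | 0x80
        if (r["fc"] & 0x7F) != q["fc"]:
            alerts.append("exception does not match query function code")
        if len(r["data"]) != 1 or r["data"][0] not in VALID_EXCEPTION_CODES:
            alerts.append("undefined exception code")
        return alerts
    if r["fc"] != q["fc"]:
        return alerts + ["function code mismatch"]
    if q["fc"] in (3, 4):                         # read holding / input registers
        if len(q["data"]) != 4:
            return alerts + ["read query payload must be address(2) + quantity(2)"]
        _, qty = struct.unpack(">HH", q["data"])
        if not 1 <= qty <= 125:                   # spec limit for one read request
            alerts.append("quantity outside 1..125")
        if len(r["data"]) != 1 + 2 * qty or r["data"][0] != 2 * qty:
            alerts.append("response byte count does not match requested quantity")
    return alerts

# Constructed sample frames: read 2 holding registers at address 0 from unit 1
QUERY      = bytes.fromhex("0001 0000 0006 01 03 0000 0002")
GOOD_RESP  = bytes.fromhex("0001 0000 0007 01 03 04 000a 0014")
SHORT_RESP = bytes.fromhex("0001 0000 0005 01 03 02 000a")   # only one register returned
EXC_RESP   = bytes.fromhex("0001 0000 0003 01 83 02")        # illegal data address (defined)
BAD_EXC    = bytes.fromhex("0001 0000 0003 01 83 09")        # code 9 is not defined

if __name__ == "__main__":
    for name, resp in [("good", GOOD_RESP), ("short", SHORT_RESP), ("exc", EXC_RESP), ("bad_exc", BAD_EXC)]:
        print(name, check_pair(QUERY, resp))
```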

IDS Framework

Example Attack (diagram: ICS network reached over a wireless link)
1. Radio Discovery < 24 hrs.
2. Infiltration < 30 days
3. Data Injection or Denial of Service Attack
4. Broken Feedback Control Loop

SNORT Intrusion Detection for Industrial Control Systems

(Diagram: MTU – network tap feeding Snort – RTU with control logic driving a pump and relief valve on a pipeline)

Control parameters: Set Point, System Mode, Control Scheme, Pump Override, Relief Override, PID Setpoint, PID Gain, PID Reset, PID Rate, PID DB, PID CT

Output: Pump State, Relief State, Pressure

• Detect Attacks
  • Command Injection
  • Measurement Injection
  • Reconnaissance
  • Denial of Service

Cybersecurity Testing and Risk Assessment for Industrial Control Systems

(Testbed diagram; components: PMU, PDC, Substation, Router, MU-4000, PC, RTDS, Bus, Historian; labels ABC, AB)

Cybersecurity Testing and Risk Assessment for Industrial Control Systems

Denial of Service
• Known attacks
• High volume traffic
• Protocol mutation

Device Security Assessment
• Security features
• Standards conformance
• Port scan
• Vulnerability scan

Confidentiality, Integrity
• Password confidentiality
• Password storage
• Man-in-the-middle

• Many vulnerabilities identified and communicated to vendor and project partner.
• All addressed
  • Firmware fixes
  • New security features
  • System architecture changes

CIPC Lab Growth

Continue to add systems. Currently designing SCADA lab upgrades to increase diversity and complexity.

Needs
• RTDS Expansion
• Achilles Satellite Security Analyzer

Center for Computer Security Research

National Forensics Training Center

Critical Infrastructure Protection Center

Cyber Security Education

Information and Computing Security

Computer Crime and Forensics

Network Security and Cryptography

Industrial Control System Security

Advanced Network Security

Advanced Digital Forensics

Trustworthy Computing

Internet Security Protocols

Scholarship Programs

NSF Scholarship for Service

DOD Information Assurance Scholarship

National Center of Academic Excellence in Information Assurance Education
National Center of Academic Excellence in Research

Research Partners

Identify vulnerabilities, implement attacks, investigate impact on physical systems.

Develop security solutions; system protection, intrusion detection, attack resilience

Train engineers and scientists for control systems security careers.

(Diagram: Cyber Security overlapping with Industrial Control Systems)

Critical Infrastructure Protection Center

Tommy Morris, Asst. Prof.
Director, CIPC; Industrial Control System Security

Ray Vaughn, V.P. Research
Giles Distinguished Professor; Software Engineering and Computer Security

Dave Dampier, Professor
Director, CCSR; Computer Forensics

Mahalingam Ramkumar, Assoc. Prof.
Trustworthy Computing

Yogi Dandass, Assoc. Prof.
Root Kit, Hypervisor Detection

Wesley McGrew, Research Associate
Human Machine Interface Security, Software Vulnerability and Exploitation

Read Sprabery, BS CPE
Jeff Hsu, BS EE
Uttam Adhikari, PhD ECE
Wei Gao, PhD ECE
Shengyi Pan, PhD ECE
David Mudd, MS ECE
Quintin Grice, MS ECE
Joseph Johnson, BS EE
Lalita Neti, MS ECE
Robert Gosselin, BS EE

Thank you!