
The Design of ICS Testbed Based on Emulation, Physical, and Simulation (EPS-ICS Testbed)

Haihui Gao, Yong Peng, Zhonghua Dai, Ting Wang
Technical Assessment Research Lab, CNITSEC
Beijing, China
e-mail: [email protected]

Kebin Jia
College of Electronic Information and Control Engineering, Beijing University of Technology
Beijing, China
e-mail: [email protected]

Abstract—This paper begins with a discussion of the role and value of an industrial control system (ICS) testbed, which provides a universal, controllable, realistic, and repeatable experimental platform for SCADA control system cybersecurity research. Following the ICS layered architecture, an ICS testbed based on emulation, physical devices, and simulation (EPS-ICS Testbed) is designed and implemented. The EPS-ICS Testbed enables experimenters to create experiments with varying levels of fidelity and is widely used for vulnerability discovery, comprehensive security training, facilitating the development of security standards, and developing advanced control system architectures and technologies that are more secure and robust.

Keywords: Industrial Control System (ICS); Network Testbed; Cyberspace Security; Supervisory Control And Data Acquisition (SCADA); Cyber-physical system

I. INTRODUCTION

Industrial control systems (ICS) are widely used in industries such as electricity, petroleum and petrochemicals, aviation, railway, and water treatment, and they have become the brain and backbone of the operation of these national critical infrastructures [1]. Due to increased connectivity to the Internet and corporate networks, ICS are no longer immune to cyber attacks. In 2010, the "Stuxnet" worm incident further sounded the alarm about the seriousness and reality of ICS cybersecurity [1][2].

In order to better understand how to protect ICS systems [3-5], it is important to conduct cybersecurity research to identify and mitigate existing vulnerabilities. However, security testing and evaluation on real, existing ICS systems is limited because of their always-on services and the risk of failure. Therefore, a key problem in the research and development of security solutions for ICS is the lack of a proper experimental platform on which to evaluate ICS security [2]. Establishing an ICS testbed has become an urgent demand.

The EPS-ICS Testbed is discussed and designed in this paper. It uses a combination of emulation, physical, and simulation techniques to provide configurable fidelity. Physical devices are used only for the core research components; the other components use emulation or simulation. This greatly reduces the cost of creating a full model of an ICS system, avoids low fidelity, and reconciles the research purposes with the construction costs.

The architecture of ICS is described in Section II. In Section III, we compare the different construction techniques of ICS testbeds. In Section IV, we present the architecture and main components of our EPS-ICS Testbed. The experimental results and conclusions are given in the last section.

II. COMMON ICS ARCHITECTURES

According to the ANSI/ISA-99 reference model, the common ICS architecture is shown in Fig. 1 [6][7]:

Figure 1. ICS Reference Model

A. Level 3 – Corporate Network

This level belongs to the traditional IT category, with general deployment of services such as FTP, websites, mail servers, ERP systems and OA systems. It is described as "Business Planning and Logistics" in the ANSI/ISA-95 standards and is defined as including the functions involved in the business-related activities needed to manage a manufacturing organization.

2013 Ninth International Conference on Intelligent Information Hiding and Multimedia Signal Processing

978-0-7695-5120-3/13 $26.00 © 2013 IEEE

DOI 10.1109/IIH-MSP.2013.111


B. Level 2 – Supervisory Control LAN

This level includes the functions involved in monitoring and controlling the physical process, with general deployment of services such as HMI, engineering workstations, and historians.

C. Level 1 – Control Network

This level includes the functions involved in sensing and manipulating the physical process. Process control equipment at this level is similar in operation: it reads data from sensors, executes a control algorithm, and sends an output to a final element (e.g., control valves or damper drives). Level 1 equipment includes, but is not limited to, DCS controllers, PLCs, and RTUs.

D. Level 0 – I/O Network

Level 0 is the actual physical process. It includes the sensors, actuators, and the controlled process/controlled object directly connected to the process and process equipment.

III. CONSTRUCTION METHODOLOGY OF THE ICS TESTBED

According to the construction methodology used, ICS testbeds can be divided into the following three categories.

A. The physical testbed constructed by replication methodology

Such a testbed is constructed as a copy of the real system, using the same physical devices and information systems; an example is the DOE-OE Control Systems Security National SCADA Testbed (NSTB). It is obvious that building an ICS testbed identical to the real system gives the highest fidelity but is cost prohibitive.

B. The software (virtual) testbed constructed by modeling methodology

Unlike the physical testbed constructed by replication, the software testbed is constructed by modeling instead of using physical devices and information systems. There is a diverse body of literature on modeling ICS processes using the Matlab, Modelica, and Ptolemy simulation tools together with simulated network models built with ns2, OMNet++, and SSFnet [10-16]. These approaches have low fidelity because they use virtual devices. For the purpose of cyber security testing and evaluation of ICS systems, model-based experiments offer a richer class of scenarios. However, software models of the devices and systems are typically not available or, if available, lack the features needed for cyber security analysis.

C. The hybrid testbed constructed by both replication and modeling methodology

A hybrid testbed integrates the replication and modeling methodologies. It reconciles the research mission with the construction costs. An effective way to create an ICS security experimentation platform is a hybrid testbed. Our EPS-ICS Testbed and the LVC testbed [17] designed by Vincent Urias belong to this category.

The characteristics of the three kinds of methodology are shown in Table I.

TABLE I. THE CHARACTERISTICS OF METHODOLOGY

Methodology | Fidelity | Cost | Time
The software (virtual) testbed constructed by modeling methodology | low | low | low
The hybrid testbed constructed by both replication and modeling methodology | | |
The physical testbed constructed by replication methodology | high | high | high

IV. THE DESIGN AND IMPLEMENTATION OF EPS-ICS TESTBED

The EPS-ICS Testbed framework is shown in Fig. 2 and has three main components: the network testbed, the physical devices, and Matlab/Simulink. Our methodology enables the creation of an ICS system from emulated, physical, and simulated components in a single EPS-ICS Testbed.

Figure 2. The framework of EPS-ICS Testbed

Using the ICS reference model presented in Figure 1, level 3 and level 2 of the ICS layered architecture are built with the emulation methodology using our network testbed, which is similar to Emulab [18]. Level 1 of the ICS layered architecture is built with the replication methodology using physical devices. Level 0 of the ICS layered architecture uses a mathematical model of the controlled process in Matlab/Simulink.

A. EMULATED

Network testbeds such as Emulab, DETERlab and PlanetLab give researchers a wide range of environments in which to develop, debug, and evaluate their systems [19].

We designed a network testbed for emulating the corporate network (level 3) and the supervisory control LAN (level 2). Our network testbed allows the experimenter to specify an arbitrary network topology, giving the experimenter a controllable, predictable, and repeatable environment, including PC nodes on which the experimenter has full "root" access and runs an operating system of their choice.

B. PHYSICAL

The control network (level 1) is the core layer of the ICS reference model. Level 1 equipment includes DCS controllers, PLCs, RTUs, and industrial Ethernet protocols, which are the focus of information security research. Therefore, we use physical devices to build the control network in order to achieve high fidelity and meet the research missions.

C. SIMULATED

The I/O network (level 0) is the actual physical process. Level 0 includes the sensors, actuators, and the controlled process (steam boiler, water tank, heat exchanger, etc.). We use Matlab/Simulink to design a variety of mathematical models of controlled processes for the I/O network.

A mathematical model of a controlled process describes the functional relationship between the inputs and outputs of the production process, as given in Equation (1):

$y(t) = F\big(u(t),\, f(t)\big)$  (1)

where u(t) are the control variables, f(t) are the disturbance variables, and y(t) are the controlled variables. Controlled variables are also known as output variables, such as temperature, pressure, flow, level, etc. Control variables are also known as input variables. When there are multiple input variables, one or several are selected as control variables and the other input variables are treated as disturbance variables.

D. INTERFACE

Using the EPS-ICS Testbed to build an ICS allows the experimenter to replicate the interactions between the ICS components. The ICS components, such as the corporate network and the controllers, can be implemented as simulated, emulated, or physical components with the interfaces discussed in this section.

The core function of the interface between the network testbed and the physical devices is IP routing; it may be a router or a layer 3 switch.

As shown in Fig. 3, the interfaces between the physical devices and Matlab/Simulink are mainly implemented by PCI modules. The PCI modules carry out the data exchange between the Matlab/Simulink model and the external controller.

Figure 3. The interfaces between physical devices and Matlab/Simulink (the figure shows a Simulink process-model block, $\frac{dx}{dt} = ax + bu$, whose input u and output y are exchanged with the external controller)
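The following is an added example, not code from the paper or from the EPS-ICS Testbed itself. It shows, in plain Python rather than Matlab/Simulink, the kind of Level 0 process model described in Section IV.C and the per-sample exchange of u and y that the PCI modules of Fig. 3 carry between the Simulink model and the external controller. The plant follows the first-order state equation of Fig. 3, dx/dt = ax + bu, extended with a disturbance term so that the output obeys Equation (1), y(t) = F(u(t), f(t)), with both a control variable and a disturbance variable. A software PI loop stands in for the paper's physical Level 1 controller; the class and function names, the plant constants a and b, the controller gains, the sample period, the setpoint and the disturbance profile are all constructed for illustration and are not taken from the paper.

```python
"""Level 0 process model plus a stand-in Level 1 controller (added example).

Plant (constructed, forward-Euler discretised):  dx/dt = a*x + b*u + f
Controlled variable (Equation 1):                y(t) = x(t) = F(u(t), f(t))
The controller and the plant exchange u and y once per sample period, which is
the role the PCI modules play between the physical devices and Simulink.
"""
from dataclasses import dataclass


@dataclass
class FirstOrderProcess:
    """Assumed first-order plant, e.g. a tank whose level drains at rate -a*x."""
    a: float = -0.5   # assumed plant pole (self-stabilising process)
    b: float = 1.0    # assumed input gain of the control variable u
    dt: float = 0.1   # assumed sample period of the u/y exchange
    x: float = 0.0    # state; here the controlled variable y is x itself

    def step(self, u: float, f: float = 0.0) -> float:
        """Advance dx/dt = a*x + b*u + f by one sample and return y(t) = x(t).

        u is the control variable (from the controller), f the disturbance
        variable (e.g. an unmeasured extra outflow), both as in Equation (1).
        """
        dxdt = self.a * self.x + self.b * u + f
        self.x += dxdt * self.dt
        return self.x


@dataclass
class PIController:
    """Stand-in for the physical Level 1 device: a PI loop with output limits."""
    kp: float = 2.0
    ki: float = 1.0
    dt: float = 0.1
    u_min: float = 0.0    # actuator limit, e.g. a valve cannot open below 0 %
    u_max: float = 10.0   # actuator limit, e.g. fully open
    integral: float = 0.0

    def update(self, setpoint: float, y: float) -> float:
        """Compute u from the measured y; freeze the integrator while saturated."""
        error = setpoint - y
        u_unsat = self.kp * error + self.ki * (self.integral + error * self.dt)
        u = min(self.u_max, max(self.u_min, u_unsat))
        if u == u_unsat:                 # anti-windup: integrate only when unsaturated
            self.integral += error * self.dt
        return u


def run_closed_loop(setpoint: float, n_steps: int, disturbance=None):
    """Run the controller/plant exchange for n_steps samples.

    disturbance: optional callable mapping the step index to f(t).
    Returns a list of (time, u, f, y) rows, one per sample.
    """
    plant = FirstOrderProcess()
    ctrl = PIController(dt=plant.dt)
    y = plant.x
    history = []
    for k in range(n_steps):
        u = ctrl.update(setpoint, y)                  # Level 1 -> Level 0: control variable
        f = disturbance(k) if disturbance else 0.0    # disturbance variable acting on the process
        y = plant.step(u, f)                          # Level 0 -> Level 1: controlled variable
        history.append((round(k * plant.dt, 3), u, f, y))
    return history


if __name__ == "__main__":
    # Constructed scenario: level setpoint 5.0, an extra outflow (f = -1) from t = 30 s.
    rows = run_closed_loop(5.0, 1000, disturbance=lambda k: -1.0 if k >= 300 else 0.0)
    for t, u, f, y in rows[::100]:
        print(f"t={t:6.1f}s  u={u:6.3f}  f={f:5.2f}  y={y:6.3f}")
```

Two things the run makes visible that the prose does not: with integral action the controlled variable returns to the setpoint after the disturbance step even though f is never measured, and the control variable settles at a different value (the controller absorbs the disturbance), which is the kind of behaviour an experimenter compares against a physical controller wired to the same model.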

V. EXPERIMENTAL RESULT AND CONCLUSION

With the EPS-ICS Testbed on-line, the experimental results are shown in Fig. 4:

(a) Network testbed

(b) Physical devices and the mathematical models of the controlled process

Figure 4. The experimental results of EPS-ICS Testbed

The HMI host and the engineer's host in Fig. 4(a) belong to the Supervisory Control LAN (level 2), and the web servers belong to the Corporate Network (level 3). The physical devices in Fig. 4(b) belong to the Control Network (level 1). The mathematical models of the controlled process in Fig. 4(b) belong to the I/O Network (level 0).

In this paper, we have developed a hybrid ICS testbed comprised of emulated, physical, and simulated components (EPS-ICS Testbed). The EPS-ICS Testbed enables higher-fidelity representations of key computing applications or network devices while still leveraging the scalability and cost advantages of simulation tools.

The EPS-ICS Testbed provides an experimental platform to assess cyber-attack scenarios with varying levels of fidelity, examine the effects of zero-day attacks, explore SCADA-specific protocols, applications and devices, and examine the effects of patches and of un-patched systems. Our EPS-ICS Testbed also provides a rich training environment in which to learn and test how to respond to potential cyber-attacks.

Future work is to design a variety of attack scenarios and carry out security assessment demonstration experiments.

REFERENCES

[1] Yong Peng, Changqing Jiang, Feng Xie, et al. Study on the research progress of industrial control system cybersecurity. Journal of Tsinghua University, 2012, 52(10): 1396-1408.

[2] Carlos Queiroz, Abdun Mahmood, Jiankun Hu, et al. Building a SCADA Security Testbed. NSS - Network and System Security, 2009: 357-364.

[3] Bessani, A., et al. The Crutial Way of Critical Infrastructure Protection. IEEE Security & Privacy, 2008, 6(6): 44-51.

[4] Brundle, M. and M. Naedele. Security for Process Control Systems: An Overview. IEEE Security & Privacy, 2008, 6(6): 24-29.

[5] Dzung, D., et al. Security for industrial communication systems. Proceedings of the IEEE, 2005, 93(6): 1152-1177.

[6] Moses D. Schwartz, John Mulder, Jason Trent, et al. Control System Devices: Architectures and Supply Channels Overview. Sandia Report SAND2010-5183, 2010.8: 11-12.

[7] ISA. ANSI/ISA-99.00.01-2007 Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models. International Society for Automation, 2007.10.

[8] Smith Brian P., Stewart E. John, and Halbgewachs Ron, et al. Cyber security interoperability - The Lemnos project. 53rd ISA POWID Symposium, 2010, 483: 50-59.

[9] National SCADA Test Bed. http://www.oe.energy.gov/nstb.htm

[10] Alefiya Hussain and Saurabh Amin. NCS Security Experimentation using DETER. Proceedings of the 1st ACM International Conference on High Confidence Networked Systems (HiCoNS'12), 2012: 73-79.

[11] Varga A. The OMNeT++ discrete event simulation system. Proceedings of the European Simulation Multiconference (ESM'2001). Prague, Czech Republic: The European Multidisciplinary Society for Modelling and Simulation Technology (EUROSIS), 2001: 319-324.

[12] The LEGO Group. Lego Mindstorms NXT [Z/OL]. (2012-07-03), http://mindstorms.lego.com.

[13] D. C. Bergman. Power grid simulation, evaluation, and test framework. Master's thesis, University of Illinois at Urbana-Champaign, Urbana, Illinois, May 2010.

[14] Davis C., Tate J., Okhravi H., et al. SCADA Cyber Security Testbed Development. Proceedings of the 38th North American Power Symposium (NAPS 2006), USA: IEEE Press, 2006: 483-488.

[15] A. T. Al-Hammouri, M. S. Branicky, and V. Liberatore. Co-simulation tools for networked control systems. Proceedings of the 11th International Workshop on Hybrid Systems: Computation and Control (HSCC '08), pages 16-29, Berlin, Heidelberg, 2008. Springer-Verlag.

[16] Alefiya Hussain and Saurabh Amin. NCS Security Experimentation using DETER. Proceedings of the 1st International Conference on High Confidence Networked Systems, 2012: 73-80.

[17] Vincent Urias, Brian Van Leeuwen, and Bryan Richardson. Supervisory Command and Data Acquisition (SCADA) system Cyber Security Analysis using a Live, Virtual, and Constructive (LVC) Testbed. 2012 IEEE Military Communications Conference, 2012.11.

[18] B. White, J. Lepreau, L. Stoller, R. Ricci, S. Guruprasad, M. Newbold, M. Hibler, C. Barb, and A. Joglekar. An Integrated Experimental Environment for Distributed Systems and Networks. Proc. of the 5th Symp. on Operating Systems Design and Impl. (OSDI), pages 255-270, Boston, MA, Dec. 2002.

[19] http://www.emulab.net
