Tommy Morris
Director, Critical Infrastructure Protection Center
Assistant Professor, Electrical and Computer Engineering
Mississippi State University
[email protected]
(662) 325-3199
Electronic Security Perimeter
Is this system air-gapped?
No.
But…
•it’s fiber optic.
•we own the network.
•we own the wireless network.
Electronic Security Perimeter
Is this system air-gapped?
What is this?
•Leased line from phone company?
•Does the utility sell BW to 3rd parties?
No.
Common configuration
[Figure: network diagram showing the WWW, DMZ, Enterprise Network, Control Room and Outstation]
Can malware infect the control room or outstation?
[Figure: the same WWW / DMZ / Enterprise Network / Control Room / Outstation diagram, shown on two consecutive slides]
Yes
What about serial? RS-232/485
Stuxnet
Takeaways
Industrial control system networks are not commonly air gapped, though control system engineers may think they are.
Industrial control systems can be infected by malware.
An electronic security perimeter alone is insufficient.
A defense in depth approach is needed.
Network Intrusion Detection for Industrial Control Systems
Physical, Data Link
•Wireless IDS
•Not much at this level
Network, Transport
•Detect well known attacks
○ Tear drop, LAND, port scanning, Ping
•Common protocol rules
○ TCP, IP, UDP, ICMP
Application Layer
•Detect protocol mutations
•Detect protocol specific DOS attacks
•Model Based IDS to detect system level attacks
○ measurement injection
○ command injection
○ system state steering
[Figure: two relays with current transformers (CTs) on a transmission line, connected through a router to the network; a short circuit on the line causes the relay to trip]
Causal Network Graphs for Intrusion Detection
•Map power system scenarios to a graph with nodes representing a set of time ordered measurable events
•Multiple existing sources of data
•Unique path through graph for each scenario
•Classify events in real time
Causal Network Graphs for Intrusion Detection – Case Study
Power system events
•Over current fault – high current -> open breaker
•Remote trip – operator remotely opens breaker for maintenance
•Local trip at face plate – technician trips relay at the face plate
Cyber events – threats
•command injection attack to remotely trip the relay
•man-in-the-middle (MITM) attack on synchrophasor system (I=0)
•man-in-the-middle (MITM) attack on synchrophasor system (I>Itrip)
Measurable Events
•Relay: breaker status
•Energy Management System (EMS): command from EMS to remote trip
•Synchrophasor system measurements: current measurements (60 samples per second)
•Snort network signatures: detect network message to trip the relay
Bayesian Network Graph -> Causal Event Graph
[Figure: causal event graph with nodes PMU@T1, Relay, PMU@T2, Snort and EMS; edges labelled with PMU current level (IH, IN, I0), Snort alert (Sn) and EMS remote trip command (RT); relay states Breaker open / Breaker closed; leaf outcomes: fault, command injection, remote trip, MITM IPMU>ITrip]
Causal Event Graph Signatures (events listed in time order)
1) Fault: IH, Sn, RT -> Breaker open -> I0
2) Command Injection: IN, Sn, RT -> Breaker open -> I0
3) Scheduled Trip: IN, Sn, RT -> Breaker open -> I0
4) MITM Attack I=0: I0, Sn, RT -> Breaker closed -> I0
5) MITM Attack I>ITrip: IH, Sn, RT -> Breaker closed -> IH
6) Local Trip: IN, Sn, RT -> Breaker open -> I0
Hand mapped the signatures to a custom intrusion detection program.
Laboratory Validation – proof of concept
[Figure: test system with generator G1, buses B1 and B2, relays R1 and R2, breakers BR1 and BR2, and elements labelled L and L1; EMS logs, Snort, relay logs and synchrophasor measurements feed the Attack Detection Program]
•RTDS Simulation
•Implemented each scenario
•Data loggers to capture measurements
•Offline intrusion detection program
•Successful classification of all scenarios
Future Work
Causal Event Graphs
•Scale to more realistic systems
○ Breaker and a half
○ Relay coordination
○ Expanded relaying scheme support
Real time IDS
•Move from Boolean to probabilistic IDS
•Automate graph to IDS signatures
•Measure accuracy and computational cost
[Figure: synchrophasor system architecture – PMUs on each transmission line network feed a PDC; the PDCs feed a central PDC, the EMS, a Historian and Engineering Analysis]
*not shown (the 3 circuits above are part of an interconnection).
Synchrophasor System Equipment
Phasor Measurement Unit (PMU)
•Synchronized phasor measurements
•1 µs synchronization, IEEE 1588, GPS
•3-phase voltage phasors, current phasor
Phasor Data Concentrator (PDC)
•Concentrate PMU streams
•Detect missing data
•Interpolate for missing data
IEEE C37.118 -> IEC 61850 90-5
Snort Rules for Synchrophasor Systems
•Synchrophasor systems being installed across the country by utilities with ARRA grants
•Improved electric grid visibility
○ Detect disturbances sooner
•Wide area protection
○ React to disturbances quickly to limit outage
•IEEE C37.118 – Synchrophasor Network Protocol
•Need to develop Snort rules to
○ Protect against IEEE C37.118 protocol mutation type attacks
○ Detect reconnaissance, DOS, command injection, and measurement injection attacks
Snort Rules for Synchrophasor Systems – Protocol Mutation
Rule 2 – Frame Type Check (stand-alone)
  Condition: SYNC[0]{6:4} != (0, 1, 2, 3, 4)
  Simple check – is this a legal frame?
Rule 10 – Polar Range (multi-packet)
  Condition: ConfigFrame: (FORMAT[0]{1} == 0 && FORMAT[0]{0} == 1) && DataFrame: (PHASORS[0:1] (Polar angle) > 31,416) || (PHASORS[0:1] (Polar angle) < -31,416)
  Does the polar range in the data frame match the description in the configuration frame?
Rule 11 – Data Framesize Check (multi-packet)
  Condition: EXPECTED FRAMESIZE != ACTUAL FRAMESIZE
  Does the frame size match the frame size calculated from examining the configuration frame?
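As an added example (not code from the presentation or the MSU project), the three checks above implemented in Python against IEEE C37.118-2005 data frames. The config-frame state (PHNMR and the FORMAT polar/integer bits) is supplied as a constructed dict rather than parsed from a real configuration frame, and the sample frames are constructed with CHK left at zero.

```python
import struct

# Frame type is carried in bits 6:4 of the second SYNC byte (IEEE C37.118-2005):
# 0 = data, 1 = header, 2 = config-1, 3 = config-2, 4 = command
LEGAL_FRAME_TYPES = {0, 1, 2, 3, 4}
MAX_ANGLE = 31416  # +/- pi in 1e-4 rad units for 16-bit integer polar phasors

def frame_type(frame: bytes) -> int:
    return (frame[1] >> 4) & 0x7

def expected_data_framesize(phnmr: int) -> int:
    # Assumes integer phasors/FREQ/DFREQ and no analog or digital words:
    # 14-byte common header + STAT(2) + 4*PHNMR + FREQ(2) + DFREQ(2) + CHK(2)
    return 14 + 2 + 4 * phnmr + 2 + 2 + 2

def polar_angles(frame: bytes, phnmr: int) -> list:
    # Each integer polar phasor is magnitude (u16) followed by angle (i16)
    return [struct.unpack_from('>Hh', frame, 16 + 4 * i)[1] for i in range(phnmr)]

def check_frame(frame: bytes, cfg: dict) -> list:
    """Return alert strings; cfg is the (constructed) state learned from the config frame."""
    if frame[0] != 0xAA or frame_type(frame) not in LEGAL_FRAME_TYPES:
        return ['rule2: illegal frame type']          # stand-alone check
    if frame_type(frame) != 0:
        return []                                      # only data frames are checked below
    actual = struct.unpack_from('>H', frame, 2)[0]
    expected = expected_data_framesize(cfg['PHNMR'])
    if expected != actual or actual != len(frame):
        return [f'rule11: framesize {actual} != expected {expected}']
    alerts = []
    if cfg['polar'] and cfg['integer']:                # FORMAT bits taken from config frame
        for i, ang in enumerate(polar_angles(frame, cfg['PHNMR'])):
            if not -MAX_ANGLE <= ang <= MAX_ANGLE:
                alerts.append(f'rule10: phasor {i} angle {ang} outside polar range')
    return alerts

def build_data_frame(angles, ftype=0, size_override=None) -> bytes:
    """Constructed sample data frame: integer polar phasors of magnitude 1000."""
    body = struct.pack('>H', 0) + b''.join(struct.pack('>Hh', 1000, a) for a in angles)
    body += struct.pack('>hh', 0, 0)                   # FREQ deviation and DFREQ set to 0
    size = size_override if size_override else 14 + len(body) + 2
    # SYNC 0xAA, frame type in bits 6:4 with version 1, FRAMESIZE, IDCODE 1, SOC, FRACSEC
    header = struct.pack('>BBHHII', 0xAA, (ftype << 4) | 1, size, 1, 0, 0)
    return header + body + struct.pack('>H', 0)        # CHK left as 0 in this sample

CFG = {'PHNMR': 2, 'polar': True, 'integer': True}    # constructed config-frame state
```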
Retrofit SNORT Intrusion Detection for Industrial Control Systems
[Figure: pipeline test bed – an MTU communicates with an RTU running the control logic for a pump, relief valve and pipeline; a network tap feeds Snort. Inputs: Set Point, System Mode, Control Scheme, Pump Override, Relief Override, PID Setpoint, PID Gain, PID Reset, PID Rate, PID DB, PID CT. Outputs: Pump State, Relief State, Pressure]
•Detect Attacks
• Command Injection
• Measurement Injection
• Reconnaissance
• Denial of Service
Snort Protocol Rules for MODBUS
•Reviewed specification and developed a fuzzing framework.
•Using fuzzing framework to guide rule development.
○ Rules for specific frame types
○ Function codes in frames define payload contents
○ Rules based upon relationships between frames
  query and response must match
○ Response special cases – exception frames
  match defined exceptions to query function code and error types
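As an added example (not code from the presentation or the MSU project), a Python check for the query/response relationship described above: a Modbus/TCP response must carry the same function code as the query it answers, or the exception form of it (function code | 0x80) with a defined exception code. The transaction ids, unit ids and sample PDUs are constructed.

```python
import struct

# Modbus/TCP MBAP header: transaction id, protocol id (0), length, unit id
MBAP = '>HHHB'
# Exception codes defined by the Modbus application protocol specification
LEGAL_EXCEPTIONS = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x0A, 0x0B}

def parse(frame: bytes) -> dict:
    tid, pid, length, uid = struct.unpack_from(MBAP, frame, 0)
    pdu = frame[7:]
    # MBAP length counts the unit id byte plus the PDU
    return {'tid': tid, 'pid': pid, 'uid': uid, 'fc': pdu[0], 'data': pdu[1:],
            'header_ok': pid == 0 and length == len(pdu) + 1}

class ModbusPairing:
    """Tracks outstanding queries per (unit id, transaction id) and checks each response."""
    def __init__(self):
        self.pending = {}

    def query(self, frame: bytes) -> list:
        q = parse(frame)
        self.pending[(q['uid'], q['tid'])] = q['fc']
        return [] if q['header_ok'] else ['malformed MBAP header in query']

    def response(self, frame: bytes) -> list:
        r = parse(frame)
        key = (r['uid'], r['tid'])
        if key not in self.pending:
            return ['response without matching query']
        qfc = self.pending.pop(key)
        if r['fc'] == qfc:
            return []                                   # normal response matches the query
        if r['fc'] == (qfc | 0x80):                     # exception response for this function
            if len(r['data']) == 1 and r['data'][0] in LEGAL_EXCEPTIONS:
                return []
            return [f'malformed exception frame for function {qfc}']
        return [f'response function {r["fc"]} does not match query function {qfc}']

def mb(tid: int, uid: int, pdu: bytes) -> bytes:
    """Constructed sample builder: wraps a PDU in an MBAP header."""
    return struct.pack(MBAP, tid, 0, len(pdu) + 1, uid) + pdu

READ_HR = b'\x03\x00\x00\x00\x02'   # constructed query: read 2 holding registers at 0
```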
Cybersecurity Testing and Risk Assessment for Industrial Control Systems
Denial of Service
•Known attacks
•High volume traffic
•Protocol mutation
Device Security Assessment
•Security features
•Standards conformance
•Port scan
•Vulnerability scan
Confidentiality, Integrity
•Password confidentiality
•Password storage
•Man-in-the-middle
•Many vulnerabilities identified and communicated to vendor and project partner.
•All addressed
• Firmware fixes
• New security features
• System architecture changes
•Identify vulnerabilities, implement attacks, investigate impact on physical systems.
•Develop security solutions; system protection, intrusion detection, attack resilience
•Train engineers and scientists for control systems security careers.
[Figure: overlap of Cybersecurity and Industrial Control Systems]
Critical Infrastructure Protection Center
Read Sprabery, BS CPE – Power System Cybersecurity
Drew Richey, MS ECE – Ladder Logic to Snort Rules
Uttam Adhikari, PhD ECE – Power System Cybersecurity
Wei Gao, PhD ECE – SCADA Intrusion Detection
Shengyi Pan, PhD ECE – Power System Cybersecurity
Tommy Morris, Asst. Prof., Director, CIPC – Industrial Control System Security
David Mudd, MS ECE – SCADA Virtual Test Bed
Quintin Grice, MS ECE – Relay Settings Automation
Joseph Johnson, BS EE – Control Systems
Lalita Neti, MS ECE – Relay Settings Automation