Security Solution To Protect SCADA Systems From Cyber Attacks
All content following this page was uploaded by Peeyush Jain on 21 September 2015.
Peeyush Jain, Paritosh Tripathi, Vinod Kumar, Ashwin Nivangune, Zia Saquib
Centre for Development of Advanced Computing,
Gulmohar Cross Road No. 9,
Juhu Mumbai, India
{peeyushj, paritosh, vinod, ashwin, saquib}@cdac.in
1 Introduction
© Elsevier, 2012
common protocols [10] used are: IEC (International Electrotechnical Commission) 60870-5-101 [4], 60870-5-104 and DNP3 [7]. DNP3 is based on the early work of the International Electrotechnical Commission (IEC) that resulted in the IEC 60870-5 protocol for SCADA. DNP3 and IEC 60870-5 are both part of IEEE Standards 1815 and 1379-2000 [11]. Recently the IEC has come up with a new protocol, IEC 61850, which offers enhanced functionality [12].
The use of DNP3 is not limited to serial wire connections within a substation or from a substation to a SCADA master using a modem and phone lines. DNP3's functionality contributes to the protocol's widespread use in substation local area networks using TCP/IP Ethernet, on corporate frame relay networks, fiber optic systems, standard or CDPD cellular systems, as well as many licensed or unlicensed radio systems. Link layer frames are embedded into TCP/IP packets for transmission. This approach enabled DNP3 to take advantage of Internet technology and permitted economical data collection and control of widely separated devices. But it also exposes such systems to vulnerabilities [30]. The benefits of using Internet technology to carry SCADA communications come at the cost of compromised security, since data sent over the Internet can be an easy target for attack [8][26]-[29]. To make the situation more challenging, DNP3 [7], like most other SCADA protocols, has no built-in security feature such as message authentication, which assures that a party to a computerized transaction is not an impostor. The threats DNP3 faces include eavesdropping; man-in-the-middle attacks (in which a malicious hacker not only listens to the messages between two unsuspecting parties but can also modify, delete and replay them); spoofing and replay (an attack that attempts to trick the system by retransmitting a legitimate message); and unauthorized access, either by humans (intentionally or accidentally) or by specialized software.
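To make concrete what the DNP3 link layer does and does not protect, here is an added example (not code from the paper or from the Flexi-DNPSec project) that builds and parses a DNP3 link-layer frame with its CRC-DNP checksums. The CRC catches transmission errors, but a frame that passes gives no evidence of who sent it, which is the missing message authentication discussed above. The control byte, addresses and user data are constructed sample values.

```python
import struct

# CRC-DNP (CRC-16/DNP): reflected polynomial 0xA6BC (0x3D65 bit-reversed),
# init 0x0000, final XOR 0xFFFF. It catches line noise, not deliberate changes.
def crc_dnp(data: bytes) -> int:
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(ctrl: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Link-layer frame: 0x05 0x64 start, LEN, CTRL, DEST, SRC, header CRC,
    then user data in 16-byte blocks, each followed by its own CRC."""
    header = bytes([0x05, 0x64, 5 + len(user_data), ctrl]) + struct.pack("<HH", dest, src)
    frame = bytearray(header + struct.pack("<H", crc_dnp(header)))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return bytes(frame)

def parse_frame(frame: bytes) -> dict:
    """Check the start bytes and every CRC, then return header fields and the
    reassembled user data. Raises ValueError on any framing or CRC error."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("bad start bytes")
    header = frame[:8]
    if struct.unpack("<H", frame[8:10])[0] != crc_dnp(header):
        raise ValueError("header CRC mismatch")
    ctrl, (dest, src) = header[3], struct.unpack("<HH", header[4:8])
    user_len, data, pos = header[2] - 5, bytearray(), 10
    while len(data) < user_len:
        n = min(16, user_len - len(data))
        if len(frame) < pos + n + 2:
            raise ValueError("truncated frame")
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc_dnp(block):
            raise ValueError("data block CRC mismatch")
        data += block
        pos += n + 2
    return {"ctrl": ctrl, "dest": dest, "src": src, "data": bytes(data)}

def frame_is_intact(frame: bytes) -> bool:
    """True when every CRC checks out: transport integrity only, not authenticity."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False
```

A monitoring device that only checks `frame_is_intact` therefore accepts any well-formed frame; distinguishing a legitimate master from an impostor needs a keyed mechanism on top, which is what the solution in Section 3 adds.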
Other attack possibilities arise because function codes and message flags in different SCADA protocols can be manipulated [12], violating integrity and confidentiality and delivering improper commands to RTUs. Anybody who can inject malicious packets into the network can control a SCADA device. Denial of Service (DoS) attacks, deletion of system files, planting a trojan to control the system, modification of logged data in a remote database system and IP spoofing are other possible threats to SCADA systems [5]. These threats may lead to shutdown of operations, data loss, complete takeover of control, loss of reputation, etc. The security models developed for IT systems may not suit the security requirements of SCADA systems. SCADA systems have many characteristics that differ from IT systems, including different risks and priorities; among them are performance, availability, time-critical responses, resource constraints, communication, system operation and access to components. For SCADA systems, availability is the topmost priority, followed by confidentiality and integrity. For IT systems, confidentiality is the topmost priority, followed by integrity and availability. The key technical challenges revolve around the limitations of what can be installed and configured on the SCADA systems and the technical limitations of other components within the SCADA environment [1]. These constraints should be a basic consideration when applying a security mechanism.
1. Limited computational capacity: RTUs have very low computational power.
2. Limited storage capacity: RTU memory is usually quite small.
3. Low bandwidth: The data transmission rate in SCADA systems is low.
4. Real-time processing: Transmission and processing of data in SCADA systems must be timely; otherwise latency problems may arise.
2 Related Work
Chee-Wooi et al. [15] and Igor et al. [9] provide an overview of security solutions for SCADA; [15] further provides a vulnerability assessment method and a security framework for SCADA. Here we present related work on cryptographic primitives and intrusion detection. Sandia National Laboratories proposed a cryptographic key management approach for SCADA (SKE) [3] in 2002. This scheme uses a CA to handle key management and distribution automatically. All keys are 128 bits long. RTU-to-RTU communication is not possible in this mechanism, and it does not support broadcast or multicast communication. The Information Security Institute [2] proposed an architecture for SCADA systems (SKMA) in which a new entity, the Key Distribution Center (KDC), maintains long-term keys for every node. The KDC also holds information about the system structure and allows or denies key establishment requests; in this role it supports the distribution of keys. Donghyun Choi [6] also proposed an approach that supports multicast and broadcast with additional run-time computation on the MTU side; it provides multicasting in a limited fashion. For key distribution, the approach uses a Key Distribution Centre (KDC), which constructs a logical key structure and uses the Iolus framework. Simple Public Key Infrastructure (SPKI) was developed starting in 1995. Simple Distributed Security Infrastructure (SDSI) is a new design for a public key infrastructure, designed by members of LCS's Cryptography and Information Security research group [5].
Wireless Sensor Networks (WSN) have intelligent distributed control capabilities and the ability to work under severe conditions, so some of the schemes from this area, such as µPKI, may be useful for securing SCADA systems. µPKI uses public key encryption only for specific tasks, such as session key setup between the base station and sensors, giving the network an acceptable threshold of confidentiality and authentication; it implements only a subset of PKI services. A number of key establishment protocols based on pre-distribution have been explored [2][3][6][13], but they do not scale effectively to large networks: for a given level of security, each protocol incurs a linearly increasing overhead in communication cost per node, memory per node, or both. These symmetric-key-based schemes are computationally efficient, but the trade-off is complicated key pre-distribution and key management. In particular, public key cryptography, symmetric key encryption and the addition of SKE-based key management will likely make strong security a more realistic expectation in the future. We also expect that SCADA hardware will improve so that it becomes suitable for applying cryptography.
Intrusion detection is defined as the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies or standard security practices [35]. The two major approaches to intrusion detection are signature based and anomaly based. Signature detection matches traffic to a known misuse pattern, while anomaly detection works on abnormalities in the observed data. Other methods fall between the two approaches, such as probabilistic based and specification based detection [33]: one embeds probabilistic modelling, while the other specifies the allowable system traffic patterns. Misuse based detection methods have reached a saturation point; most current research has been in writing signatures or enhancing signature matching using state machines (regex). Generating good signatures requires extensive study and in-depth vulnerability assessment of the system, which is a tedious task in itself. We have, however, come across [14], which provides signatures for a SCADA-specific IDS. A lot of research has been going on in anomaly based detection [15]-[17]. Zhu and Sastry [33] give a very detailed outlook on IDS for SCADA.
Recently it has been observed that the research community is mainly focusing on two types of approaches: state based intrusion detection and its enhancements [18]-[21], and model based security [22][23]. Both approaches require the real system to be represented and updated according to the changes that take place in the real network. In the state based approach, the representation is in the form of tag-value pairs for the quantities each PLC/RTU is sensing. The idea is to define critical states as predicates over these tag-value pairs. One of the most important advantages suggested is that a critical state can be identified even when the individual commands sent are licit but their combined effect is catastrophic. In the model based approach the real system is represented as a cyber-physical system (CPS). To build such a system, researchers use an available simulator for the physical part and protocol adaptors for the cyber part. The CPS can then be used to observe the effect of commands on the real network by first executing them in the simulated environment and, if they are found threatening, generating alerts. Most of the work explored does not make clear how bad data injection [24] would be tackled. Obviously, signature based approaches are too dependent on regular signature updates, and anomaly based approaches on training data, for intrusion detection. In the case of the model based approach, defining accurate models and limiting false alarms may become challenging.
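The state based approach above, as an added example that is not from the paper or from the cited systems: one tag-value dictionary per RTU, critical states as named predicates over those pairs, and a command sequence in which every write is licit on its own but two of them complete a critical combination. The RTU names, tags, allowed values and predicates are constructed assumptions.

```python
from typing import Callable, Dict, List, Tuple
# One tag -> value dictionary per PLC/RTU, as in the state based approach.
State = Dict[str, Dict[str, object]]

# Critical states are named predicates over the tag-value pairs. The tags,
# values and rules below are constructed assumptions for this example.
CRITICAL_STATES: List[Tuple[str, Callable[[State], bool]]] = [
    ("pump running against closed valve",
     lambda s: s["RTU1"]["pump"] == "on" and s["RTU1"]["valve"] == "closed"),
    ("feeder energized with ground switch closed",
     lambda s: s["RTU2"]["breaker"] == "closed" and s["RTU2"]["ground_sw"] == "closed"),
    ("tank level over limit while inlet open",
     lambda s: s["RTU1"]["level"] > 90 and s["RTU1"]["inlet"] == "open"),
]
# A command is licit when it writes an allowed value to a tag the RTU really has.
ALLOWED_VALUES = {"pump": {"on", "off"}, "valve": {"open", "closed"},
                  "inlet": {"open", "closed"}, "breaker": {"open", "closed"},
                  "ground_sw": {"open", "closed"}, "level": range(0, 101)}

def is_licit(state: State, rtu: str, tag: str, value: object) -> bool:
    return rtu in state and tag in state[rtu] and value in ALLOWED_VALUES.get(tag, ())

def apply_commands(state: State, commands: List[Tuple[str, str, object]]) -> List[str]:
    """Apply each (rtu, tag, value) write in order and re-evaluate the predicates
    after each one. An alert is raised when the system *enters* a critical
    state, so a licit write that completes a dangerous combination is caught
    even though a per-command whitelist or signature check would pass it."""
    alerts, active = [], set()
    for i, (rtu, tag, value) in enumerate(commands):
        if not is_licit(state, rtu, tag, value):
            alerts.append(f"cmd {i}: rejected illicit write {rtu}.{tag}={value!r}")
            continue
        state[rtu][tag] = value
        fired = {name for name, predicate in CRITICAL_STATES if predicate(state)}
        for name in sorted(fired - active):
            alerts.append(f"cmd {i}: entered critical state '{name}' via {rtu}.{tag}={value!r}")
        active = fired
    return alerts

def initial_state() -> State:
    return {"RTU1": {"pump": "off", "valve": "open", "inlet": "closed", "level": 40},
            "RTU2": {"breaker": "open", "ground_sw": "open"}}

def demo() -> List[str]:
    # Constructed sequence: every write is individually licit except the last,
    # but the second and fourth complete critical combinations.
    return apply_commands(initial_state(), [
        ("RTU1", "pump", "on"), ("RTU1", "valve", "closed"),
        ("RTU2", "ground_sw", "closed"), ("RTU2", "breaker", "closed"),
        ("RTU1", "pump", "off"), ("RTU3", "pump", "on")])
```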
3 Security Solution
Fig. 1. Overall Security Architecture
As shown in Figure 2, the key is distributed at installation time of the "bump-in-the-wire" devices on both the MTU and the RTU side; it is then automatically revoked periodically using our key distribution protocol (Sec-KeyD). To explain the data flow through our security solution we consider the flow from MTU to RTU. When the MTU has to send commands, they pass through the "bump-in-the-wire" on the MTU side. The "bump-in-the-wire" contains a protocol hardening solution, Flexi-DNPSec [32], which converts DNP3 packets into a new format called Flexi-DNPSec packets. This conversion allows our key management solution to be integrated, because DNP3 itself provides no such facility. The Flexi-DNPSec protocol thus carries the key management features, i.e. key generation, key distribution, storage, automatic key revocation and encryption/decryption, using our key distribution and key management scheme.
When data passes through the "bump-in-the-wire" device, the incoming data is encrypted using the key that was exchanged initially. The encrypted data then traverses the network, is captured at the RTU side and is decrypted using the same key. The decrypted data is re-converted into DNP3 packets, and a copy is passed to the model based IDS. The model based IDS is used to detect divergence of the real power system from the correct and uncompromised model. For encryption and decryption we use Blowfish. The detailed working of the components of our security solution is discussed in the subsequent sections.
Fig. 2. Implementation of Security Solution
Fig. 3. Model Based Security Architecture
storage only, but distribution of keys is another major issue. The main challenges in key distribution are authentication of the receiver and maintaining a secure path for key transmission. Schemes like the SKE approach are available for key distribution, but they require involving a third party such as a CA, and security might be compromised by that third party. Manual storage of keys at each node is also a big issue. For automatic storage of keys at each node we can use the Diffie-Hellman key exchange method, but this requires a one-time extra computation cost on both sides and extra storage. In Diffie-Hellman key exchange there is always a chance of a man-in-the-middle attack. By using a challenge-response protocol the authenticity of the recipient can be confirmed for key distribution, but the key can still be obtained by an attacker through a replay attack.
Considering the limited memory capacity and processing power, it is necessary to store the minimum number of keys and to use efficient algorithms without compromising the required constraints. Memory efficiency also ought to be considered, because thousands of keys and data items need to be managed and maintained in a limited memory space. Many efforts have been made in recent years to secure SCADA communication, including the key management issues. We propose an efficient key distribution scheme (Sec-KeyD) [37], which overcomes the shortcomings present in current approaches and fulfills the SCADA constraints of availability, time-critical responses and access to components efficiently, with the following advances:
1. Ensures the authenticity of both end nodes (server as well as client)
2. Enhances confidentiality
3. Eliminates the issue of trusting a third party, as no third party is involved
4. Eliminates replay attacks
5. Eliminates man-in-the-middle attacks
6. No false server attack
7. Automatic revocation of the symmetric key
8. Ensures the freshness of messages
9. The session key is neither transferred over an open channel nor installed manually
4 Conclusion
References
18. I. Nai Fovino, A. Coletta, A. Carcano, M. Masera and A. Trombetta, "Modbus/DNP3 State-based Intrusion Detection System", 24th IEEE International Conference on Advanced Information Networking and Applications, 2010.
19. A. Carcano, A. Coletta, M. Guglielmi, M. Masera, I. Nai Fovino and A. Trombetta, "A Multidimensional Critical State Analysis for Detecting Intrusions in SCADA Systems", IEEE Transactions on Industrial Informatics, vol. 7, no. 2, May 2011.
20. I. Nai Fovino, A. Coletta, A. Carcano and M. Masera, "Critical State-Based Filtering System for Securing SCADA Network Protocols", IEEE Transactions on Industrial Electronics, vol. 59, no. 10, October 2012.
21. S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner and A. Valdes, "Using Model-based Intrusion Detection for SCADA Networks", SCADA Security Scientific Symposium, 2007.
22. C.-C. Liu, A. Stefanov, J. Hong and P. Panciatici, "Intruders in the Grid", IEEE Power and Energy Magazine, 2012.
23. The Viking Project, www.vikingproject.eu
24. Y. Liu, P. Ning and M. K. Reiter, "False Data Injection Attacks against State Estimation in Electric Power Grids", ACM Transactions on Information and System Security (TISSEC), vol. 14, no. 1, May 2011.
25. F. Milano, The Power System Analysis Toolbox, http://www.uclm.edu/area/gsee/Web/Federico/psat.htm
26. J. Ballman, "The Great Blackout of 2003 Aug. 14 Power Outage Largest in U.S. History", Disaster Recovery Journal, vol. 16, 2003.
27. J. Meserve, "Sources: Staged cyber attack reveals vulnerability in power grid", Washington, D.C.: CNN, 2007.
28. A. Greenberg, "Hackers Cut Cities' Power", Forbes.com, 2008.
29. F. Saxton, The Aurora Power Grid Vulnerability, http://unix.nocdesigns.com/aurora_white_paper.htm
30. J. Stamp, J. Dillinger, W. Young and J. Depoy, "Common Vulnerabilities in Critical Infrastructure Control Systems", Sandia National Laboratories, May 2003.
31. C. Queiroz, A. Mahmood and Z. Tari, "SCADASim: A Framework for Building SCADA Simulations", IEEE Transactions on Smart Grid, vol. 2, no. 4, 2011.
32. S. Bagaria, S. B. Prabhakar and Z. Saquib, "Flexi-DNP3: Flexible Distributed Network Protocol Version 3 (DNP3) for SCADA Security", ReTIS, Kolkata, December 21-23, 2011.
33. B. Zhu and S. Sastry, "SCADA-specific Intrusion Detection/Prevention Systems: A Survey and Taxonomy", Secure Control Systems (SCS), 2010.
34. University of Washington, Electrical Engineering, www.ee.washington.edu/research/pstca
35. Queen Mary University of London, elec.qmul.ac.uk/resources/electricitydata/pages/electricitydata.html
36. A. Patel, Q. Qassim and C. Wills, "A survey of intrusion detection and prevention systems", Information Management & Computer Security, vol. 18, no. 4, pp. 277, 2010.
37. Intellectual Property India, Application No. 2429/MUM/2010, http://164.100.176.38/patentsearch/search/index.aspx