Cyber Security of SCADA Systems Team: Anthony Gedwillo (EE) James Parrott (CPrE) David Ryan (CPrE) Client: Dr. Govindarasu, Iowa State University

Problem Statement “Since the mid-1990’s, security experts have become increasingly concerned about the threat of malicious cyber attacks on the vital supervisory control and data acquisition (SCADA) systems used to monitor and manage our energy systems. Most SCADA system designs did not anticipate the security threats posed by today’s reliance on common software and operating systems, public telecommunication networks, and the Internet.”

Functional Requirements Virtualization Create a virtualized platform that allows network stack inspection. Create virtualized images for RTUs, Control Center, firewalls and Relays Virtualized system should be scalable to provide more realistic scenarios Cyber Security Produce report detailing security vulnerabilities of the system Implement attacks discovered during the vulnerability assessment Power System Integration Integrate DIgSILENT PowerFactory with SCADA test bed Power Simulation should represent real world scenario

Project Plan Power Flow Simulation Virtualization Cyber Attacks James Tony Create 9-Bus test case on DIgSilent (NOV 2010) Configure DIgSilent with OPC connectivity (FEB 2011) “Hardware in the Loop” (MAR 2011) Develop Display for testbed (OPTIONAL) Virtualization James Setup virtual host and install virtual machines Setup a virtual RTU and connect to HMI Setup a virtual relay that can connect to RTU (FEB 2011) Create multiple substations in testbed (MAR 2011) Hardware in the Loop Cyber Attacks David Port scan all devices Document services running on each port Search for well-known network/server side vulnerabilities Search for well-known client software vulnerabilities Search for lab-specific vulnerabilities (CONTINUAL) Create attacks for significant vulnerabilities (CONTINUAL) Analyze impact of attacks on system (CONTINUAL)

Software and Hardware Used Our SCADA network test bed consists of a few key pieces of hardware and software: Hardware Siemens SCALANCE S612 Security Module Siemens SIPROTEC 4 7SJ61 Relay (Sensor) Software Siemens Spectrum Power TG SCADA/EMS (HMI) Siemens SICAM PAS v6.00 (RTU) Siemens DIGSI (Software for SIPROTEC Protection Relays) Digsilent Power Factory v.14 Matrikon OPC Server/Explorer VmWare ESXi 4.1 Nessus Other Vulnerability Assessment Software

Virtualization Design Virtual RTUs and virtual relays will be installed on the virtual machines. These virtual machines will reside on the VmWare Server These virtual machines will be connected to the SCADA Control Center via DNP 3.0 and DigSilent via OPC The virtual RTUs will communicate with the control center over ethernet behind a physical SCALANCE or virtual firewall

Power Flow Simulation Design OPC := OLE for Process Control OLE := Object Linking and Embedding Power Flow Simulation Design “The Substation” “Limbo” “Control Center” Siemens Spectrum Power TG (HMI) Virtal and Real SICAM PAS (OPC Client) Virtualized and Real Relays Matrikon OPC Server DIgSilent PowerFactory (OPC Client)

Security Assessment Progress Underlying OS is extremely out of date Scalances are webservers accessible over SSL User authentication is brute-forcible Upload firewall backdoor? Internal protected network is one big LAN Subject to common LAN attacks Eavesdropping MITM via ARP spoofing

Plan for the Semester Virtualization Finish the RTU and virtual relay integration. Create easy deployments for substations Design virtual diagram of system for control center Power Flow Simulation Achieve “Hardware in-the-loop” connectivity Create practical system failure scenarios Develop nice display for power system Cyber Attacks Refine MITM traffic interception attack Create firewall backdoor attack