Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Grid-wide, High-fidelity Electrical Substation Honeynet

Published byOwen Walton Modified over 6 years ago

Similar presentations

Presentation on theme: "A Grid-wide, High-fidelity Electrical Substation Honeynet"— Presentation transcript:

1 A Grid-wide, High-fidelity Electrical Substation Honeynet
Daisuke Mashima, Prageeth Gunathilaka, Binbin Chen, and Edwin Tjiong Advanced Digital Sciences Center Singapore Acknowledgment: This research is partly supported by the National Research Foundation, Prime Minister's Office, Singapore under the Energy Programme and administrated by the Energy Market Authority (EP Award No. NRF2014EWT-EIRP ) and in part by the research grant for the Human-Centered Cyber-physical Systems Programme at the Advanced Digital Sciences Center from Singapore’s Agency for Science, Technology and Research (A*STAR).

2 Background For collecting and analyzing real-world attack vectors, honeypot is an effective tool used in general IT systems ICS/Smart Grid Honeypot system is still in an early stage A few ICS honeypot implementations, such as CONPOT etc. are available, but none of them support the emulation of physical system in high-fidelity manner. Maybe OK for just collecting scanning activity, but not sufficient to retain attackers inside for slowing down attacks and/or performing longitudinal analysis

3 Outline Attacker models in Smart Grid communication
Design of scalable, high-fidelity, standard-compliant smart grid honeynet Proof-of-concept implementation using open-source tools Preliminary evaluation of realism and scalability

4 Attacker Models in Scope
A: Attack from control center Compromised SCADA Master system Man-in-the-middle attack by other workstations B: Attack from network Attack on public network infrastructure (i.e., Internet) Attacks on wireless network (e.g., cellular) C: Attacks via VPN interface Intrusion into substation network Injection of malicious commands

5 Desired Properties Comprehensive, consistent power grid view
Attacker may have complete visibility on smart grid communication. He may also have knowledge of power system laws and attempt probing. Realistic network configuration IP address, MAC address, communication protocols, LAN topology etc. should look realistic Scalability for grid-wide emulation Emulation of network with hundreds or thousands of substations should be possible with decent cost Fingerprinting resistance Fingerprinting tools (e.g., nmap) should not be able to find hint of honeypot Use of virtualization technologies should not be identifiable (e.g., sufficient resource isolation among virtual instances)

6 System Overview Interconnected Substation Honeypots
Each substation honeypot consists of Substation gateway VM Assumed to be fully accessible to attackers Connected to other substation honeypots Open IEC (using OpenMUC library) Mininet VM (Substation LAN) Run multiple virtual IEDs, which speak IEC MMS protocol Assume attackers cannot have shell access on virtual IEDs. Can emulate any topology and bandwidth Monitoring functionality can be implemented on the host OS (i.e., beneath VMs) Not visible to attackers Cyber-connected power grid simulation Provided by SoftGrid* and PowerWorld Emulate steady and transient state Can support large-scale grid model, such as 2000 bus systems (with 7,000 IEDs) Monitoring (e.g., Wireshark) *Gunathilaka, Prageeth, Daisuke Mashima, and Binbin Chen. "SoftGrid: A Software-based Smart Grid Testbed for Evaluating Substation Cybersecurity Solutions." Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy. ACM, 2016.

7 Evaluation (1) Comprehensive, consistent power grid view
All honeypot substations are connected to single power flow simulator, and therefore share the consistent view. When control is performed, the outcome from power flow simulator is made visible within a short latency. Voltage and power flow are quick to reach new state so approximated with steady-state simulation Frequency swing takes time so transient-state simulation is used (completed within 1 seconds when 30-sec transient-state simulation is used.)

8 Evaluation (2) Realistic network configuration
MAC address of honeypot gateway and virtual IEDs are configurable. Support widely-used standard protocols, namely IEC and IEC 61850 Bandwidth, packet loss ratio etc., are also configurable. Can safely support 200 virtual IEDs per substation Latency on a ring topology looks realistic. Substation GW

9 Evaluation (3) Fingerprinting resistance
Scanning and OS fingerprinting by Nmap Substation VM is identified as Linux (2.6.32) device that opens port 2404 and 22 Same as a commercial protocol translator (ZNX 202) Virtual IEDs are identifies as a device with unknown OS that opens port 102 Shodan ( After 2weeks operation, indexed as a industrial control system but not flagged as a honeypot

10 Evaluation (4) Isolation among Virtual Instances
When a dedicated CPU core is allocated to each Mininet VM (substation LAN), sufficient isolation in terms of performance of emulated network is provided. Also found that up to 4 substation LANs can be safely run on a single Mininet VM

11 Evaluation (5) Scalability / Operational Cost
Theoretically, we can host up to 16 honeypot substations (GW and LAN) on a quad-core PC The number is close to high-volt. substations in Singapore. On National Cybersecurity Lab testbed ( we tested operation of 18 substations per node Given CPU usage on the node is less than 30%, we can host more than 36 substations safely. Operational cost to run a 200 and 1,500 substation system are US$390/month and US$2,700/month respectively. Deployable also on Amazon EC2 (with minor modification).

12 Conclusions We designed and implemented, scalable smart grid honeynet with high-fidelity power system simulation Looking for industry and academic partners for extensively evaluating and enhancing the system. Future enhancement includes: Collection and analysis of real-world attacks Incorporation of mechanical/actuation latency models Realism evaluation through comparison of hardware-based power grid testbed Generation of dummy, but realistic, SCADA/substation LAN traffic Release honeypot codes as add-on for open-source SoftGrid project (URL:

13 Thank you very much! Questions?
For any interest, suggestion, or request, please feel free to contact us at:

14

15 Smart Grid Honeypot/net Use Cases (1)
To counter Attack A: In the control center, we can set up dummy SCADA Master and/or workstation that are intentionally made vulnerable E.g., they may look like a back-up system Outgoing traffic from those machines are routed to Smart Grid honeynet Can be done by means of router configuration or software-defined network technologies Control Center SCADA Master Dummy SCADA Master Dummy Workstation Real system Smart Grid Honeynet

16 Smart Grid Honeypot/net Use Cases (2)
To counter Attack B: Some of honeypot substations can be connected to the Internet (or other type of public WAN) Some of honeypot substations can be equipped with cellular communication module To counter Attack C: Expose VPN interface of substation gateway, configure with weak credential, to public Smart Grid Honeynet WAN / Internet Substation Honeypot Substation Honeypot Substation Honeypot Substation Honeypot Substation Honeypot Substation Honeypot Substation Honeypot

Download ppt "A Grid-wide, High-fidelity Electrical Substation Honeynet"

Similar presentations

Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Design Deployment and Use of the DETER Testbed Terry Benzel, Robert Braden, Dongho Kim, Clifford Informatino Sciences Institute 2008. 10. 22.

Design Deployment and Use of the DETER Testbed Terry Benzel, Robert Braden, Dongho Kim, Clifford Informatino Sciences Institute
1 In VINI Veritas: Realistic and Controlled Network Experimentation Jennifer Rexford with Andy Bavier, Nick Feamster, Mark Huang, and Larry Peterson

1 In VINI Veritas: Realistic and Controlled Network Experimentation Jennifer Rexford with Andy Bavier, Nick Feamster, Mark Huang, and Larry Peterson
Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.

Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.
A Virtual Environment for Investigating Counter Measures for MITM Attacks on Home Area Networks Lionel Morgan 1, Sindhuri Juturu 2, Justin Talavera 3,

A Virtual Environment for Investigating Counter Measures for MITM Attacks on Home Area Networks Lionel Morgan 1, Sindhuri Juturu 2, Justin Talavera 3,
Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.

Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
Introduction An introduction to the software and organization of the Internet Lab.

Introduction An introduction to the software and organization of the Internet Lab.
Personnel 500-600 hours$10,000-$12,000 Hardware Virtualization Server(?)$3000-$10,000 SIPROTEC 4 7SJ61 Relay s$0 SCALANCE S612 Security.

Personnel hours$10,000-$12,000 Hardware Virtualization Server(?)$3000-$10,000 SIPROTEC 4 7SJ61 Relay s$0 SCALANCE S612 Security.
1 MASTERING (VIRTUAL) NETWORKS A Case Study of Virtualizing Internet Lab Avin Chen Borokhovich Michael Goldfeld Arik.

1 MASTERING (VIRTUAL) NETWORKS A Case Study of Virtualizing Internet Lab Avin Chen Borokhovich Michael Goldfeld Arik.
Router and Switch Security By: Kulin Shah Krunal Shah.

Router and Switch Security By: Kulin Shah Krunal Shah.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
Cyber Security of SCADA Systems Testbed Testbed Development Group Members: Justin Fitzpatrick Rafi Adnan Michael Higdon Ben Kregel Adviser: Dr. Manimaran.

Cyber Security of SCADA Systems Testbed Testbed Development Group Members: Justin Fitzpatrick Rafi Adnan Michael Higdon Ben Kregel Adviser: Dr. Manimaran.
VPN for Sales Nokia FireWall-1 Products Complete Integrated Solution including: –CheckPoint FireWall-1 enterprise security suite –Interfaces installed.

VPN for Sales Nokia FireWall-1 Products Complete Integrated Solution including: –CheckPoint FireWall-1 enterprise security suite –Interfaces installed.
Lab #2 CT1406 By Asma AlOsaimi. Security has been a major concern in today’s computer networks. There has been various exploits of attacks against companies,

Lab #2 CT1406 By Asma AlOsaimi. "Security has been a major concern in today’s computer networks. There has been various exploits of attacks against companies,
Redes Inalámbricas Máster Ingeniería de Computadores 2008/2009 Tema 7.- CASTADIVA PROJECT Performance Evaluation of a MANET architecture.

Redes Inalámbricas Máster Ingeniería de Computadores 2008/2009 Tema 7.- CASTADIVA PROJECT Performance Evaluation of a MANET architecture.
Common Devices Used In Computer Networks

Common Devices Used In Computer Networks
HoneyD (Part 2) Small Business NIDS This presentation demonstrates the ability for Small Businesses to emulate virtual operating systems and conduct.

HoneyD (Part 2) Small Business NIDS This presentation demonstrates the ability for Small Businesses to emulate virtual operating systems and conduct.
Eric Keller, Evan Green Princeton University PRESTO 2008 8/22/08 Virtualizing the Data Plane Through Source Code Merging.

Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.
Presented by: Sanketh Beerabbi University of Central Florida COP6087 - Cloud Computing.

Presented by: Sanketh Beerabbi University of Central Florida COP Cloud Computing.

Similar presentations

Ads by Google