An Alert Buffer Overflow Attack in DNP3 Controlled SCADA Systems (tcipg.org)


Slide 1

Objectives/Problem
- Investigate a simple but effective attack that blocks legitimate DNP3 traffic by overflowing the event buffer inside a data aggregator
- Implement the attack on a real SCADA system in the TCIPG lab
- Construct a DTMC model to understand the conditions under which the attack succeeds
- Analyze and evaluate the attack using packet-based large-scale network simulation

Challenges
- How can a single low-end slave device effectively block situational awareness in a typical DNP3 network?
- When does a buffer overflow amount to an actual attack?
- Can it be applied to many real devices?
- What are the countermeasures?
- How do we approach experimental design in the "security for the power grid" context? What are the metrics? How best do we explore the design space?

[Figure: typical SCADA architecture using DNP3 with a two-level hierarchy: relays report to data aggregators, which in turn report to the control station]

Slide 2

Approach
- Set up a typical two-level-hierarchy testbed with real SCADA devices communicating via DNP3 in the TCIPG lab
- Conduct experiments on the data aggregators: a compromised slave sends an attacker-controlled excess of unsolicited responses in order to overflow the event buffer in the data aggregator, thereby blocking the pending alerts from normal field devices
- Construct an analytical model using a DTMC and queueing theory
- Develop a Möbius model and evaluate reward functions such as the rate at which legitimate alerts are lost and the delay of alerts that survive the attack
- Develop a simulation model in a packet-based network simulator and evaluate its accuracy and performance at large scale

Results
- Observed the buffer overflow attack on an SEL3351 data aggregator. The data aggregator periodically polls two slave devices; the compromised slave sends an excess of false alerts via unsolicited responses and successfully blocks the other device's alert event.
- The same test cases are to be run on the SEL1102 and SEL3354 once they are in the TCIPG lab.
- Developed a full-stack DNP3 protocol running on top of both TCP and UDP in the discrete-event simulator PacketSim. The DNP3 protocol is composed of a master service and an outstation service, from which SCADA devices such as the control station, data aggregator and relay are constructed. The DNP3 protocol in PacketSim currently supports polling, unsolicited responses and control commands such as tripping/closing a relay.

[Figure: queueing model of the attack. Labels recoverable from the figure: control station polling rate μ, data aggregator polling rate μ, flooding rate λ1 attached to the attacker, rate λ2 attached to the normal relay]
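The following script is an added example, not the poster's Möbius or PacketSim model, that reproduces the queueing picture of the attack in a few dozen lines: the data aggregator's event buffer is a finite FIFO, the normal relay's alerts arrive at rate λ2, the compromised slave's forged unsolicited responses at rate λ1, and the master polls at rate μ. It reports the two reward functions named above (fraction of legitimate alerts lost and mean delay of survivors) and checks the loss rate against the closed-form M/M/1/K blocking probability. The function names, the one-event-per-poll service rule (a real DNP3 class poll returns many events at once) and the sample rates are assumptions made for the example.

```python
"""Toy queueing simulation of the DNP3 event-buffer flooding attack.

Added example (not TCIPG's Möbius or PacketSim model). Assumptions:
the data aggregator's event buffer holds at most `capacity` events;
the normal relay's alerts arrive as a Poisson process at rate lam2,
the compromised slave's forged unsolicited responses at rate lam1,
and the control station polls at rate mu, retrieving one event per poll.
Events arriving at a full buffer are dropped, which is the overflow the
attack exploits. The one-event-per-poll rule is a simplification of a
real DNP3 class poll; it is what makes the closed form below apply.
"""
import random
from collections import deque


def mm1k_loss_probability(lam, mu, capacity):
    """Blocking probability of an M/M/1/K queue with K = capacity.

    Both arrival streams are Poisson, so this is also the fraction of
    legitimate alerts lost: an arriving alert sees the buffer in its
    time-average state (PASTA).
    """
    rho = lam / mu
    if abs(rho - 1.0) < 1e-12:
        return 1.0 / (capacity + 1)
    return (1.0 - rho) * rho ** capacity / (1.0 - rho ** (capacity + 1))


def _next(rng, now, rate):
    """Time of the next event of a Poisson process with the given rate."""
    return now + rng.expovariate(rate) if rate > 0 else float("inf")


def simulate(lam2, lam1, mu, capacity, horizon, seed=1):
    """Run the three processes until `horizon`; report what happened to the
    legitimate (normal-relay) alerts."""
    rng = random.Random(seed)
    buf = deque()                 # FIFO event buffer of (arrival_time, source)
    t_legit = _next(rng, 0.0, lam2)
    t_flood = _next(rng, 0.0, lam1)
    t_poll = _next(rng, 0.0, mu)
    arrived = dropped = 0
    delays = []                   # buffer residence time of surviving legit alerts
    while True:
        now = min(t_legit, t_flood, t_poll)
        if now > horizon:
            break
        if now == t_legit:
            arrived += 1
            if len(buf) < capacity:
                buf.append((now, "legit"))
            else:
                dropped += 1      # overflow: the alert never reaches the master
            t_legit = _next(rng, now, lam2)
        elif now == t_flood:
            if len(buf) < capacity:
                buf.append((now, "flood"))   # forged event occupies a slot
            t_flood = _next(rng, now, lam1)
        else:
            if buf:               # a poll drains the oldest event
                t_arr, source = buf.popleft()
                if source == "legit":
                    delays.append(now - t_arr)
            t_poll = _next(rng, now, mu)
    return {
        "legit_arrived": arrived,
        "legit_dropped": dropped,
        "loss_fraction": dropped / arrived if arrived else 0.0,
        "mean_delay": sum(delays) / len(delays) if delays else 0.0,
    }


if __name__ == "__main__":
    # Constructed parameters: the attacker floods at nine times the relay's alert rate.
    base = simulate(lam2=0.5, lam1=0.0, mu=2.0, capacity=10, horizon=20000.0)
    attack = simulate(lam2=0.5, lam1=4.5, mu=2.0, capacity=10, horizon=20000.0)
    print("no attack   :", base)
    print("under attack:", attack)
    print("M/M/1/K prediction under attack:",
          round(mm1k_loss_probability(5.0, 2.0, 10), 4))
```

With λ1 + λ2 above μ the buffer is full most of the time, so roughly 1 - μ/(λ1+λ2) of the relay's alerts are dropped regardless of how large the buffer is; a larger buffer only lengthens the delay of the alerts that do get through. That is the practitioner's takeaway: buffer size is not a defence against a flooding outstation, and the master has to rate-limit or distrust unsolicited responses per source.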

Slide 3

Plans for Next Year
- Assess other security vulnerabilities in the DNP3 protocol and DNP3 devices
- Evaluate the DNP3 Secure Authentication (DNP3 SA) protocol in terms of security and performance
- Further efforts developing models of SCADA protocols, such as IEC 61850, and devices in a large-scale network simulator

Milestones
- Developed the full-stack DNP3 protocol in PacketSim, a discrete-event network simulator

Planned Industry Interactions
- No industry interactions are currently planned

Planned Testbed Activities
- Utilize the real-device testbed and simulation platform in the TCIPG lab to study cyber-security issues in SCADA systems, including but not limited to (1) Mu Dynamics 8000 (fuzz testing), (2) Triangle Microworks test harness, (3) PacketSim
