
SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM SECURITY ISSUES AND COUNTER MEASURES

Raksha Sunku Ravindranath B.E., Visveswaraiah Technological University, Karnataka, India, 2006

PROJECT

Submitted in partial satisfaction of the requirements for the degree of

MASTER OF SCIENCE

in

COMPUTER ENGINEERING

at

CALIFORNIA STATE UNIVERSITY, SACRAMENTO

FALL 2009


SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM SECURITY ISSUES AND COUNTER MEASURES

A Project

by

Raksha Sunku Ravindranath

Approved by:

__________________________________, Committee Chair
Dr Isaac Ghansah

__________________________________, Second Reader
Dr. Jing Pang

____________________________
Date


Student: Raksha Sunku Ravindranath

I certify that this student has met the requirements for format contained in the University format manual, and that this project is suitable for shelving in the Library and credit is to be awarded for the Project.

__________________________, Graduate Coordinator Dr. Suresh Vadhva

________________ Date

Department of Computer Engineering


Abstract

of

SMARTGRID SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) SYSTEM SECURITY ISSUES AND COUNTER MEASURES

by

Raksha Sunku Ravindranath

This project discusses security issues, countermeasures and research issues in Supervisory Control And Data Acquisition (SCADA) systems. SCADA systems are used in the power sector for controlling and monitoring industrial processes. The major components of a SCADA system are the master terminal unit, the remote terminal unit and the communication link connecting them. The protocols used on this communication link are DNP3 (Distributed Network Protocol version 3.0) and Modbus. Vulnerabilities in these components lie in the policies, procedures, platforms and protocols used. Countermeasures for these vulnerabilities include the deployment of firewalls and intrusion detection systems, wrapping the protocols in secure layers, enhancing the protocol structure, etc. Some of these countermeasures do not provide complete security and hence require more research. A number of issues that require further research are also recommended.

_______________________, Committee Chair Dr Isaac Ghansah

_______________________ Date

DEDICATION

Om Sai Ram

This project is dedicated to my lovely parents S.K Ravindranath, Asha Ravindranath, my dear brother Raghav Kishan S.R., and my inspirational grandparents Adinarayana Gupta and Latha Gupta.

ACKNOWLEDGMENTS

It is a pleasure to thank everybody who helped me in successfully completing my Masters Project. First, my sincere thanks to my project supervisors, Dr. Isaac Ghansah, Professor, Computer Science and Engineering, and Dr. Jing Pang, Associate Professor, Department of Electrical and Electronic Engineering and Computer Engineering, for giving me an opportunity to work under their guidance, and for providing me constant support throughout the project. I am also very grateful to Dr. Suresh Vadhva, Graduate Coordinator, Department of Computer Engineering, for his invaluable feedback and suggestions. My special thanks to my friend Vinod Thirumurthy who helped me in reviewing this report. I would like to take this opportunity to acknowledge and appreciate the efforts of California State University, Sacramento for its facilities and for providing a good environment for the students to prosper in their academic life. Last but not least, I would like to thank my parents, S.K Ravindranath and Asha Ravindranath, and my brother Raghav Kishan S.R. for their moral and financial support. I am very grateful for the continuous support and never-ending encouragement that they have provided throughout my life.


TABLE OF CONTENTS

Page

Dedication ............................................................ v
Acknowledgments ...................................................... vi
List of Tables ....................................................... xii
List of Figures ...................................................... xiii
List of Abbreviations ................................................ xv

Chapter

1 INTRODUCTION ........................................................ 1
    1.1 Introduction To SCADA ......................................... 2
    1.2 SCADA System Components And Functions ......................... 4
    1.3 Literature Review ............................................. 7
    1.4 Conclusion .................................................... 9

2 SCADA SYSTEM REQUIREMENTS AND THREATS .............................. 10
    2.1 Requirements In A SCADA System ................................ 10
    2.2 Threats To SCADA Network ...................................... 13

3 MASTER TERMINAL UNIT AND REMOTE TERMINAL UNIT VULNERABILITIES AND COUNTERMEASURES ... 16
    3.1 Introduction .................................................. 16
    3.2 Vulnerabilities In The SCADA System ........................... 17
        3.2.1 Public Information Availability ......................... 21
        3.2.2 Policy And Procedure Vulnerabilities .................... 22
        3.2.3 Platform Vulnerabilities ................................ 24
            3.2.3.1 Platform Configuration Vulnerabilities ............ 24
                3.2.3.1.1 Operating System Related Vulnerabilities .... 25
                3.2.3.1.2 Password Related Vulnerabilities ............ 25
                3.2.3.1.3 Access Control Related Vulnerabilities ...... 26
            3.2.3.2 Platform Software Vulnerabilities ................. 26
                3.2.3.2.1 Denial Of Service ........................... 26
                3.2.3.2.2 Malware Protection Definitions Not Current And Implemented Without Exhausting Testing ... 27
    3.3 Countermeasures For MTU And RTU Security Issues ............... 27
        3.3.1 Countermeasures For Policy And Procedure Vulnerabilities  28
        3.3.2 Regular Vulnerability Assessments ....................... 28
        3.3.3 Expert Information Security Architecture Design ......... 29
        3.3.4 Implement The Security Features Provided By Device And System Vendors ... 29
        3.3.5 Establish Strong Controls Over Any Medium That Is Used As A Backdoor Into The SCADA Network ... 30
        3.3.6 Implement Internal And External Intrusion Detection Systems And Establish 24-hour-a-day Incident Monitoring ... 30
        3.3.7 Conduct Physical Security Surveys And Assess All Remote Sites Connected To The SCADA Network ... 31
        3.3.8 Firewalls And Intrusion Detection System ................ 31
        3.3.9 Electronic Perimeter .................................... 32
        3.3.10 Domain-Specific IDS .................................... 33
        3.3.11 Creating Demilitarized Zones (DMZs) .................... 34
        3.3.12 Low Latency And High Integrity Security Solution Using Bump In The Wire Technology For Legacy SCADA Systems ... 35

4 DISTRIBUTED NETWORK PROTOCOL 3 VULNERABILITIES AND COUNTERMEASURES ... 39
    4.1 Introduction To SCADA Communication Network ................... 39
    4.2 Some General Vulnerabilities In SCADA Network ................. 41
    4.3 SCADA Communication Protocols ................................. 42
    4.4 DNP3 Protocol ................................................. 42
        4.4.1 Introduction To DNP3 Protocol ........................... 42
        4.4.2 DNP3 Communication Modes ................................ 44
        4.4.3 DNP3 Network Configurations ............................. 44
        4.4.4 DNP3 Data Link Layer .................................... 46
        4.4.5 DNP3 Protocol Layer Pseudo Transport Layer .............. 48
        4.4.6 DNP3 Protocol Layer Application Layer ................... 48
    4.5 DNP3 Protocol Vulnerabilities And Attacks ..................... 50
    4.6 Countermeasures For Enhancing DNP3 Security ................... 55
        4.6.1 Solutions That Wrap The DNP3 Protocols Without Making Changes To The Protocols ... 55
            4.6.1.1 SSL/TLS Solution .................................. 56
            4.6.1.2 IPSec (secure IP) Solution ........................ 57
        4.6.2 Enhancements To DNP3 Applications ....................... 57
        4.6.3 Secure DNP3 ............................................. 60
        4.6.4 Distributed Network Protocol Version 3 Security (DNPSec) Framework ... 62
    4.7 Comparison Of DNP3 Countermeasures ............................ 65

5 MODBUS PROTOCOL VULNERABILITIES AND COUNTERMEASURES ................ 67
    5.1 Introduction To Modbus Protocol ............................... 67
    5.2 Protocol Specifics ............................................ 69
    5.3 Modbus Serial Protocol ........................................ 71
    5.4 Modbus TCP Protocol ........................................... 72
    5.5 Vulnerabilities And Attacks In Modbus Protocol ................ 73
        5.5.1 Serial Only Attacks ..................................... 73
        5.5.2 Serial And TCP Attacks .................................. 74
        5.5.3 TCP Only Attacks ........................................ 75
    5.6 Countermeasures For Enhancing Modbus Security ................. 76
        5.6.1 Secure Modbus Protocol .................................. 76

6 RESEARCH ISSUES .................................................... 89
    6.1 Performance Requirements Of SCADA Systems ..................... 89
    6.2 Authentication And Authorization Of Users At The Field Substations ... 89
    6.3 Enhancing The Security Of Serial Communication ................ 90
    6.4 Access Logs For The IEDs In Substations ....................... 90
    6.5 Attacks From Which Side Channel Information Can Be Obtained ... 90
    6.6 Timing Information Dependency ................................. 91
    6.7 Software Patches Update ....................................... 91
    6.8 Intrusion Detection Equipment For The Field Devices And The Control Systems ... 92
    6.9 Authentication Of The Users To Control System Equipment ....... 92
    6.10 Legacy Systems With Limited Processing Power And Resources ... 92
    6.11 Roles To Be Defined In The Control Center .................... 93

7 CONCLUSION ......................................................... 94
    7.1 Summary ....................................................... 94
    7.2 Strengths and Weaknesses ...................................... 96
    7.3 Future Work ................................................... 97

References ........................................................... 98


LIST OF TABLES

Page

Table 3-1: List Of Potential And Present Vulnerabilities In MTU And RTUs ........ 21
Table 4-1: Comparison Of Security Approaches .................................... 59
Table 4-2: New Function Codes Introduced To Support The Secure DNP3 Protocol .... 62
Table 5-1: Function Codes In A Modbus Protocol Frame ............................ 70
Table 5-2: Exception Function Codes For Modbus Protocol ......................... 70
Table 5-3: Comparison Of Communication Latency .................................. 83
Table 5-4: Comparison Of Packet Size ............................................ 83
Table 5-5: Communication Latency With Modbus And Secure Modbus, Master Scan Rate Of 500ms And A Connection Timeout Of 1200ms ... 87
Table 5-6: Modbus/TCP And Secure Modbus/TCP Packet Size, Tested With Different Functions ... 87
Table 5-7: Communication Latency In The Different Communication Steps ........... 88


LIST OF FIGURES

Page

Figure 1-1: Conceptual Smart Grid Architecture ................................... 2
Figure 1-2: SCADA An Integral Component Of Smart Grid ............................ 3
Figure 1-3: SCADA System Components .............................................. 4
Figure 3-1: Security Vulnerabilities Pattern ..................................... 18
Figure 3-2: Interconnected SCADA Network ......................................... 20
Figure 3-3: Basic Functions Of SCADA Security Policy ............................. 28
Figure 3-4: Firewall And Intrusion Detection System Implementation Between Enterprise And SCADA Control System ... 32
Figure 3-5: Electronic Perimeter Implementation In SCADA System .................. 33
Figure 3-6: Demilitarized Zones Architecture ..................................... 34
Figure 3-7: Model For Bump In The Wire Approach .................................. 35
Figure 3-8: (a) YASIR Transmitter (b) Communication Link (c) YASIR Receiver ...... 37
Figure 4-1: Modern SCADA Communication Architecture .............................. 40
Figure 4-2: DNP3 Network Configurations .......................................... 45
Figure 4-3: Design Progression From OSI To DNP3 .................................. 46
Figure 4-4: DNP3 Protocol Data Link Layer Frame Structure ........................ 47
Figure 4-5: DNP3 Pseudo-Transport Message Fields ................................. 48
Figure 4-6: DNP3 Application Message ............................................. 50
Figure 4-7: Threat Categories For DNP3 ........................................... 51
Figure 4-8: Protocol Stack (Gray-background protocols are secured alternatives) .. 56
Figure 4-9: Authentication Using Authentication Octets ........................... 58
Figure 4-10: Message Sequence In Challenge-Response Mode ......................... 61
Figure 4-11: Message Flow In Aggressive Mode ..................................... 61
Figure 4-12: DNPSec Protocol Structure ........................................... 63
Figure 4-13: DNPSec Request/Response Link Communications ......................... 64
Figure 5-1: Modbus Protocol And ISO/OSI Model Comparison ......................... 67
Figure 5-2: Modbus Communication Stack ........................................... 68
Figure 5-3: Modbus Protocol Frame Format ......................................... 69
Figure 5-4: Modbus Serial Architecture ........................................... 71
Figure 5-5: Modbus TCP Architecture .............................................. 72
Figure 5-6: Secure Modbus Application Data Unit .................................. 78
Figure 5-7: Modbus Secure Gateway ................................................ 79
Figure 5-8: Secure Modbus Module ................................................. 81
Figure 5-9: SCADA Test Bed Developed To Verify Secure Modbus Protocol ............ 82
Figure 5-10: High Level Secure Survivable Architecture ........................... 85
Figure 5-11: Filtering Unit Prototype ............................................ 86


LIST OF ABBREVIATIONS

SCADA: Supervisory Control and Data Acquisition
MTU: Master Terminal Unit
RTU: Remote Terminal Unit
DNP3: Distributed Network Protocol
SSL: Secure Socket Layer
TLS: Transport Layer Security
PLC: Programmable Logic Controller
IED: Intelligent Electronic Device
LAN: Local Area Network
PSTN: Public Switched Telephone Network
DHS: Department of Homeland Security
CSSP: Control Systems Security Program
NCSD: National Cyber Security Division
INEEL: Idaho National Engineering and Environmental Laboratory
NERC: North American Electric Reliability Council
CIP: Critical Infrastructure Protection
NIST: National Institute of Standards and Technology
PCSRF: Process Control Security Requirements Forum
PCSF: Process Control System Forum
IDS: Intrusion Detection Systems
DNS: Domain Name Service
FERC: Federal Energy Regulatory Commission
DRP: Disaster Recovery Plan
DoS: Denial of Service
IEC: International Electrotechnical Commission
EPA: Enhanced Performance Architecture
CRC: Cyclic Redundancy Check
ICV: Integrity Check Value
HMAC: Hash-based Message Authentication Code
ASCII: American Standard Code for Information Interchange
PDU: Protocol Data Unit
MBAP: Modbus Application Protocol
NTP: Network Time Protocol
YASIR: Yet Another SecurIty Retrofit
BITW: Bump In The Wire
DMZ: Demilitarized Zones


Chapter 1 INTRODUCTION

Presently the electric industry consists of a more centralized, producer-controlled network. The transformation of this network into a more decentralized and consumer-interactive network is the smart grid [1]. The need for the smart grid has surfaced because the demand for power has been increasing constantly. With the introduction of the smart grid, consumers will be empowered to manage their energy usage in a more efficient and economical way. The smart grid will also increase the productivity and efficiency of power delivery and improve power reliability [1]. In addition, smart grid technology allows us to overcome challenges such as increasing power demand, aging utility infrastructure, and the environmental impact of greenhouse gases produced during electricity generation. With the deployment of the smart grid, power can be used more effectively and the carbon content in the environment can be reduced drastically. Another advantage is a reduction in the investment in primary equipment. Thus the main focus is to make the grid more automated in order to provide the above functionalities. Figure 1-1 is a conceptual architecture of the smart grid. The components named generators, central power plant and isolated microgrid in the figure are all connected through a Supervisory Control and Data Acquisition (SCADA) architecture [1].

Figure 1-1: Conceptual Smart Grid Architecture [30]

1.1 Introduction To SCADA

In addition to being used in electrical power systems, SCADA is also used in other critical infrastructures such as oil and gas refining systems, water supply, and transportation. Critical infrastructures that do not necessarily use the SCADA system discussed here include telecommunications, banking and finance, emergency services, etc. Clearly, critical infrastructure is one of the most important factors supporting a nation's life. Figure 1-2 gives a high-level view of the smart grid and shows where the SCADA system lies in it. The enterprise, control center, field area network and substation are all part of the SCADA architecture [1].

Figure 1-2: SCADA As An Integral Component Of Smart Grid [29]

SCADA systems are widely deployed in critical infrastructure industries, where they provide remote supervision and control. SCADA consists of automated processes developed to assist in the management and control of the electrical power grid. SCADA consists of complex interconnected controls, which adds to the challenge of delivering secure and reliable service. The basic function of a SCADA system is to monitor and control the equipment responsible for delivering power. Extended functionality of SCADA includes fault detection, equipment isolation and restoration, load and energy management, automated meter reading, and substation control.

The SCADA systems used today by the utilities were developed and deployed many years ago. At that time there was no Internet and no public or private networks. Hence, the only security threat was physical destruction of the systems. With the introduction of equipment automation and deregulation, SCADA systems needed to have some kind of interconnected network. The need for remote connections to these control devices exposed the network to a completely new set of vulnerabilities [2].

1.2 SCADA System Components And Functions

SCADA is a congregation of independent systems that measure and report in real time on both local and geographically remote distributed processes. It is a combination of telemetry and data acquisition that enables a user to send commands to distant facilities and collect data from them. Telemetry is a technique for transmitting and receiving data over a medium. Data acquisition is a method of collecting data from the equipment being controlled and monitored. The layout and functions of the SCADA system are discussed in this section [3].

Figure 1-3: SCADA System Components [4]

As shown in figure 1-3, the fundamental components of the SCADA control system are the master terminal unit, the communication network and the remote terminal units. The supervisory control and monitoring station, also called the master terminal unit (MTU), consists of engineering workstations, a human machine interface, application servers, and a communications router. The master terminal unit issues commands to distant facilities, gathers data from them, interacts with other systems in the corporate intranet for administrative purposes, and interfaces with human operators. The master terminal unit has full control over the distributed remote processes. Commands from the MTU to distant facilities can be issued either manually using a human machine interface or by automation [4].

A human machine interface program runs on the master terminal unit computer. This basically consists of a diagram which mimics the whole plant, making it easier to identify with the real system. Every input/output point of the remote systems can be represented graphically with the current configuration parameters displayed. Configuration parameters such as trip values and limits can be entered on this interface. This information is communicated through the network and downloaded onto the operating systems of the corresponding remote locations, which update all the values. A separate window with a list of the alarms set up in the remote station network can also be displayed. The window displays the alarm tag name, description, value, trip point value, time, date and other important information. Trend graphs can also be displayed. These graphs show the behavior of a certain unit by logging values periodically and displaying them in a graph. If any abnormal behavior of the unit is seen, then appropriate actions can be taken at the right time [4].

The remote sites in figure 1-3 are known as field sites. A field site basically consists of so-called field instrumentation: devices that are connected to the equipment or machines being controlled and monitored by the SCADA system. These devices include sensors to monitor certain parameters and actuators for controlling certain modules of the system. Other devices in the field sites are controllers, pulse generators, etc. [4].

These devices convert physical parameters to electrical signals which are readable by the remote station equipment. The outputs can be read in either analog or digital form. Generally voltage outputs have fixed levels such as 0 to 5 V, 0 to 10 V, etc. Voltage levels are transmitted when sensors are located close to the controllers, and current levels are transmitted when they are located far from the controllers. Digital readings can be used to check whether the system is enabled or disabled, i.e. in operation or out of operation. Actuators send commands to the equipment, i.e. turn the equipment on and off [4].

The field instrumentation just described is interfaced with a controller called a remote terminal unit (RTU) or programmable logic controller (PLC). Both basically consist of a computer controller which can be used for process manipulation at the remote site. They are interfaced with the communication system connected to the master terminal unit (MTU). The PLC has very good programmability features while RTUs have better interfaces to the communication lines. The advancement in this area is the merging of PLC and RTU to exploit both sets of features. Hence the overall function of this architecture is that the MTU communicates with one or more remote RTUs by sending requests for information that those RTUs gather from devices, or instructions to take an action such as opening and closing valves, turning switches on and off, etc. [4].

An intelligent electronic device (IED) is a protective relay that communicates with the remote terminal unit. A number of IEDs can be connected to the RTU. They are all polled and their data is collected. IEDs also have a direct interface to control and monitor sensory equipment. IEDs have local programming that allows them to act without commands from the control center. This makes the RTU more automated, and even the amount of communication with the MTU is reduced [4].
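As an added example (not code from the report or from any SCADA vendor), the following Python sketch models the data flow this section describes: raw sensor counts scaled to the 0-5 V / 0-10 V levels and to engineering units, an RTU snapshot polled by the MTU, HMI alarms built against configured trip points, and an IED whose local programming opens a breaker without an MTU command. All tag names, ranges, trip points and the 12-bit converter are constructed assumptions.

```python
"""Toy model of the SCADA data flow in section 1.2 (added example, not from the
report): field instrumentation feeds an RTU, an IED applies its own local protection
logic, and the MTU polls both and raises HMI alarms against configured trip points."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

ADC_FULL_SCALE = 4095  # assumed 12-bit converter in the field instrumentation


def scale_analog(raw: int, volts_full_scale: float, eu_full_scale: float) -> tuple[float, float]:
    """Raw sensor count -> (sensor volts on a 0-5 V / 0-10 V range, engineering value)."""
    if not 0 <= raw <= ADC_FULL_SCALE:
        raise ValueError(f"raw count {raw} outside 0..{ADC_FULL_SCALE}")
    fraction = raw / ADC_FULL_SCALE
    return round(fraction * volts_full_scale, 3), round(fraction * eu_full_scale, 3)


@dataclass
class AnalogPoint:
    raw: int                  # count delivered by the sensor
    volts_full_scale: float   # 5.0 or 10.0, the fixed output levels the text mentions
    eu_full_scale: float      # engineering value at full-scale voltage (kV, A, degC)


@dataclass
class RTU:
    """Remote terminal unit: exposes readings to the MTU and holds actuator states."""
    name: str
    analog: dict[str, AnalogPoint]
    digital: dict[str, bool]      # enabled/disabled status inputs
    actuators: dict[str, bool]    # on/off outputs (valves, switches, breakers)
    events: list[str] = field(default_factory=list)

    def read(self) -> dict[str, object]:
        """Snapshot returned on a poll; analog points converted to engineering units."""
        snap: dict[str, object] = {}
        for tag, p in self.analog.items():
            snap[tag] = scale_analog(p.raw, p.volts_full_scale, p.eu_full_scale)[1]
        snap.update(self.digital)
        snap.update(self.actuators)
        return snap


@dataclass
class IED(RTU):
    """Protective relay with local programming: opens its breaker without a command."""
    current_tag: str = ""
    breaker_tag: str = ""
    pickup_amps: float = 0.0

    def local_protect(self) -> bool:
        """Return True if the local overcurrent logic tripped the breaker."""
        amps = self.read()[self.current_tag]
        if amps > self.pickup_amps and self.actuators[self.breaker_tag]:
            self.actuators[self.breaker_tag] = False
            self.events.append(f"{self.breaker_tag} opened locally: {amps} A > {self.pickup_amps} A")
            return True
        return False


@dataclass
class MTU:
    """Master terminal unit: polls remote units and evaluates the HMI trip points."""
    trip_points: dict[str, tuple[str, float]]   # tag -> (description, trip-high value)

    def poll(self, units: list[RTU]) -> list[dict[str, object]]:
        """One scan: collect every unit's snapshot and build the HMI alarm list."""
        now = datetime.now(timezone.utc)
        alarms: list[dict[str, object]] = []
        for unit in units:
            for tag, value in unit.read().items():
                if tag in self.trip_points and isinstance(value, float):
                    desc, trip = self.trip_points[tag]
                    if value > trip:   # the fields the HMI alarm window shows
                        alarms.append({"tag": tag, "description": desc, "value": value,
                                       "trip_point": trip, "unit": unit.name,
                                       "time": now.strftime("%H:%M:%S"), "date": now.date().isoformat()})
        return alarms


def build_sample_site() -> tuple[MTU, list[RTU]]:
    """Constructed sample site: one RTU, one IED, and an MTU with trip points."""
    rtu1 = RTU("RTU-1", digital={"PUMP1_RUN": True}, actuators={"VALVE1": False},
               analog={"XFMR1_TEMP": AnalogPoint(3000, 10.0, 150.0),   # oil temperature, degC
                       "FEEDER2_KV": AnalogPoint(2048, 5.0, 20.0)})    # bus voltage, kV
    ied3 = IED("IED-3", digital={}, actuators={"BRK3": True},
               analog={"FEEDER3_A": AnalogPoint(3500, 10.0, 1500.0)},  # line current, A
               current_tag="FEEDER3_A", breaker_tag="BRK3", pickup_amps=1000.0)
    mtu = MTU({"XFMR1_TEMP": ("Transformer 1 oil temperature high", 100.0),
               "FEEDER2_KV": ("Feeder 2 voltage high", 21.0),
               "FEEDER3_A": ("Feeder 3 overcurrent", 1200.0)})
    return mtu, [rtu1, ied3]


if __name__ == "__main__":
    mtu, units = build_sample_site()
    units[1].local_protect()   # the IED acts before the MTU's scan arrives
    print(mtu.poll(units), [u.events for u in units])
```

Running it shows the IED trip recorded in its own event log before the MTU scan reports the same overcurrent, which is the reduced master-to-field dependency the text describes.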
Communication media used between the MTU and RTU vary from wired networks such as the public switched telephone network to wireless or radio networks. The MTU and the administrative systems are connected in a LAN (Local Area Network). In the communication medium between

MTU and RTU, the most commonly used protocols are the distributed network protocol (DNP3) and Modbus. DNP3 is an open standard and a relatively new protocol. The older systems use the Modbus protocol. DNP3 and Modbus have been adopted by a number of vendors which support the SCADA system. Both the DNP3 and Modbus protocols have been extended to be carried over TCP/IP. Also connected to the control system discussed above is an enterprise network. This connectivity provides decision makers with access to real-time information and allows engineers to monitor and control the control system [4].

The above architecture has a number of vulnerabilities. The MTU and RTUs are connected via the Internet, the public switched telephone network (PSTN), cable or wireless. The most common security issue in all the above communication networks is eavesdropping. Wireless and Internet links are prone to replay attacks, denial of service attacks, etc. Outside vendors, consumers, and business partners can carry out attacks on this architecture since they are connected to the enterprise network through the Internet connection shown in figure 1-3. Hence, these entities have indirect access to the MTU since the enterprise network is connected to the control system. Remote stations have a communication interface which allows field operators to communicate via a wireless protocol or remote modem to perform maintenance operations. These operations are done using handheld devices. When an unauthorized person gets access to such a handheld device, they could cause harm to the system. There are several more security issues in this architecture, and they will be covered in this project [4].

1.3 Literature Review

In this section, we discuss work done on SCADA systems by other organizations and the various ways in which they are looking at security issues. Critical infrastructure protection is of prime importance since it directly affects the citizens.
The Department of Homeland Security (DHS) is responsible for infrastructure protection [5]. Two security programs, including the Control Systems Security Program (CSSP) of the National Cyber Security Division (NCSD), were formed by the DHS. Their main task is identifying, analyzing, and reducing cyber risks in control systems. The Idaho National Engineering and Environmental Laboratory (INEEL), along with Sandia National Laboratory, has created a SCADA test bed. The test bed consists of a functional power grid and a wireless test bed, and is used to validate all developed protocols before deploying them into the real environment. The Center for SCADA Security has been formed at Sandia National Laboratory, where research, training, red teams, and standards development take place. Researchers at Sandia recently developed and published a SCADA Security Policy Framework [6], which ensures all critical topics have been adequately addressed by a specific policy. Standards bodies such as NIST (National Institute of Standards and Technology) and NERC (North American Electric Reliability Council) also work on addressing control system security. NERC has finalized cyber security standards [7] that establish the requirements for security management programs, electronic and physical protection, incident reporting, and recovery plans, and NIST, through its Process Control Security Requirements Forum (PCSRF), has defined a set of common security requirements for existing and new control systems in various industries [8] [9]. The Process Control System Forum (PCSF), founded in February 2005, has a mission to accelerate the design, development, and deployment of more secure control and legacy systems that are crucial to securing critical infrastructures. Many more organizations carry out research work on the security of SCADA systems.

This project covers present and potential security issues in the SCADA system. It also discusses a few countermeasures which have been verified on the test beds developed by some of the above organizations [5].

1.4 Conclusion

The SCADA architecture facilitates the smart grid in meeting its goals in a number of ways. For instance, suppose the power requirement of an industrial area is at its peak during the daytime and much lower during the night. In this case the utility can communicate to the SCADA network in the power generation units to reduce the amount of power generated during down times. This results in better utilization of power and a reduction of greenhouse effects and the carbon content in the environment. Because hackers and disgruntled employees can also send such a signal to the SCADA network, potentially causing instabilities in the power grid, or send false signals, it is important to research the security issues in the SCADA architecture so that they can be corrected.

The core of this project is to understand the SCADA architecture and find the current and potential security vulnerabilities. The project also covers the countermeasure techniques that can be applied to combat these security issues. Research issues that still need to be explored are also discussed in this project.

Chapter 2 describes the requirements of a SCADA system and the threats to it. Chapter 3 discusses master terminal unit and remote terminal unit security issues and countermeasures. Chapters 4 and 5 discuss security issues and countermeasures for the DNP3 and Modbus communication protocols. Chapter 6 discusses the research issues that still need more work in order to provide good security. Chapter 7 gives the conclusion, strengths, weaknesses and future work.


Chapter 2

SCADA SYSTEM REQUIREMENTS AND THREATS

This chapter discusses the various requirements of a SCADA system that need to be satisfied while developing security solutions. The threats faced by the SCADA system are also listed in this chapter.

2.1 Requirements In A SCADA System

In order to find the security concerns in the present SCADA system and also develop security measures, it is important to learn about the requirements of a SCADA system [10]. The following is a list of considerations when looking into the security of a SCADA system.

1. Some sections of the SCADA network are time-critical systems. They can tolerate an acceptable amount of delay and jitter, but if these bounds are not met it might hamper the operation of the network. Also, a few sections of the architecture need deterministic inputs. An example of a deterministic system is a digital system which can have input values of only 0 or 1, i.e. turn the system on or off. These performance requirements are highly important for the normal operation of the network [10].

2. The availability of the SCADA system is extremely important. Its components should be available in a timely manner so that the processes, which are continuous in nature, are not hampered. Unexpected outages of these systems are not acceptable in an industrial control system, because an outage will cause a chain reaction, disturb a whole set of operating processes and can bring down the system. In order to make sure that such an incident does not occur, it is important to carry out the pre-deployment testing essential to ensure high availability of the system. When unexpected outages occur, many control systems cannot be easily stopped and started without affecting production. In some cases, the products being produced or the equipment being used is more important than the information being relayed. Therefore, strategies like rebooting the system would not be acceptable in some situations, because it may adversely affect the requirements of high availability, reliability and maintainability of the SCADA system. One way to solve this is to have redundant components installed and running in parallel, so that they provide continuity when some of the primary components are unavailable. Another advantage of this strategy is that updating and maintaining the primary system can also be carried out, since the redundant system can take over its functionality for a period of time [10].

3. One of the most important requirements in any industrial system is managing risk. Human or personnel safety is of primary importance. Safety and fault tolerance are essential to prevent loss of life, endangerment of public health or confidence, loss of equipment, loss of intellectual property, and damage to products. Complying with regulatory terms and conditions helps to satisfy the above concerns to a great extent. Also, the personnel who operate and maintain the SCADA system must understand the link between safety and security; they need to understand when security can be compromised in order to provide safety [10].

4. In some architectures, such as IT systems, it is important to protect information whether it is stored centrally or distributed. In a SCADA system, information that is stored and processed centrally is more critical and needs more protection. Information stored in remote devices such as PLCs and RTUs is also important, since they are directly responsible for controlling the end processes. At the same time, it is equally important to secure a SCADA system's central server, because if it were compromised, it would affect the edge devices also [10].

5. A SCADA system comprises many complex interactions, and these translate into physical events. Consequently, all security functions integrated into the SCADA system must be tested (e.g., off-line on a comparable SCADA system) to prove that they do not compromise normal SCADA functionality [10].

6. Time-critical responses on a SCADA system should be handled carefully. A requirement for password authentication on the human machine interface might interfere with actions that need to be taken, for instance, during emergencies. At the same time, information flow must not be interrupted or compromised. Because of that, access to these systems should mainly be restricted by physical security controls [10].

7. There are a lot of resource constraints in SCADA systems. Real-time operating systems are often constrained systems with limited computational and memory resources, which makes it difficult to add many security features to the system. Retrofitting new security capabilities will consume these resources and might slow down the systems, thereby failing the requirement of time criticality. Another concern is that third-party security solutions, when introduced into the SCADA architecture, might clash with the vendor license agreement and hence result in loss of support for that equipment from the vendor [10].

8. Maintaining the integrity of the SCADA system is of paramount importance. For example, unpatched software represents one of the greatest vulnerabilities to a system. Because of the nature of a SCADA system, it is very hard to update the software regularly. There are a number of steps that need to be carried out before an update can be applied to the system. Thorough testing of updates needs to be done in an environment which can emulate the industrial process system. Backup systems can be configured so that they replace the primary systems during these updates. Revalidation of the updates must be carried out before deploying them into the network. Sometimes the operating system might no longer be supported by the vendor; hence patches may not be useful for such systems. These updates also apply to firmware and hardware. This is one of the examples where the integrity of the system might be compromised. Hence such a change in the management of the system must be thoroughly assessed by engineers who have expertise in those areas before it is applied [10].

9. The lifetime of the components used in SCADA is often on the order of 15-20 years. Also, the technology used here has been developed for very specific uses. Hence, when adding security features, care should be taken to ensure they remain effective and available over the entire operating lifetime of the components [10].

2.2 Threats To SCADA Network

There are a number of threats to the SCADA network, which can be classified into the following categories [10].

Attackers: Attackers break into the network not to cause intentional harm but to explore their hacking capabilities. There are attack scripts available on the internet for free that can be used to attack the network. Hence, even if an attacker does not have a significant amount of knowledge or skill, their actions can cause relative harm to the network. This will not be harmful to the network if only one person or a few persons do it; however, harm is more likely when a large number of people are involved in hacking it. Also, attack tools are readily available and have become so easy to use that they pose a significant threat to the SCADA network. They can cause brief disruption in normal operation and result in serious damage [10].

Criminal Groups: The main motive of these threat groups is to attain monetary gain by attacking the system. They can set up attack scenarios which take over multiple systems to coordinate attacks and distribute phishing schemes, spam and malware. This can be used to carry out identity theft and online fraud. A number of organizations have been formed which consist of trained attackers, in order to conduct industrial espionage resulting in large-scale monetary theft [10].

Foreign intelligence services: The main motive of these organizations is to collect secret information. They can use various cyber tools in order to carry out their spying activities and hence gather information. Several nations are developing information warfare doctrines, programs and capabilities. These capabilities can have a serious impact by disrupting communication and causing economic harm to the nation which is being attacked [10].

Insiders: Insiders are people who work in the SCADA environment and can cause harm. Insiders, who can be employees, vendors or contractors, are a principal source of computer crime. Even though they might not have in-depth knowledge of the system, they have unrestricted access to the system, which allows them to steal data and hence cause damage. Another way in which harm can be caused is when certain system maintenance is outsourced to a third-party vendor and people from that company have access to these systems. If their understanding of the system is incomplete, they can introduce malware into the system accidentally. Impacts can range from trivial to very severe damage [10].

Phishers, Spammers, Spyware/malware authors: Phishers try to steal identities or information which can be used to cause harm to the network. Spammers are people who distribute unsolicited email with hidden malicious code or false information. Viruses and worms which spread in the network and cause harm to files and hard drives can result in very serious impact [10].

Terrorist Groups: These groups can cause harm to such a large extent that it can result in disrupting the daily life of people. They seek to destroy, incapacitate, or exploit the network in order to threaten national security, cause deaths, weaken the economy, and damage public morale and confidence. They use strategies such as causing harm on one system so that attention is diverted, and then causing harm on other systems which are not being watched during that time [10].


Chapter 3

MASTER TERMINAL UNIT AND REMOTE TERMINAL UNIT VULNERABILITIES AND COUNTERMEASURES

3.1 Introduction

The SCADA system works with the corporate environment, though it was originally designed to operate as an individual unit. The core intention of the control system design is efficiency and security. Another commonly observed activity with SCADA providers is remote access to perform routine maintenance jobs. The communication protocols of SCADA are designed with minimal security features. These design and behavioral patterns are the reasons for the security weakness of the SCADA system. These vulnerabilities in a critical infrastructure make it very susceptible to cyber attacks. Adversaries would be able to identify these vulnerabilities and execute attacks. The effects of those attacks and their consequences are discussed below [10].

Physical impacts: Physical impacts consist of the direct consequences of SCADA misoperation. The potential effects of paramount importance include personal injury or loss of life. Other effects include the loss of property (including data) or damage to the environment.

Economic impacts: Economic impacts follow a physical impact from a cyber intrusion. The ripple effect of a physical impact could in turn cause a severe economic loss to the facility or companies. A bigger impact would be a negative effect on the local, national or even the global economy.

Social impacts: The consequence of physical and economic damage would be loss of public confidence and national confidence in the organization. This is generally overlooked; however, it is a very real target and one that can be accomplished through cyber attacks. Social impacts may possibly lead to heavily depressed public confidence or the rise of popular extremism.

Because of the prevalent security threats and the corresponding magnitude of the consequences, various organizations are carrying out study and research to combat attacks on SCADA. The intention is also to make a more secure SCADA system for the future. In the following sections, the master terminal unit and remote terminal unit platform vulnerabilities are discussed. Additionally, how these loopholes are being introduced and the effects of exploiting them are covered here.

3.2 Vulnerabilities In The SCADA System

Figure 3-1 shows the security vulnerabilities pattern from 1995 to the first half of 2003. The exponential increase in vulnerabilities is due to the increased accessibility of the SCADA system to the outside world [4].


Figure 3-1: Security Vulnerabilities Pattern [4]
Source: GAO analysis based on Carnegie-Mellon University's CERT Coordination Center data

A general misconception about the SCADA system is that "the SCADA system resides on a physically separate, standalone network" [11]. Historically, most SCADA systems were built before the other components of the network and were separate from the rest of the network as well; this has led IT managers to believe that these systems cannot be accessed from the corporate network or from a remote access point. Unfortunately, this belief is usually fallacious. In reality the scenario is quite different: the SCADA network and the corporate networks are more often bridged (Figure 1-3) due to recent changes in information management practices. The two changes that play a key role are discussed below.

The first change is the growing demand for remote access computing, which has encouraged many utilities to establish connections to the SCADA system that enable SCADA engineers to remotely monitor and control the system from points on the corporate network [11].

The second main reason is information access to assist corporate decisions. Many utilities have allowed corporate connections to the SCADA systems, as it makes instant access to critical information and operational status easier for higher management and corporate decision-making processes [11].

The second false belief at large about the SCADA system is that "connections between SCADA systems and other corporate networks are protected by strong access control" [11]. Many of the interconnections between corporate networks and SCADA systems require the integration of systems with different communications standards. This results in an infrastructure that is engineered to move data successfully between two unique systems. The complexity arising from integrating disparate systems overshadows the need to address the security risks that accompany such network arrangements. As a result, access controls designed to protect SCADA systems from unauthorized access through corporate networks are usually minimal, mainly because network managers often overlook key access points connecting these networks. Strategic use of internal firewalls and intrusion detection systems (IDS), coupled with strong password protection, is highly recommended [11].

The third misconception is that "SCADA systems require specialized knowledge, making it difficult for network intruders to access and control the SCADA system" [11]. The reason behind this misconception is the assumption that intruders need to possess in-depth knowledge about the SCADA design and implementation. This assumption is inappropriate in the current utility environment, which is highly interconnected and vulnerable to cyber attacks. Figure 3-2 below shows the highly interconnected SCADA network.


Figure 3-2: Interconnected SCADA Network [33]

Utility companies, being one of the key components of the nation's critical infrastructure, are a hot target for cyber terrorists as opposed to disorganized hackers. These attackers are highly motivated, well-funded and may very well have insider knowledge about the system. Further, a well-equipped attacker with the sole intention of disrupting the operation of the SCADA system will gain a detailed understanding of the SCADA system and its vulnerabilities by any means. The following sections list the various vulnerabilities of the SCADA system. Some of the listed ones are already present in the SCADA system, while others are potential vulnerabilities. Table 3-1 lists all the vulnerabilities and shows whether they are already present in the system or are potential vulnerabilities.

Vulnerability                              Potential / Currently present in SCADA system
Public Information Availability            Present Vulnerability
Policy and Procedure vulnerabilities       Potential Vulnerability
Platform Configuration vulnerabilities     Potential Vulnerability

Table 3-1: List Of Potential And Present Vulnerabilities In MTU And RTUs

3.2.1 Public Information Availability

Often, too much information about a utility company's corporate network is easily available through routine public queries. This information can be used to initiate a more focused attack against the network [11]. Examples of this vulnerability are listed below:

- Websites often provide data useful to network intruders about company structure, employee names, e-mail addresses, and even corporate network system names.
- Domain name service (DNS) servers permit zone transfers, providing IP addresses, server names, and e-mail information.

The availability of this infrastructure and vulnerability data was demonstrated earlier this year by a George Mason University graduate student, whose dissertation reportedly mapped every business and industrial sector in the American economy to the fiber optic network that connects them, using material that was available publicly on the Internet, none of which was classified [4]. Many of the electric utility officials who were interviewed for the National Security Telecommunications Advisory Committee's Information Assurance Task Force's Electric Power Risk Assessment expressed concern over the amount of information about their infrastructure that is readily available to the public. In the electric power industry, open sources of information, such as product data and educational videotapes from engineering associations, can be used to understand the SCADA of the electrical grid. Other publicly available information, including filings of the Federal Energy Regulatory Commission (FERC), industry publications, maps, and material available on the Internet, is sufficient to allow someone to identify the most heavily loaded transmission lines and the most critical substations in the power grid [11]. In addition, significant information on control systems is publicly available, including design and maintenance documents, technical standards for the interconnection of control systems and RTUs, and standards for communication among control devices, all of which could assist hackers in understanding the systems and how to attack them. Moreover, there are numerous former employees, vendors, support contractors, and other end users of the same equipment worldwide with inside knowledge of the operation of control systems [11].

3.2.2 Policy And Procedure Vulnerabilities

Some of the potential vulnerabilities in the SCADA system, as discussed by NIST (National Institute of Standards and Technology) in its Guide to Industrial Control Systems Security, are listed below [10].

1. Inadequate security policy for the SCADA: Vulnerabilities are often introduced into SCADA due to inadequate policies or the lack of policies specifically for control system security [10].

2. No specific or documented security procedures were developed from the security policy for the SCADA: Specific security procedures should be developed and employees trained for the SCADA. They are the roots of a sound security program [10].

3. Absent or deficient SCADA equipment implementation guidelines: Equipment implementation guidelines should be kept up to date and readily available. These guidelines are an integral part of security procedures in the event of a SCADA malfunction [10].

4. Lack of administrative mechanisms for security enforcement: Staff responsible for enforcing security should be held accountable for administering documented security policies and procedures [10].

5. No formal SCADA security training and awareness program: A documented formal security training and awareness program is designed to keep staff up to date on organizational security policies and procedures as well as industry cyber security standards and recommended practices. Without training on specific SCADA policies and procedures, staff cannot be expected to maintain a secure SCADA environment [10].

6. Inadequate security architecture and design: Control engineers have historically had minimal training in security and until relatively recently vendors have not included security features in their products [10].

7. Few or no security audits on the SCADA: Independent security audits should review and examine a system's records and activities to determine the adequacy of system controls and ensure compliance with established SCADA security policy and procedures. Audits should also be used to detect breaches in SCADA security services and recommend changes, which may include making existing security controls more robust and/or adding new security controls [10].

8. No SCADA specific continuity of operations or disaster recovery plan (DRP): A DRP should be prepared, tested and available in the event of a major hardware or software failure or destruction of facilities. Lack of a specific DRP for the SCADA could lead to extended downtimes and production loss [10].

9. Lack of SCADA specific configuration change management: A process for controlling modifications to hardware, firmware, software, and documentation should be implemented to ensure a SCADA system is protected against inadequate or improper modifications before, during, and after system implementation. A lack of configuration change management procedures can lead to security oversights, exposures, and risks [10].

3.2.3 Platform Vulnerabilities

3.2.3.1 Platform Configuration Vulnerabilities

Earlier SCADA hardware, software, and network protocols were proprietary and not made publicly accessible, making it more difficult for hackers to attack the system as they did not have knowledge about it. However, growing competition and the drive to perform better and reduce cost have led organizations to make a transition from proprietary systems to standardized technologies such as Microsoft Windows, UNIX operating systems and the common networking protocols used by the internet. As a consequence of using standardized solutions, there is an increased number of people with the knowledge to wage attacks. The following is a list of vulnerabilities that could be potential threats to the SCADA platform configuration [10].

3.2.3.1.1 Operating System Related Vulnerabilities

Since standard operating systems can be used off the shelf, they are a viable solution for organizations in terms of cost. However, there are numerous vulnerabilities associated with these standard operating systems. A customized operating system is needed to meet the complexity of the SCADA system. Developing patches to the standard operating system in order to meet SCADA requirements might take a considerable amount of time. During the period in which patch development is taking place, the SCADA system with just the standard OS is prone to attacks. These patches must go through exhaustive testing before they are deployed in the system, or else they will compromise the normal operation of the SCADA system. Critical configurations are not stored or backed up; therefore, in case of an emergency or outage these systems cannot be restored with the same secured configurations [10].

3.2.3.1.2 Password Related Vulnerabilities

The common password vulnerabilities (some of which might not apply to SCADA) are the lack of an adequate password policy, password disclosure, and password guessing. Password policies define when passwords need to be used, how strong they must be and how they must be maintained. Password disclosure relates to passwords being kept confidential. Password guessing relates to the vulnerabilities introduced into the system when poorly chosen passwords are used. Some of the above might be potential vulnerabilities in the SCADA system. For example, if systems do not have appropriate passwords, they could allow unauthorized access to the system. Therefore a password policy is required. Some of the potential vulnerabilities in the SCADA system with respect to password disclosure are the use of unencrypted passwords and the sharing of passwords. The policy should make sure that passwords maintain their confidentiality [10]. Potential vulnerabilities can also be introduced into the system when passwords are poorly chosen, default passwords are used, or passwords are not changed over a period of time. Passwords must be implemented on all SCADA components, but at the same time it should be ensured that password authentication does not hamper emergency actions [10]. Some of the methods to combat these issues are the use of biometrics, which authenticate personnel with retinal scanning, fingerprint scanning, voice recognition, etc. If all these critical systems were kept in a particular secure enclosure equipped with cameras, video surveillance could track all the activities [10].
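The password policy points above (minimum strength, no default or shared passwords, confidential storage, periodic change) can be turned into an automated check. The following Python is an added example written for this section; it is not code from the project or from [10]. It enforces a minimum length and character mix, rejects a constructed placeholder list of default passwords, detects a password already in use by another account by comparing salted PBKDF2 hashes rather than plaintext, and reports accounts whose password is older than the policy age. The policy values, the default list and the sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import os
from datetime import date

# Policy values assumed for this example (a site would take them from its own policy).
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
# Constructed placeholder list of default passwords; not taken from any product manual.
DEFAULT_PASSWORDS = {"password", "admin", "1234", "scada", "operator"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the password store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_password_policy(candidate: str, username: str, other_accounts: dict) -> list:
    """Return the list of policy violations for a proposed password.

    other_accounts maps username -> (salt, stored_hash) for the other accounts,
    which lets the check detect a shared password without ever seeing plaintext.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("too_short")
    if candidate.lower() in DEFAULT_PASSWORDS:
        violations.append("vendor_default")
    if username.lower() in candidate.lower():
        violations.append("contains_username")
    # Require at least three of: lower case, upper case, digit, other symbol.
    classes = sum(
        any(pred(c) for c in candidate)
        for pred in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )
    if classes < 3:
        violations.append("low_complexity")
    for other, (salt, stored) in other_accounts.items():
        if other != username and hmac.compare_digest(hash_password(candidate, salt), stored):
            violations.append("shared:" + other)
    return violations


def stale_accounts(accounts: list, today: date) -> list:
    """Names of accounts whose password is older than MAX_AGE_DAYS."""
    return [
        acct["user"] for acct in accounts
        if (today - acct["last_changed"]).days > MAX_AGE_DAYS
    ]


# Constructed sample account list (no passwords; only the last-change dates are needed).
SAMPLE_ACCOUNTS = [
    {"user": "op_a", "last_changed": date(2009, 11, 15)},
    {"user": "op_b", "last_changed": date(2009, 6, 1)},
    {"user": "eng_c", "last_changed": date(2009, 9, 1)},
]

if __name__ == "__main__":
    salt = os.urandom(16)
    existing = {"op_b": (salt, hash_password("Wq7!vT2#kLp9", salt))}
    print(check_password_policy("admin", "op_a", existing))         # weak default
    print(check_password_policy("Wq7!vT2#kLp9", "op_a", existing))  # shared with op_b
    print(stale_accounts(SAMPLE_ACCOUNTS, date(2009, 12, 1)))       # overdue for change
```

The shared-password check needs each account's salt, so it runs at password-change time against the existing store; it never requires decrypting or exporting plaintext passwords, which is the disclosure risk the section warns about.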

3.2.3.1.3 Access Control Related Vulnerabilities

Inadequately specified access control results in a SCADA user having too many or too few privileges. The following exemplify each case. Consider a system that is configured with default access control settings; this gives any operator system administrative privileges. The second scenario would be a system which is improperly configured and could leave an operator with not enough access rights to take corrective actions under emergencies [10].
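Both failure modes just described (every operator an administrator, and an operator locked out of corrective actions) can be caught by auditing the role table. The Python below is an added example for this section, not code from the project or from [10]; the role and permission names, and the three constructed role tables it compares, are assumptions. It flags administrative rights held outside the administrator role and emergency actions missing from the operator role.

```python
# Permission names and roles are assumptions for this example, not a product's.
ADMIN_ONLY = frozenset({"manage_users", "change_config", "install_patch"})
EMERGENCY = frozenset({"trip_breaker", "acknowledge_alarm", "manual_override"})
VIEW = frozenset({"view_hmi"})

# Weak setting: a constructed "factory default" table where every role holds every right.
FACTORY_DEFAULT = {
    "administrator": ADMIN_ONLY | EMERGENCY | VIEW,
    "operator": ADMIN_ONLY | EMERGENCY | VIEW,
    "viewer": ADMIN_ONLY | EMERGENCY | VIEW,
}

# Over-restricted setting: operators cannot take corrective action in an emergency.
OVER_RESTRICTED = {
    "administrator": ADMIN_ONLY | EMERGENCY | VIEW,
    "operator": VIEW | {"acknowledge_alarm"},
    "viewer": VIEW,
}

# Corrected setting: least privilege, with emergency rights kept for operators.
HARDENED = {
    "administrator": ADMIN_ONLY | EMERGENCY | VIEW,
    "operator": EMERGENCY | VIEW,
    "viewer": VIEW,
}


def audit_role_table(role_permissions: dict) -> dict:
    """Return {role: [issues]} for roles with too many rights (administrative
    functions outside the administrator role) or too few (operators lacking
    any of the emergency actions). An empty dict means the table is clean."""
    findings = {}
    for role, perms in role_permissions.items():
        issues = []
        excess = perms & ADMIN_ONLY
        if role != "administrator" and excess:
            issues.append("excess_privilege:" + ",".join(sorted(excess)))
        if role == "operator":
            missing = EMERGENCY - perms
            if missing:
                issues.append("missing_emergency_rights:" + ",".join(sorted(missing)))
        if issues:
            findings[role] = issues
    return findings


if __name__ == "__main__":
    for name, table in (("factory default", FACTORY_DEFAULT),
                        ("over-restricted", OVER_RESTRICTED),
                        ("hardened", HARDENED)):
        print(name, audit_role_table(table))
```

Running the audit as part of the configuration change management process (section 3.2.2, item 9) catches both a reverted factory default and an over-tightened table before either reaches the control room.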

3.2.3.2 Platform Software Vulnerabilities

3.2.3.2.1 Denial Of Service

Cyber attacks that are based on denial of service (DoS) mechanisms, and others that spread due to viruses and worms by causing a traffic avalanche in short durations, can potentially bring down systems and cause a disruption of services; these are known as flood-based cyber attack types. There is no well-known, fool-proof defense against such cyber attacks in the computing literature. Various effective ad hoc solutions have been adopted on traditional computer networks. If the access links that connect the SCADA network to the Internet are swamped by heavy traffic caused by such attacks, it could prove disastrous, as the control and supervisory data (including alarms and IED data) flowing to the SCADA network could be lost in the network. The gateway or firewalls installed to monitor the incoming traffic could be overloaded by the large volumes of attack traffic. Thus the ability of the SCADA network to respond to actual failures can be significantly affected. Also, the traffic flood could contain malicious messages that could confuse the SCADA systems to a great extent [13].
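Even without a fool-proof defense, a flood of the kind described above is easy to recognize at the gateway from the packet rate per source. The Python below is an added example for this section, not code from the project or from [13]: it builds a constructed gateway log (a normal DNP3 poll every half second from an RTU address plus a 150-packet burst from one outside address, using documentation IP ranges) and runs a sliding-window rate check over it. The log format, addresses and threshold are assumptions for the example.

```python
from collections import defaultdict, deque


def build_sample_log() -> str:
    """Constructed gateway log, one "<seconds> <src_ip> <dst_ip> <proto>" per line:
    a DNP3 poll every 0.5 s from an RTU plus a 150-packet burst from one outside
    address. Addresses are documentation ranges, not real hosts."""
    records = [(1000.0 + i * 0.5, "10.0.0.5", "192.168.1.10", "dnp3") for i in range(20)]
    records += [(1003.0 + i * 0.002, "198.51.100.7", "192.168.1.10", "tcp") for i in range(150)]
    records.sort()
    return "\n".join(f"{ts:.3f} {src} {dst} {proto}" for ts, src, dst, proto in records)


def parse_line(line: str):
    ts, src, dst, proto = line.split()
    return float(ts), src, dst, proto


def detect_floods(lines, window: float = 1.0, threshold: int = 100) -> dict:
    """Sliding-window rate check per source address.

    Returns {src: peak_packets_in_window} for every source whose packet count
    inside any `window`-second span exceeds `threshold`. Lines must be in time
    order, as they are in a gateway log.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the current window
    peak = defaultdict(int)       # per-source maximum window occupancy seen so far
    for line in lines:
        if not line.strip():
            continue
        ts, src, _, _ = parse_line(line)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


if __name__ == "__main__":
    print(detect_floods(build_sample_log().splitlines()))   # {'198.51.100.7': 150}
```

The RTU's steady poll never puts more than three packets in any one-second window, so it stays below the threshold, while the burst address is reported with its peak rate; that output is what an operator or an upstream filter would act on to keep the alarm and IED traffic flowing.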

3.2.3.2.2 Malware Protection Definitions Not Current And Implemented Without Exhaustive Testing

The presence of malicious software can result in system performance degradation, loss of vital data and dysfunctional system behavior [10]. The above issues can be avoided by the installation of anti-malware software. But when this anti-virus software is outdated or not thoroughly tested, the same software can cause more damage than it prevents. The reason is that the same vulnerabilities are still present in the system, while at the same time the operator has a false sense of security and therefore remains unaware of the problem. The SCADA operator will remain confident that the anti-virus software is operational and is protecting the system.

3.3 Countermeasures For MTU And RTU Security Issues

As discussed in the previous section (section 3.2), the security issues in the master terminal unit and remote stations lie mostly within the platform and policy. In this section we discuss various ways to overcome these security issues.


3.3.1 Countermeasures For Policy And Procedure Vulnerabilities

Figure 3-3 shows the structure used to implement security policies and procedures. The structure encompasses all the security features that need to be covered in a security policy [12].

Figure 3-3: Basic Functions Of SCADA Security Policy [12]

Each block in the above chart and its functionality is described below. A detailed, documented list of the overall security architecture of a system is kept in a security plan. Some areas covered in the security plan are policies and procedures for operational security, user and data authentication, backup policies, etc. The implementation guide details how the above security plans need to be implemented, which are the relevant areas in the entire architecture, and where they need to be implemented. Configuration management includes all the configuration details listed for every piece of equipment and all the relevant security policies that apply to them. Enforcement and auditing make sure that the security policies, plan and implementation for each piece of equipment are done correctly and also maintained correctly [12].

3.3.2 Regular Vulnerability Assessments

All the SCADA equipment has to be regularly assessed to check whether any abnormal operations are taking place. These assessments must be done on a regular basis and should be recurring. Along with the operational units, the other components of SCADA, like the corporate network, database servers, and local desktop computers used for customer management, should be assessed so that any unseen security gaps in the system can be overcome and protection increased [13].

3.3.3 Expert Information Security Architecture Design

There are best practices that can be used to overcome most of the security issues in the network. Also, a number of new technologies have been developed to combat vulnerabilities such as malware attacks and unauthorized access to systems. When these are installed into the system, the configuration should be such that there are no gaps; if they are not configured correctly, they will not help to solve the issue. If the solution selected is not relevant to the security issue that needs to be solved, then it is a waste of investment. In order to minimize these risks, the utility companies must hire security experts who can understand the architecture of the network and propose solutions that exactly overcome the loophole and do not introduce newer security issues [13].

3.3.4 Implement The Security Features Provided By Device And System Vendors Older SCADA networks did not have many security features to protect the system. The utility companies which own the SCADA networks must ask the vendor to provide security patches for the existing system and also to produce newer systems with enhanced security features. Also, factory default security settings should not be used, because their intent is to provide excellent usability with the minimum amount of security. When the default settings are changed and are not set to their maximum security limits, a thorough risk assessment must be done before those levels are fixed [13].

3.3.5 Establish Strong Controls Over Any Medium That Is Used As A Backdoor Into The SCADA Network Strong authentication must be implemented to ensure secure communications wherever backdoor vendor connections exist in the SCADA system. Modems, wireless and wired networks used for communications and maintenance represent a significant vulnerability to the SCADA network and remote sites. False packets sent from the enterprise network can attack the SCADA system if the SCADA system does not authenticate the packet. It needs to check whether the packet is from an authenticated source and only then process the packet [13]. Authentication methods such as challenge-response, hashing algorithms and digital signatures can be used. The various authentication methods for communication protocols are discussed in chapters 4 and 5.

3.3.6 Implement Internal And External Intrusion Detection Systems And Establish 24-hour-a-day Incident Monitoring When an abnormal sequence of events takes place on the SCADA network, there must be some way to inform the network administrators about this activity. This can be done using intrusion detection mechanisms, where events on the network are traced and recorded 24 hours a day. When a security incident takes place, from either internal or external sources, there should be techniques and procedures in place to respond to it immediately, based on the level of damage it can cause. To complement network monitoring, enable logging on all systems and audit system logs daily to detect suspicious activity as soon as possible [11].

3.3.7 Conduct Physical Security Surveys And Assess All Remote Sites Connected To The SCADA Network Automated systems in the SCADA network are the most susceptible to attacks since they are unmanned and unguarded. An inventory of all access points, together with regular physical security checks, will help to keep a check on any new security issues. Identify and assess any source of information, including remote telephone/computer network/fiber optic cables that could be tapped, radio and microwave links that are exploitable, computer terminals that could be accessed, and wireless local area network access points. Eliminate any points of failure. Prevent unauthorized access to the websites within the enterprise intranet, since they provide access to the SCADA system [13].

3.3.8 Firewalls And Intrusion Detection System Threats to the SCADA network can come from malicious attackers via the internet, and hence it is important to monitor the traffic that flows into it. It is important that firewalls and other Intrusion Detection Systems (IDS) (figure 3-4) be installed at the various ingress points (gateways) of the SCADA network to identify malicious traffic before it is allowed to enter [14] [15]. This will filter out some of the attacks but not all. Hence a more rigorous scheme needs to be implemented to overcome the attacks that still manage to get through. Viruses and worms could swamp the systems with huge volumes of attack traffic, so having firewalls and IDS only at entry points may not suffice. This leads to the concept of the electronic perimeter.


Figure 3-4: Firewall And Intrusion Detection System Implementation Between Enterprise And SCADA Control System [15]

3.3.9 Electronic Perimeter Traffic flowing from outside sources reaches the gateway, where a firewall blocks malicious packets and allows the rest to flow through. The traffic that flows through might still contain some malicious packets which could harm the system. Beyond this gateway not much filtering takes place, and hence it is important to define a broader electronic perimeter (figure 3-5) so that filtering takes place once before data reaches the gateway [14]. This perimeter can be formed by multiple intrusion detection systems installed over a wider area. Huge volumes of traffic can be handled by an extended perimeter, as it becomes possible to stop the attacks further away from the SCADA network. This provides the advantages of an overlay network in a more distributed and collaborative fashion. It also provides a barrier that allows only legitimate traffic through.

Figure 3-5: Electronic Perimeter Implementation In SCADA System [31]

3.3.10 Domain-Specific IDS The above-mentioned methods, i.e. intrusion detection system installation and the electronic perimeter, form a baseline protection that establishes normal system behavior. In addition, a perspective on an intrusion can be developed by analyzing emerging characteristics. SCADA data can be analyzed in order to look for such patterns. To identify these patterns it is important to have basic knowledge that is domain specific and associated with the communication devices, in order to construct an IDS attack signature database. It would require intense analysis of the interconnected grid to identify the attack patterns, study them and then generate signatures. However, once this is achieved, the observed behavior needs to be correlated to detect potential intrusions and filter the attack traffic [14]. Hence an IDS with these signatures and the secure electronic perimeter can be made to work in a synchronized manner to combat the security issues posed by malware.

3.3.11 Creating Demilitarized Zones (DMZs) Demilitarized zones created using firewalls can protect the SCADA network [33]. Multiple DMZs can be created to separate functionalities and access privileges such as peer-to-peer connections, the data historian, security servers, configuration servers etc. Figure 3-6 below shows the creation of DMZs.

Figure 3-6: Demilitarized Zones Architecture [33]

All the connections can be routed through firewalls, and administrators keep a diagram of the local area network and its connections to protected subnets, DMZs, the corporate network, and the outside. Multiple demilitarized zones help defend against attacks such as virtual LAN hopping and trust exploitation, and bring in a better security posture [33].

3.3.12 Low Latency And High Integrity Security Solution Using Bump In The Wire Technology For Legacy SCADA Systems The legacy SCADA systems, deployed without security in mind, are vulnerable to sniffing and tampering today. The risk is increasing because security through obscurity is failing to protect the system. Achieving security requires a solution which can be retrofitted into the legacy SCADA system. One such solution is Yet Another SecurIty Retrofit (YASIR), which is a bump in the wire (BITW) solution for retrofitting security to time-critical communications in serial-based SCADA systems [32]. The goals are to provide high security and low latency, at comparable cost and using standard and patent-free tools.

Figure 3-7: Model For Bump In The Wire Approach [32]

In figure 3-7, the function of the device denoted S is applied to message M, which results in frame F. At the receiving end the function of the device denoted D is applied to the received frame, written F′ (the prime distinguishes the received frame from the one that was sent). The output of the SCADA device D is a message or an error: D takes a frame F′ as input and outputs an error if F′ fails to pass certain conformance checks, such as random-error detection, or else the corresponding original message M. Ideally, i.e. without the introduction of errors in the communication link, the output from SCADA device D would be D(F′) = D(F) = D(S(M)) = M. The BITW solution adds two more modules, i.e. a transmitter T and a receiver R. The output from the transmitter over the insecure link is T(F) = F~. The receiver R is modeled as a function that takes in a transformed frame F~′ (the received copy of F~) and outputs either an error or the corresponding original frame F to be given to D. If no error was introduced into F~, then R(F~′) = R(F~) = R(T(F)) = F because F~′ = F~. This provides data authenticity and discards replayed messages. The design of the transmitter and receiver in the YASIR approach is as follows. The transmitter applies the encryption algorithm AES-CTR-128 to the frame F, providing confidentiality; an HMAC over the ciphertext provides integrity. Then a timestamp and a unique sequence number are appended to the message for data authenticity and freshness. This solution also provides low latency by using the AES-CTR algorithm. The transmitter relies on the stream nature of AES-CTR: as each byte of the frame F comes in, it applies the encryption. There is an internal counter which keeps a count of every 4 bytes in frame F. Once the whole message is received, it computes the HMAC over the ciphertext and the internal counter. An iterative HMAC function is used, which reduces the storage requirements and has lower latency [32]. The steps are shown below.
1. Input frame F = s||H||P||e, where s and e are special symbols indicating the start and end of the frame, H is the header and P is the payload.
2. CTXT = ENCRYPT(ctrT, H||P), where ENCRYPT is AES-CTR-128 under the encryption key ek and ctrT is the transmitter counter.
3. MAC = HMAC(ctrT||CTXT), where CTXT is the ciphertext from step 2 and HMAC is HMAC-SHA1-96.
4. SEQ = ctrT, the sequence number.

Therefore, there is not much delay except for the time needed to decode symbols and frame boundaries. The receiver design is as follows. The received frame is decrypted and the hash is recalculated. The steps are
1. MAC′ = HMAC(ctrR||CTXT),
2. H||P = ENCRYPT(ctrR, CTXT) (in CTR mode, decryption applies the same keystream operation as encryption),
3. If MAC′ = MAC then output the frame F = s||H||P||e and increment ctrR by 1.
4. If the calculated hash value does not match, report an error.
Figure 3-8 below describes the above steps with respect to latency. Shaded boxes indicate values computed by the YASIR components. As shown in the figure, at the receiver end the frame structures are different for type I and type II protocols. Type I protocols are those which do not have header information, such as Modbus. Type II protocols are those which have header information [32].

Figure 3-8: (a) YASIR Transmitter (b) Communication Link (c) YASIR Receiver. [32]

The above solution has to be tested in a real deployment of a SCADA system, and development of a cost-effective FPGA is underway [32].
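The transmitter and receiver transforms of the YASIR design described above, written out as an added Go example; this is not the YASIR authors' implementation. The 128-bit AES key, the HMAC key, the starting counter and the Modbus-style frame contents are constructed for the example, and the timestamp is left out so that the counter alone supplies freshness. The point it demonstrates is the replay handling the text describes: the receiver checks SEQ against its own counter ctrR, recomputes MAC′ = HMAC(ctrR||CTXT) in constant time before decrypting anything, and only advances ctrR once a frame has been accepted, so a replayed F~ and a frame with a modified ciphertext byte are both discarded.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added illustration of the YASIR transmitter T and receiver R transforms, not
// the YASIR authors' code. Keys, frame and starting counter are constructed for
// the example; the timestamp is omitted and the counter alone gives freshness.
const macLen = 12 // HMAC-SHA1-96: first 96 bits (12 bytes) of the SHA-1 tag

// bump is one bump-in-the-wire device; ctr is ctrT when sending, ctrR when receiving.
type bump struct {
	block  cipher.Block
	macKey []byte
	ctr    uint64
}

// ctrIV derives a distinct AES-CTR initial counter block from the frame counter.
func ctrIV(ctr uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], ctr)
	return iv
}

// tag is HMAC-SHA1-96(ctr || CTXT) with ctr encoded as 8 big-endian bytes.
func (b *bump) tag(ctr uint64, ctxt []byte) []byte {
	m := hmac.New(sha1.New, b.macKey)
	binary.Write(m, binary.BigEndian, ctr)
	m.Write(ctxt)
	return m.Sum(nil)[:macLen]
}

// transmit is T(F): for F = s||H||P||e it emits F~ = SEQ || CTXT || MAC with
// CTXT = AES-CTR(ctrT, H||P), MAC = HMAC(ctrT || CTXT) and SEQ = ctrT.
func (b *bump) transmit(frame []byte) ([]byte, error) {
	if len(frame) < 2 || frame[0] != 's' || frame[len(frame)-1] != 'e' {
		return nil, errors.New("frame must be s||H||P||e")
	}
	body := frame[1 : len(frame)-1]
	seq := make([]byte, 8)
	binary.BigEndian.PutUint64(seq, b.ctr)
	ctxt := make([]byte, len(body))
	cipher.NewCTR(b.block, ctrIV(b.ctr)).XORKeyStream(ctxt, body)
	out := append(append(seq, ctxt...), b.tag(b.ctr, ctxt)...)
	b.ctr++
	return out, nil
}

// receive is R(F~'): SEQ must equal ctrR and MAC' = HMAC(ctrR || CTXT) must match
// before decryption; only an accepted frame advances ctrR, so replays are rejected.
func (b *bump) receive(wire []byte) ([]byte, error) {
	if len(wire) < 8+macLen {
		return nil, errors.New("frame too short")
	}
	seq, ctxt, mac := wire[:8], wire[8:len(wire)-macLen], wire[len(wire)-macLen:]
	if got := binary.BigEndian.Uint64(seq); got != b.ctr {
		return nil, fmt.Errorf("SEQ %d != ctrR %d: replayed or out-of-order frame", got, b.ctr)
	}
	if !hmac.Equal(b.tag(b.ctr, ctxt), mac) { // constant-time compare
		return nil, errors.New("MAC mismatch: frame modified in transit")
	}
	plain := make([]byte, len(ctxt))
	cipher.NewCTR(b.block, ctrIV(b.ctr)).XORKeyStream(plain, ctxt) // CTR: decrypt = same keystream
	b.ctr++
	return append(append([]byte{'s'}, plain...), 'e'), nil
}

// roundTrip sends one frame, then shows a replay of the same F~ and a copy with
// one ciphertext bit flipped both being rejected by the receiver.
func roundTrip() (delivered []byte, replayErr, tamperErr error) {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed AES-128 key
	macKey := []byte("constructed-mac-key")                 // constructed HMAC key
	tx, rx := &bump{block: block, macKey: macKey}, &bump{block: block, macKey: macKey}
	frame := []byte("s\x01\x03\x00\x00\x00\x0ae") // constructed Modbus-style read request
	wire, _ := tx.transmit(frame)
	delivered, err := rx.receive(wire)
	if err != nil {
		return nil, err, err
	}
	_, replayErr = rx.receive(wire) // same F~ again: ctrR has already advanced
	wire2, _ := tx.transmit(frame)
	wire2[8] ^= 0x01 // flip one ciphertext bit in transit
	_, tamperErr = rx.receive(wire2)
	return delivered, replayErr, tamperErr
}

func main() {
	d, r, t := roundTrip()
	fmt.Printf("delivered %q\nreplay: %v\ntamper: %v\n", d, r, t)
}
```

The sequence number is sent in the clear, as in the design above, but it is bound into the MAC, so an attacker cannot adjust it to make a stale frame acceptable; the receiver never decrypts before the MAC has been verified, and a rejected frame leaves ctrR untouched so that a legitimate retransmission is still accepted.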


Chapter 4 DISTRIBUTED NETWORK PROTOCOL 3 VULNERABILITIES AND COUNTERMEASURES

4.1 Introduction To SCADA Communication Network In this chapter we concentrate on how vulnerabilities are introduced into the SCADA architecture from the communication perspective. The MTU and RTU use communication media ranging from wired to wireless. The protocols used for these communications are discussed in this chapter. The protocol structures, the vulnerabilities present in each protocol and the countermeasures for each are discussed in chapters 4 and 5. Development of the SCADA architecture dates back to the 1900s, when telemetry was introduced. Telemetry involves the transmission and collection of data obtained by real-time sensing applications. As discussed in the introduction chapter, the basic architecture of SCADA consists of bringing the data collected at the remote stations to the central processing station. The master computers (MTUs) present information such as meter readings and equipment status to human operators in a presentable form and allow the human operators to control the field equipment, or control the devices automatically. The MTU initiates almost all communication with remote sites [16]. The master terminal units originally consisted of mainframe computers which presented the data to the human operator, who had to make the decisions on the next steps to carry out. The older SCADA networks were built to provide reliability and operability. Hence the MTU would send commands over a 1200 baud communication line, and the function of the RTU was only to execute the command, sense the new data and send it back to the MTU. The RTU units had no local intelligence and hence just served the master [16]. With the advent of new communication technologies and media, the slower communication channels in the older networks started to be replaced with the new technologies. Getting rid of the slower communication lines and making the RTU more intelligent increased the SCADA network's overall processing power. The RTU was made more intelligent with the introduction of the IED (intelligent electronic device). IEDs are capable of autonomously executing simple logic processes without involving the master computer. Hence the RTU devices provide a number of functionalities locally, e.g. system protection (say, from power surges), local operation capabilities, and data gathering/concentration from other subsystems. Figure 4-1 gives an insight into the modern SCADA architecture [16].

Figure 4-1: Modern SCADA Communication Architecture [16]

The misconception of SCADA network managers that the SCADA system cannot be accessed via the corporate network was proved wrong with the introduction of the modern SCADA architecture. Figure 4-1 also shows that the field data (obtained using RTUs and IEDs) is transmitted over a wide range of communication lines and can even be accessed by SCADA users via a web browser. Communication between the various units in the architecture uses Ethernet or internet technology. Hence they introduced the vulnerabilities which were inherent in desktop computers on corporate networks [16].

4.2 Some General Vulnerabilities In SCADA Network The SCADA network infrastructure has been ever growing, with modifications being introduced very often to satisfy business and operational requirements. During this time very little importance was given to the security gaps introduced into the network. If these gaps are not filled, they could expose the SCADA architecture to a number of attacks. It is important to have a network architecture design which differentiates between, or segments, the corporate, internet and SCADA networks. It should not be so weak that an attack on the internet part of the architecture would affect, and hence compromise, the SCADA network [16]. Some common architectural weaknesses are introduced when

1. The configuration of the web and email servers is not done correctly and hence unnecessarily provides internal corporate access.
2. Firewall protection, intrusion detection systems and virtual private networks are not used when connecting to the network of the corporate partners.
3. Dial-up modem access is authorized unnecessarily, and maintenance dial-ups often fail to implement corporate dial access policies.


When the SCADA system fails, there should be backup devices which can be used to restore the functions of SCADA. By bringing the system back into operation, system availability is not hampered and loss of data is prevented. There should be documentation of all these procedures, so that it is easier to use the backup systems in case of failure of the primary systems in emergency situations [16].

There are a number of insecure connections in the SCADA network, e.g. ports used for maintenance of the SCADA system, examination of the SCADA system, obtaining remote access to the system etc. Since these links are unprotected, with no authentication or encryption, they are highly susceptible to attacks, which result in compromise of the integrity of the data transmitted [16].

4.3 SCADA Communication Protocols SCADA systems are built using public or proprietary communication protocols which are used for communicating between an MTU and one or more RTUs. The SCADA protocols provide transmission specifications to interconnect substation computers, RTUs, IEDs, and the master station. The two most common protocols used are:
DNP3 (Distributed Network Protocol version 3.0)
Modbus

4.4 DNP3 Protocol

4.4.1 Introduction To DNP3 Protocol DNP3 or Distributed Network Protocol Version 3.0 is a telecommunications standard that defines communications between master stations, remote telemetry units (RTUs) and other intelligent electronic devices (IEDs). It was developed to achieve interoperability among systems in the electric utility industry [17]. DNP3 was created as a proprietary protocol by Harris Controls Division, initially for use in the electrical utility industry. In November 1993 the protocol was made available for use by third parties by transferring its ownership to the DNP3 User Group. DNP3 was designed specifically for SCADA (supervisory control and data acquisition) applications. These involve the acquisition of information and the sending of control commands between physically separate computer devices. It is designed to transmit relatively small packets of data in a reliable manner [17]. A key feature of the DNP3 protocol is that it is an open protocol standard, and one that has been adopted by a significant number of equipment manufacturers. The benefit of an open standard is that it provides for interoperability between equipment from different manufacturers. This means, for example, that a user can purchase system equipment such as a master station from one manufacturer and be able to add RTU equipment sourced from another manufacturer. The RTU in turn may have a number of control relays connected to it which are intelligent electronic devices and also use the DNP3 protocol. All of this equipment may be sourced from different manufacturers, either in an initial installation or progressively as the system is developed over time [17]. The following list presents features of DNP3 that provide benefits to the user [17]:
Open standard
Interoperability between multi-vendor devices
A protocol that is supported by a large and increasing number of equipment manufacturers
Layered architecture conforming to the IEC enhanced performance architecture model
Optimized for reliable and efficient SCADA communications
Supported by comprehensive implementation testing standards
The ability to select from multiple vendors for future system expansion and modification

4.4.2 DNP3 Communication Modes DNP3 supports three simple communication modes between a control center (master unit) and outstation devices [18].
1. Unicast transaction: the master sends a request to an addressed outstation device, and the outstation device responds with a reply message. For example, the master sends a read message or a write message to perform a control operation. For reads, the remote station replies either with the new read value or with a negative acknowledgement; for writes, it replies with either an acknowledgement or a negative acknowledgement [18].
2. Broadcast transaction: the master sends out a common message to all the remote stations and does not expect a reply to this message. An example of this kind of message is a write message which sets a certain limit in all the outstation devices [18].
3. Unsolicited responses from the outstation devices are obtained on a periodic basis. These basically give the status information of the outstation device. They can also be used for alarming, i.e. when a certain limit is exceeded [18].

4.4.3 DNP3 Network Configurations The DNP3 protocol supports a number of network configurations. Figure 4-2 below shows the most common configurations, described as follows [18].
1. One-on-one configuration: one master and one outstation share a single line connection. This is like a dedicated line between the two devices, e.g. a dial-up telephone line [18].
2. Multi-drop configuration: this is the most popular configuration, where one master connects to multiple outstations. Every outstation receives every request from the master, but each outstation only responds to messages addressed to it [18].
3. Hierarchical configuration: a device acts as an outstation in one segment and as a master in another segment, and hence is a dual-purpose device. It is also called a sub-master [18].

Figure 4-2: DNP3 Network Configurations [18]

DNP3, which was based on the OSI model, overcame these problems. DNP3 is designed to incorporate multiple protocol layers. A three-layer Enhanced Performance Architecture (EPA) was created by eliminating superfluous layers (from the point of view of SCADA systems) from the seven-layer OSI model [17] [18]. But there was a drawback to this design: the application layer did not allow messages larger than the data link frame, and hence a new layer called the pseudo transport layer was introduced which overcame this issue.

Figure 4-3: Design Progression From OSI To DNP3 [18]

The DNP3 protocol layers are stacked on top of a physical layer, which is responsible for transmitting messages over physical media such as radio, satellite, copper and fiber. The physical layer specification determines the electrical settings, voltage and timing, along with other properties necessary to send signals between devices. The physical layer provides five services: (i) send data, (ii) receive data, (iii) connect, (iv) disconnect, and (v) status update. Note that the physical layer is shaded in the figure because it is not specified in the DNP3 standard [18]. DNP3 in the older SCADA networks was transmitted over serial links, but the more modern SCADA networks use IP. The three layers of the DNP3 protocol are placed over the TCP/IP layers in the protocol stack [18].

4.4.4 DNP3 Data Link Layer The functionality of the data link layer is to maintain a reliable logical link between devices in order to transfer frames in an ordered fashion [18]. A data link packet consists of two parts: a 10-byte fixed header and a data payload section. The data payload is passed down by the two layers above, i.e. the pseudo transport layer and the application layer. The length field gives the number of bytes in the rest of the frame other than the CRCs. The maximum length of the data section without CRCs is 250 bytes (282 bytes including the 16-bit CRC fields for every 16 bytes of data). Thus, the maximum length of a data link frame is 292 bytes [18]. The data link layer frame format is as described in figure 4-4 below.

Figure 4-4: DNP3 Protocol Data Link Layer Frame Structure [18]

The header section begins with the start bytes, a fixed sequence indicating the start of the frame. The receiver watches for this pattern and then starts processing the new packet. It consists of the two-byte value 0x0564. Next comes the length field, which gives the number of bytes in the rest of the frame other than the CRCs. The functions of the link control field are to provide sequencing of frames, control message flow and help determine the function of the frame. The data in the link control field indicates whether the device is a master or an outstation and who initiated the transaction, and provides the logical link between the two devices. It also contains a 4-bit function code which specifies the purpose of the message. Different sets of function codes are used for messages originating from the master and messages originating from the outstation device. Examples of master function codes are reset remote link, reset user process, request link status and test function. Outstation device function codes include positive acknowledgement, message not accepted, status of link and no link service. The link control field also contains two flags for communication synchronization and flow control. The 16-bit destination address in the data link header specifies the intended recipient (which may be the broadcast address 0xFFFF); the 16-bit source address identifies the originator. A 16-bit CRC is also included in the header to verify the integrity of the transmission [18].

4.4.5 DNP3 Protocol Layer Pseudo Transport Layer The functions of the pseudo transport layer are fragmentation and reassembly. This allows the application layer to pass fragments larger than the data link layer can handle; the pseudo transport layer breaks the application layer fragments down into multiple frames. In the pseudo transport layer frame structure (figure 4-5) there are two fields indicating frame start and end, each one byte long, called the FIR and FIN flags. It also adds another byte which is the sequence number of the frame. The FIR and FIN flags indicate the first and final frames of a fragmented message, respectively. The sequence number, which is incremented for each successive frame, is used to reassemble messages for processing by the application layer. The sequencing information also facilitates the detection of dropped frames [18].
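To make the data link frame layout of section 4.4.4 concrete, the following added Go example (not DNP Users Group or vendor code) builds and parses a frame with the 0x0564 start bytes, LENGTH, CONTROL, DEST and SRC fields, the CRC-16/DNP over the eight header bytes and a further CRC after each 16-byte block of user data. The addresses, control byte and payloads used with it are constructed. On the receiving side it applies the checks a robust link layer needs: the header CRC, a LENGTH that agrees with the bytes actually received, and every block CRC. A LENGTH byte altered in transit (the data link attack discussed in section 4.5) therefore fails the header CRC rather than derailing frame processing.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example of the DNP3 data link frame layout described above, with the
// CRC-16/DNP checks a receiver must apply; not DNP Users Group or vendor code.
// Addresses, control bytes and payloads used with it are constructed.

// crcDNP is CRC-16/DNP: polynomial 0x3D65, bit-reflected, final complement.
func crcDNP(data []byte) uint16 {
	var crc uint16
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 {
				crc = (crc >> 1) ^ 0xA6BC // 0x3D65 with its bits reversed
			} else {
				crc >>= 1
			}
		}
	}
	return ^crc
}

// appendCRC appends chunk's CRC least significant byte first, as on the wire.
func appendCRC(dst, chunk []byte) []byte {
	c := crcDNP(chunk)
	return append(dst, byte(c), byte(c>>8))
}

func le16(b []byte) uint16 { return uint16(b[0]) | uint16(b[1])<<8 }

func minInt(a, b int) int { if a < b { return a }; return b }

// Frame is the link header (control, 16-bit destination and source) plus user data.
type Frame struct {
	Control  byte
	Dest     uint16
	Src      uint16
	UserData []byte
}

func (f Frame) Function() byte  { return f.Control & 0x0F } // 4-bit link function code
func (f Frame) Broadcast() bool { return f.Dest == 0xFFFF }

// Build emits 0x05 0x64, LENGTH, CONTROL, DEST, SRC, header CRC, then the user
// data in 16-byte blocks each followed by its own CRC (at most 250 data bytes).
func Build(f Frame) ([]byte, error) {
	if len(f.UserData) > 250 {
		return nil, errors.New("user data exceeds 250 bytes")
	}
	hdr := []byte{0x05, 0x64, byte(5 + len(f.UserData)), f.Control,
		byte(f.Dest), byte(f.Dest >> 8), byte(f.Src), byte(f.Src >> 8)}
	out := appendCRC(append([]byte(nil), hdr...), hdr)
	for i := 0; i < len(f.UserData); i += 16 {
		blk := f.UserData[i:minInt(i+16, len(f.UserData))]
		out = appendCRC(append(out, blk...), blk)
	}
	return out, nil
}

// Parse checks the start bytes, the header CRC, LENGTH against the real frame
// size and every block CRC before handing data up: a LENGTH byte altered in
// transit fails the header CRC, and a size that disagrees with LENGTH is
// rejected instead of confusing the link state machine.
func Parse(raw []byte) (Frame, error) {
	var f Frame
	if len(raw) < 10 || raw[0] != 0x05 || raw[1] != 0x64 || raw[2] < 5 {
		return f, errors.New("missing 0x0564 start, short header or LENGTH below 5")
	}
	if crcDNP(raw[:8]) != le16(raw[8:10]) {
		return f, errors.New("header CRC mismatch")
	}
	n := int(raw[2]) - 5 // LENGTH counts CONTROL, DEST, SRC and user data, not CRCs
	if want := 10 + n + 2*((n+15)/16); len(raw) != want {
		return f, fmt.Errorf("frame is %d bytes but LENGTH implies %d", len(raw), want)
	}
	f.Control, f.Dest, f.Src = raw[3], le16(raw[4:6]), le16(raw[6:8])
	for pos, left := 10, n; left > 0; {
		k := minInt(left, 16)
		if crcDNP(raw[pos:pos+k]) != le16(raw[pos+k:pos+k+2]) {
			return f, fmt.Errorf("block CRC mismatch at offset %d", pos)
		}
		f.UserData = append(f.UserData, raw[pos:pos+k]...)
		pos, left = pos+k+2, left-k
	}
	return f, nil
}

func main() {
	raw, _ := Build(Frame{Control: 0xC4, Dest: 1, Src: 1024, UserData: []byte("constructed")})
	f, err := Parse(raw)
	fmt.Printf("% x\n-> %+v %v\n", raw, f, err)
}
```

The CRC only detects accidental corruption; anyone who can modify a frame can recompute it, which is why the page turns to authenticated transforms such as YASIR for integrity against an active attacker. Parse is deliberately strict about LENGTH versus the byte count received, because a permissive parser that trusts LENGTH is what makes the length-field manipulation in section 4.5 effective.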

Figure 4-5: DNP3 Pseudo-Transport Message Fields [18]

4.4.6 DNP3 Protocol Layer Application Layer The main function of the application layer is that for each device it gives an identity as either master or slave. It gives the formats for the DNP3 request and reply messages. When a request message is sent from the master to the outstation device to carry out a particular task, such as collecting some measurements, setting limits for a few devices or synchronizing with the internal clock, the outstation device carries out that command and sends back a reply. The layer also breaks the message down into smaller packets when it exceeds the maximum fragment size, which is determined by the size of the receiver's buffer. Typical fragment sizes range from 2048 bytes to 4096 bytes [18]. Figure 4-6 shows the format of the application layer header. The application control field has the same function as that in the pseudo transport layer: it indicates the first or last segment of a message and carries a sequence number for ordering and reassembly. It has the same functions because these packets are broken into smaller packets in the pseudo transport layer. There is another field which asks for a confirmation of receipt for a particular request. The function code field gives the purpose of the message. This is present in both request messages and reply messages, but the function codes used are different since the functionalities are different. There are a total of 23 defined function codes for request messages. They can be classified into the following categories: transfer functions, control functions, freeze functions, application control functions, configuration functions and time synchronization functions. The categories for reply messages are confirmation, response and unsolicited response. There are two bytes of internal indications whose function is to signal timing synchronization, device restart, function code not implemented or requested objects unknown. Following the header in a DNP3 application layer message are data objects that convey encoded representations of data. A number of data objects are defined so that they can interface with various types of systems and communicate different types of variables such as binary input, binary output, analog input and analog output [18].
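The fragmentation and reassembly of section 4.4.5, applied to an application fragment of the size range given in section 4.4.6, as an added Go example that is not DNP Users Group or vendor code. It models the transport header as a single byte carrying FIN in bit 7, FIR in bit 6 and a 6-bit sequence number, which is the packing used by the DNP3 specification, so each data link frame carries at most 249 bytes of application data. The 2048-byte fragment and its contents are constructed. The reassembler shows the dropped-frame detection the text mentions: a segment whose sequence number is not the one expected discards the partial message instead of silently delivering a shorter fragment.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example of DNP3 pseudo-transport fragmentation and reassembly, covering
// the transport layer of 4.4.5 and the application fragments of 4.4.6; not DNP
// Users Group or vendor code. The one-byte transport header packs FIN (bit 7),
// FIR (bit 6) and a 6-bit sequence number, so each link frame carries at most
// 249 bytes of application data. The fragment sizes used with it are constructed.

const maxSegment = 249 // 250 link user data bytes minus the transport header

// Fragment splits one application fragment into transport segments, each sized
// to ride as the user data of one data link frame. seq numbers the first
// segment and wraps modulo 64; FIR marks the first segment, FIN the last.
func Fragment(app []byte, seq byte) [][]byte {
	var segs [][]byte
	for i := 0; i < len(app) || len(segs) == 0; i += maxSegment {
		end := i + maxSegment
		if end > len(app) {
			end = len(app)
		}
		hdr := seq & 0x3F
		if i == 0 {
			hdr |= 0x40 // FIR
		}
		if end == len(app) {
			hdr |= 0x80 // FIN
		}
		segs = append(segs, append([]byte{hdr}, app[i:end]...))
		seq++
	}
	return segs
}

// Reassembler rebuilds an application fragment from successive segments. A
// segment whose sequence number is not the one expected, or that arrives
// without a preceding FIR, discards the partial message: that gap is how a
// dropped frame is detected rather than silently producing a shorter fragment.
type Reassembler struct {
	buf    []byte
	next   byte
	active bool
}

// Push takes one frame's user data and returns the complete fragment on FIN.
func (r *Reassembler) Push(seg []byte) ([]byte, error) {
	if len(seg) == 0 {
		return nil, errors.New("empty transport segment")
	}
	fir, fin, seq := seg[0]&0x40 != 0, seg[0]&0x80 != 0, seg[0]&0x3F
	if fir {
		r.buf, r.active = r.buf[:0], true
	} else if !r.active || seq != r.next {
		r.buf, r.active = r.buf[:0], false
		return nil, fmt.Errorf("segment seq %d out of order (wanted %d): message dropped", seq, r.next)
	}
	r.buf, r.next = append(r.buf, seg[1:]...), (seq+1)&0x3F
	if !fin {
		return nil, nil
	}
	out := make([]byte, len(r.buf)) // non-nil even for an empty fragment
	copy(out, r.buf)
	r.buf, r.active = r.buf[:0], false
	return out, nil
}

// ReassembleAll feeds segments in arrival order and returns the rebuilt
// fragment, or the error from the first gap.
func ReassembleAll(segs [][]byte) ([]byte, error) {
	var r Reassembler
	for _, s := range segs {
		if out, err := r.Push(s); err != nil || out != nil {
			return out, err
		}
	}
	return nil, errors.New("message incomplete: FIN never seen")
}

func main() {
	app := make([]byte, 2048) // constructed application fragment of a typical size
	segs := Fragment(app, 0)
	out, err := ReassembleAll(segs)
	fmt.Printf("%d segments, reassembled %d bytes, err=%v\n", len(segs), len(out), err)
}
```

A 2048-byte fragment becomes nine link frames (eight full ones and one carrying the remaining 56 bytes). Because the sequence number is only six bits and simply increments, it provides ordering and loss detection but no protection against an injected segment that guesses the next value, which is the limitation the pseudo transport attacks in section 4.5 exploit.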


Figure 4-6:DNP3 Application Message [18]

4.5 DNP3 Protocol Vulnerabilities And Attacks An attack on DNP3 takes place by exploiting the specification, vendor implementations or weaknesses in the infrastructure using DNP3. Vendor implementations are exploited by attacking configuration errors in the system. Infrastructure attacks, which exploit the loopholes in the policies and platform, are discussed in chapter two. Attacks on the protocol specification are more relevant to the communication architecture and DNP3 structure and are discussed here. DNP3 was not designed with security in mind; rather, the focus was on providing reliable communication between the two end points. We will do a detailed analysis of the protocol, including where the vulnerabilities are present and how they can be attacked. Attacks can take place on three targets, i.e. the master, the remote stations and the communication path, and are carried out by intercepting, interrupting, modifying or fabricating [18]. Figure 4-7 illustrates the various threat categories.


Figure 4-7: Threat Categories For DNP3 [18]

DNP3 messages do not implement any kind of protection measures such as authorization, authentication or encryption, and hence are very vulnerable. Exploiting this loophole can mask the remote station operations completely and also run malicious operations on them. Attacks that exploit these vulnerabilities and affect all three protocol layers are as follows.
1. The attacker captures the messages, analyzes the network topology and device functionality, and obtains the memory addresses from the packets. Hence this kind of threat falls into the interception of data category. It can intercept the master, remote station and network topology data [18].
2. The attacker studies the DNP3 traffic patterns and sends illicit responses to the master. He can also at the same time fabricate his own messages and send them to the remote station. Threats of this kind fall into a number of categories, i.e. fabrication, modification and interruption [18].

3. Another attack is the man-in-the-middle attack, where a device is placed between the two end stations and reads and modifies the messages. This attack falls into all the threat categories of interruption, interception, modification and fabrication [18].
These attacks are common to all protocol layers and are hence generic. There are also attacks specific to each protocol layer, based on exploiting its structure. Attacks on confidentiality obtain configuration data and network topology information. Integrity attacks insert erroneous data or reconfigure outstations. Attacks on availability cause outstation devices to lose key functionality or disrupt communications with the master [18]. Data link layer specific attacks are as follows.
4. The data link layer frame structure has a length field; this length field can be modified, which disturbs the message processing at the remote station and confuses the whole flow. The threat categories into which this falls are interruption and modification [18].
5. The data link frame has a flag which indicates that the outstation device is busy and that the request must be sent at a later point in time. This flag can be modified so that it indicates that the outstation device is free, after which the master station bombards the remote station with multiple requests, causing denial of service. If it is set as busy, then the master assumes that the remote station is busy and will not send any message, which leaves the remote station idle. This is also a type of denial of service [18].
6. Function code 01 can be used to reset the user process. This restarts the remote station and makes it unavailable for a period of time. After the restart it might also be restored to an inconsistent state. This attack mainly falls into the threat categories of interruption and modification [18].
7. Function code 14 or 15 can be used by the attacker to make the master believe that the service is either unavailable or not implemented in the system. Hence no requests are sent out to this target device, which results in unavailability of the system [18].
8. The destination address of the packet can be altered so that the packet is either redirected or lost. If the packet reaches another system it will be an erroneous request and give wrong results. If the address is changed to the broadcast address then it will reach all the systems and hence cause a complete failure of the system, which can be catastrophic. The threat categories of this kind of attack are modification, fabrication and interruption [18].
Pseudo transport layer specific attacks are as follows.
9. The attacks that target this layer work only by modifying the flag fields and the sequence number. Modifying the flag fields basically interrupts the fragmented message. The FIR flag indicates the start of the sequence of fragmented messages, so if a packet is fabricated with another FIR flag and introduced into the flow, it will disturb the whole sequence and cause these packets to be dropped. If a message with the FIN flag is fabricated and introduced, that will be taken as the end of the message and will terminate the process, resulting in an incomplete message [18].
10. The transport of packets follows a sequence, and this is tracked with the sequence number. If a packet is obtained, the sequence number can be read. Since the sequence number is a simple increment, a message can be fabricated with the next sequence number and injected into the flow. This message might cause processing errors at the master or outstation. The threat categories into which this vulnerability falls are interruption, modification and fabrication [18].
Application layer specific attacks are as follows.
11. Function code 02, which writes data into the target outstation device, is fabricated and sent. This will write data and corrupt the system. It could cause the complete downfall of the memory of the remote station, since it then contains erroneous data. The threat categories are interruption and modification [18].
12. A message with function code 9 or 10 is sent which clears all the data in the remote station. This can cause loss of critical data, malfunction or crashing of the system. The message with function code 10 is hard to detect because it does not require an acknowledgement [18].
13. A data packet with function code 15 can be sent which reinitializes all the data in the remote station memory and hence brings the system to an inconsistent state. This would result in a dysfunctional system and hence cause problems. The threat categories into which this attack falls are interruption and modification [18].
14. A data packet could be sent with function code 18 which terminates the functions on the remote station. This makes the system unresponsive and hence causes denial of service [18].
15. There is a two-byte field in the application layer packet called the internal indications. When the fifth bit in the second byte of the IIN is set, it indicates that the configuration file of the targeted outstation is corrupted. This will cause the master to make a new configuration file and then send it again to the remote station. This

55 configuration file can be intercepted and modified. The corrupted file can be uploaded into the target which will make it function incorrectly [18]. The above 15 attacks have very severe impacts on the system. The attacks result in denial of service, insertion of erroneous data affects integrity of the system. Most alarming attacks are those which spoof the master and seize partial or complete control of the master station and hence can cause a complete havoc. Confidentiality of the data is lost when device configuration is obtained by the attacker. The attacker could also trip a circuit breaker in the remote station without its awareness in master station and could cause serious problems if the alarm doesnt go on [18]. 4.6 Countermeasures For Enhancing DNP3 Security In order to combat the above attacks there must be solutions developed which make it more usable and hence provides reliability of data transmitted as well as protected data. In this section we discuss the various solutions that have been proposed [16] [19] [20] and how they overcome the vulnerabilities in the system. The Security approaches are divided into three categories: 1) Solutions that wrap the DNP3 protocols without making changes to the protocols, 2) Solutions that alter the DNP3 protocols fundamentally, and 3) Enhancements to the DNP3 application. The solutions that wrap the protocols include SSL/TLS and IPSec, which would provide a quick and low-cost security enhancement. The solutions that would require altering the DNP3 protocols tend to be more time-consuming to implement and expensive but provide better end-to-end security, (more application specific security). 4.6.1 Solutions That Wrap The DNP3 Protocols Without Making Changes To The Protocols

4.6.1.1 SSL/TLS Solution

Secure Sockets Layer (SSL) / Transport Layer Security (TLS) has been used on the internet to provide secure communication over TCP/IP. It provides mutual authentication of the two end points using certificates and digital signatures, preserves the integrity of the data with message authentication codes, and provides privacy via encryption. It prevents man-in-the-middle and replay attacks. Wrapping DNP3 in SSL/TLS has advantages: it provides complete security at the level of the wrapped protocol, it is a fast, effective and straightforward implementation, and it is an accepted security standard for communication protocols. It also has limitations: it runs only over a reliable TCP transport, it adds a performance cost, it cannot provide non-repudiation, it provides channel security only, it relies completely on the encryption and signature algorithms, and it does not provide end-to-end security, because a number of protocol layers sit between the SSL/TLS layer and the DNP3 application. These limitations leave room for attacks based on traffic analysis, and TLS cannot prevent connection resets, since the reset happens at a lower protocol layer [19].

The implementation can be done using OpenSSL. OpenSSL is non-proprietary, open to the public and available free of charge. Because it is used by a heterogeneous set of customers, fixes for vulnerabilities found there can easily be carried over to the SCADA architecture as well. The cited drawback is that, as there is no accountability for contributions, malicious code could be introduced into it [19]. Figure 4-8 shows where this solution sits in the protocol stack [19].

Figure 4-8: Protocol Stack (Gray-background protocols are secured alternatives) [19]


4.6.1.2 IPSec (Secure IP) Solution

Instead of providing security at the TCP level, security can be provided at the IP level using IPSec [19]. Since this is placed lower in the stack, it protects not only the IP traffic but the TCP traffic carried over it as well (see Figure 4-8). The SSL/TLS solution could not protect against denial of service or connection reset attacks because it sits above TCP, whereas IPSec rejects arbitrary packets and prevents connection resets, since the TCP connection is established inside the secured network layer. IPSec secures all the traffic because it is placed at the network layer. Its limitations are that it is more sensitive to interference by intermediate devices in the communication path and that it is less flexible in the security it provides: it does not provide application-specific security but simply encrypts every packet regardless of its application [19].

4.6.2 Enhancements To DNP3 Applications

The SSL/TLS and IPSec solutions do not provide end-to-end security. Cryptographic techniques can be used within the application to provide this level of security. The DNP3 user group researched two such techniques and tested them on a prototype, presented here [16].

1. Authentication octets: This is a digital signature based scheme. Additional bytes called authentication octets are appended to the packets flowing from the master to the remote station in order to authenticate the source. Figure 4-9 gives a schematic of the scheme. The authentication octets contain a hash digest of the message encrypted (signed) with the master's private key; since the whole message is not encrypted, processing power is saved. The public and private keys are assumed to be distributed in advance and stored locally, so no certificate authority is needed. The message is also time stamped to prevent replay attacks: the RTU verifies that the time of reception does not differ from the time of transmission by more than a specified range. The RTU decrypts the authentication octets with the master's public key and compares the result with a hash digest it computes separately. A match shows that the data was not modified in transit, and the successful decryption shows that the message came from an authentic source. This scheme does not protect against eavesdropping, but in a SCADA network better authentication takes priority over protection from eavesdropping [16].

Figure 4-9: Authentication Using Authentication Octets [16]

2. Authentication via challenge-response: To defeat man-in-the-middle attacks, master and remote station use challenge-response cryptography. Both devices hold a shared key. The device that starts the communication issues a challenge to authenticate the other device. The challenge is a random number generated at the MTU and sent to the RTU. The RTU encrypts this random number with the shared key and sends the result to the MTU. The MTU decrypts it with the shared key and checks whether the result equals the random number it originally generated. If it matches, the RTU has authenticated itself to the MTU; otherwise the MTU terminates the connection. To re-verify authenticity after the connection is established, e.g. when a critical shutdown command is received or when values are out of the typical range, the RTU can in turn send a challenge to the MTU [16].

The above two solutions were implemented and tested [16] on a testbed at the University of Louisville consisting of one master and five remote stations. Four of the remote stations were connected to the master through Ethernet while the fifth was connected wirelessly. Snort intrusion detection sensors analyzed the communication to extract relevant information and alert the administrator of unauthorized intrusions. The results are shown in Table 4-1. Although authentication octets and challenge-response take comparatively more time, they also provide enhanced security.

Security approach                                   Total communication time (ms)
No security                                         325
With SSL/TLS                                        373
With authentication octets (software encryption)    2146
With authentication octets (hardware encryption)    764
Challenge-response                                  446

Table 4-1: Comparison Of Security Approaches

4.6.3 Secure DNP3

The DNP user group started working on Secure DNP3 in 2002. Secure DNP3 adds authentication and integrity protection to the existing DNP3 protocol [21] [22]. It modifies the application layer only and is bidirectional, so it can be used over any communication medium, e.g. TCP/IP or serial links. The protocol defines the following scenarios in which authentication is performed.

1. Session initialization: When a session is started both end stations are authenticated, to prevent spoofing and replay attacks. A unique session key is generated and exchanged under the pre-shared keys [21].

2. Periodic authentication: The master and remote stations periodically verify each other's identity, at a minimum interval of 20 minutes and a maximum of 60 minutes. A new unique session key is generated and exchanged during each periodic update [21].

3. Requests with critical function codes: Because attackers generally use the critical function codes to bring down the system, authentication is required before a critical function is executed [21].

There are two modes of authentication [22]: challenge-response mode and aggressive mode.

Challenge-response mode: This is the same challenge-response authentication discussed in section 4.6.2. Figure 4-10 below gives a schematic of the method. It shows the action taken by the remote station when a message with a critical function code arrives: before processing the request it poses a challenge to the MTU, and once the MTU has authenticated itself it processes the request [22].

Figure 4-10: Message Sequence In Challenge-Response Mode [22]

Aggressive mode: The above method needs several round trips to authenticate and is therefore time consuming. In aggressive mode the random number (challenge data) and the authentication value are attached to the message carrying the critical function code and sent together to the destination. The destination performs the same verification as above, saving the extra round trip. There is a risk of replay attacks, but it can be eliminated if external replay protection is provided [22]. The schematic of this mode is shown in Figure 4-11 below.

Figure 4-11: Message Flow In Aggressive Mode [22]
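The following is an added example, not code from [16], [22] or the DNP3 specification, that models both the challenge-response authentication of section 4.6.2 and the challenge-response and aggressive modes of section 4.6.3 between an MTU and an RTU. The shared key and the set of critical function codes are constructed for the example; the "encryption of the random number with the shared key" is realized as an HMAC-SHA-256 over the challenge sequence number, the random number and the request; and a strictly increasing challenge sequence number supplies the external replay protection that aggressive mode needs.

```python
"""Challenge-response and aggressive-mode authentication between a DNP3
master (MTU) and outstation (RTU), modelled on sections 4.6.2 and 4.6.3."""
import hashlib
import hmac
import os
import struct

# Constructed shared key for the example (a real deployment provisions it out of band).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Application-layer function codes the outstation treats as critical
# (assumed set for this example; Secure DNP3 lets the implementation choose).
CRITICAL_FUNCTION_CODES = {2, 5, 9, 10, 13, 15, 18}


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over the concatenated parts. The page's prototype 'encrypts the
    random number with the shared key'; a keyed MAC is the standard way to do that."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Outstation:
    def __init__(self, key: bytes):
        self.key = key
        self.csq = 0            # challenge sequence number, increases monotonically
        self.pending = None     # (csq, nonce, request) held until the master answers
        self.processed = []     # requests that were actually executed

    def receive_request(self, request: bytes):
        """Challenge-response mode: a critical request is held and a challenge returned."""
        if request[0] not in CRITICAL_FUNCTION_CODES:
            self.processed.append(request)
            return ("processed", request)
        self.csq += 1
        nonce = os.urandom(4)                       # the random number of the challenge
        self.pending = (self.csq, nonce, request)
        return ("challenge", struct.pack(">I", self.csq) + nonce)

    def receive_response(self, csq: int, tag: bytes):
        if self.pending is None or csq != self.pending[0]:
            return "rejected"                       # nothing outstanding, or stale CSQ
        _, nonce, request = self.pending
        self.pending = None
        expected = mac(self.key, struct.pack(">I", csq), nonce, request)
        if not hmac.compare_digest(expected, tag):
            return "rejected"
        self.processed.append(request)
        return ("processed", request)

    def receive_aggressive(self, csq: int, request: bytes, tag: bytes):
        """Aggressive mode: the MAC arrives with the request. The CSQ must be fresh,
        which is the external replay protection the text says aggressive mode needs."""
        if csq <= self.csq:
            return "rejected"                       # replayed or stale
        expected = mac(self.key, struct.pack(">I", csq), request)
        if not hmac.compare_digest(expected, tag):
            return "rejected"
        self.csq = csq
        self.processed.append(request)
        return ("processed", request)


class Master:
    def __init__(self, key: bytes):
        self.key = key
        self.csq = 0

    def answer_challenge(self, challenge: bytes, request: bytes):
        csq = struct.unpack(">I", challenge[:4])[0]
        self.csq = csq                              # stay in step with the outstation
        return csq, mac(self.key, challenge[:4], challenge[4:], request)

    def aggressive_request(self, request: bytes):
        self.csq += 1
        return self.csq, request, mac(self.key, struct.pack(">I", self.csq), request)


def challenge_response_exchange(master, outstation, request):
    kind, payload = outstation.receive_request(request)
    if kind == "processed":                         # non-critical: no challenge issued
        return (kind, payload)
    csq, tag = master.answer_challenge(payload, request)
    return outstation.receive_response(csq, tag)


def aggressive_exchange(master, outstation, request):
    return outstation.receive_aggressive(*master.aggressive_request(request))
```

An attacker who captures a challenge and its response gains nothing: the nonce and the sequence number change on every challenge, and in aggressive mode the outstation refuses any sequence number it has already seen.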

One of the key steps in the above two methods is the sharing of the initial session key. Secure DNP3 defines two ways to do it: manual distribution, and generating fresh session keys periodically over the life of the session. A set of new function codes is defined to support the two authentication modes [22]. These are listed below.

Function code   Type of function
32              Authentication Request
33              Authentication Reply
34              Authentication Error
131             Authentication Challenge
132             Unsolicited Authentication Challenge

Table 4-2: New Function Codes Introduced To Support The Secure DNP3 Protocol

4.6.4 Distributed Network Protocol Version 3 Security (DNPSec) Framework

This method of securing DNP3 makes some modifications to the protocol structure. The key exchange in this framework is done during installation and during connection setup between master and remote station. The framework provides verification of the origin of the frame, assurance that the frame was not modified in transit, replay protection, and protection from eavesdropping by encryption. The 32 CRC bytes of the data link layer frame (the 282-byte data section including CRCs minus the 250 bytes of plain data) are redefined in this framework [20]. Figure 4-12 below shows the new frame format for DNPSec [20].

Figure 4-12: DNPSec Protocol Structure [20]

The protocol structure has a new 4-byte header. It contains the destination address, an MH flag bit which indicates whether the frame comes from the primary host or the secondary host, an SK flag bit which indicates whether a new session key is being delivered to the destination or the frame is to be decrypted with the old session key, and 14 reserved bits [20]. The sequence number indicates the order of the messages. It increments with every frame the master sends and wraps after 2^32-1. When a new session key has to be established, the present session is terminated and a new frame with sequence number 0 and the new session key is sent. DNPSec maintains a session key lifetime to track the life span of each session key [20]. The original link header and payload are protected by encryption (excluding the CRCs). This 264-byte field contains the 8 link protocol data unit header bytes, the 250 transport protocol data unit bytes and 6 dummy padding bytes [20]. The authentication data field contains the integrity check value (ICV). It is calculated over the sequence number field, the original link header field and the payload data field, and provides the integrity service using a message authentication algorithm such as HMAC-MD5-96 or HMAC-SHA-1-96. The steps for evaluation and comparison must be given in the integrity algorithm specification [20].

Key management operations take place in three scenarios: when a session is being established, when a timeout has occurred, and when a new session key is generated and the sequence number is restarted. The master maintains a secure database of all the shared keys with four fields: destination address, session key, the time for which the key is to remain alive, and the key sequence number. The destination maintains two keys, one for the primary host and one for the secondary host [20]. The key management is shown in Figure 4-13.

Figure 4-13: DNPSec Request/Response Link Communications [20]
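The following added example, not code from [18] or [20], builds and parses DNP3 data link frames with the protocol's CRC-16 (polynomial 0x3D65) to show why the data link layer attacks of section 4.5 work: an attacker who rewrites the control byte and recomputes the CRC produces a frame the outstation accepts, because the CRC is an error check and not an authenticator. It then wraps the same frame DNPSec-style, with the 4-byte header, the 32-bit sequence number and a 96-bit HMAC integrity check value over sequence number, original link header and payload, so that the same tampering and a replay are rejected. The session key is constructed, the MH/SK bit positions in the flags word are an assumption, SHA-256 replaces the HMAC-MD5/SHA-1 named in [20] (MD5 is no longer recommended for new designs; the construction is unchanged), and payload encryption is omitted.

```python
"""DNP3 data link frames (section 4.5) and a DNPSec-style protected frame (section 4.6.4)."""
import hashlib
import hmac
import struct

START = b"\x05\x64"
SESSION_KEY = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")   # constructed session key


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (bit-reflected 0xA6BC), initial value 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_link_frame(control: int, dest: int, src: int, user_data: bytes) -> bytes:
    """05 64 LEN CTRL DEST SRC CRC, then user data in 16-byte blocks each followed by a CRC.
    LEN counts CTRL, DEST, SRC and user data; CRCs are sent low byte first."""
    header = bytes([5 + len(user_data), control]) + struct.pack("<HH", dest, src)
    frame = START + header + struct.pack("<H", crc_dnp(START + header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def parse_link_frame(frame: bytes):
    """Return (control, dest, src, user_data); raise ValueError on a CRC failure."""
    if frame[:2] != START:
        raise ValueError("bad start bytes")
    if struct.unpack("<H", frame[8:10])[0] != crc_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    length, control = frame[2], frame[3]
    dest, src = struct.unpack("<HH", frame[4:8])
    user_data, pos, remaining = b"", 10, length - 5
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc_dnp(block):
            raise ValueError("data block CRC mismatch")
        user_data += block
        pos += n + 2
        remaining -= n
    return control, dest, src, user_data


def tamper_control(frame: bytes, new_control: int) -> bytes:
    """What an attacker can do to a plain frame: change the control byte (e.g. to link
    function code 1, reset user process) and recompute the CRC so the outstation accepts it."""
    _, dest, src, user_data = parse_link_frame(frame)
    return build_link_frame(new_control, dest, src, user_data)


class DnpsecEndpoint:
    """DNPSec-style protection: 4-byte header (dest, MH/SK flags), 32-bit sequence number,
    original link header and payload, then ICV = HMAC truncated to 96 bits over the
    sequence number, original link header and payload. Payload encryption is omitted."""
    ICV_LEN = 12   # 96-bit ICV as in HMAC-SHA-1-96; SHA-256 is used in place of SHA-1/MD5

    def __init__(self, key: bytes, primary: bool = True):
        self.key, self.primary = key, primary
        self.send_seq = 0
        self.last_seen = -1

    def protect(self, link_frame: bytes, new_key: bool = False) -> bytes:
        _, dest, _, user_data = parse_link_frame(link_frame)
        flags = int(self.primary) | (int(new_key) << 1)    # MH in bit 0, SK in bit 1 (assumed)
        seq, self.send_seq = self.send_seq, (self.send_seq + 1) & 0xFFFFFFFF
        body = struct.pack("<I", seq) + link_frame[2:8] + user_data   # link header minus its CRC
        icv = hmac.new(self.key, body, hashlib.sha256).digest()[:self.ICV_LEN]
        return struct.pack("<HH", dest, flags) + body + icv

    def verify(self, message: bytes):
        """Return (original link header, payload), or None if the ICV fails or the frame is replayed."""
        body, icv = message[4:-self.ICV_LEN], message[-self.ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:self.ICV_LEN]
        if len(body) < 10 or not hmac.compare_digest(expected, icv):
            return None
        seq = struct.unpack("<I", body[:4])[0]
        if seq <= self.last_seen:
            return None                                    # replay or out-of-order frame
        self.last_seen = seq
        return body[4:10], body[10:]
```

Flipping a bit in the plain frame fails the CRC, but the attacker simply recomputes it; flipping the same bit inside the DNPSec-style frame fails the ICV, and the attacker cannot recompute that without the session key.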

4.7 Comparison Of DNP3 Countermeasures

Solution: Wrapping DNP3 frame with SSL/TLS
Advantages:
- The IEC Technical Committee has accepted SSL/TLS as part of a security standard for its communication protocols
- Freely available for all common operating systems
- Relatively mature
Disadvantages:
- Runs only on a reliable transport protocol (TCP, not UDP)
- High performance cost
- No non-repudiation services
- Cannot protect data before it is sent or after it arrives at its destination
- Implementation requires understanding of the application, the OS and its specific system calls

Solution: Wrapping DNP3 frame with IPSec
Advantages:
- Protection against DoS
- Implemented by operating systems, routers, etc.
- Transparent to applications (below the transport layer)
- No need to upgrade applications
Disadvantages:
- Certificate authorities are rather expensive and not really compatible with each other
- Very complex and hard to implement
- Higher performance cost

Solution: DNPSec
Advantages:
- End-to-end security at the application level, supporting any communication link
- The protocol is simple, eliminating the complexity of key exchange and management
- Implement it once for all communication networks
Disadvantages:
- All devices must support TCP and UDP communications on port number 20000
- Requires some modification to the DNP3 data link layer
- Theoretical approach; the concept still needs to be proven (ongoing work)

Chapter 5

MODBUS PROTOCOL VULNERABILITIES AND COUNTERMEASURES

5.1 Introduction To Modbus Protocol

The Modbus protocol was developed by Modicon for communication with its programmable logic controllers and has become the de facto industrial standard. Many vendors use this protocol when developing systems and producing equipment [23]. Figure 5-1 below shows the Modbus protocol stack compared with the 7 layers of the OSI model.

Figure 5-1: Modbus Protocol And ISO/OSI Model Comparison [23]

Modbus is an application layer messaging protocol for client/server communication between devices connected on different types of buses or networks [23]. It is currently implemented using:
- TCP/IP over Ethernet;
- asynchronous serial transmission over a variety of media (wire: EIA/TIA-232-E, EIA-422, EIA/TIA-485-A; fiber, radio, etc.);
- Modbus Plus, a high speed token passing network.

Figure 5-2: Modbus Communication Stack [23]

Some features of the Modbus protocol, such as the frame structure and exception responses, do not change, but the protocol can be used over any type of communication medium. It works on the master/slave principle: a request is sent to a particular remote station and a response is returned; if the request is a broadcast no response is returned. Data can be exchanged in two transmission modes: ASCII, which is readable and used e.g. for testing, and RTU, which is compact (binary) and faster and is used for normal operation. RTU mode is preferred because it has shorter frames and carries a cyclic redundancy check (CRC), whereas ASCII mode has longer messages and slows down the system. The protocol has two variants, Modbus serial and Modbus TCP. The serial variant works in the ASCII and RTU transmission modes, while Modbus TCP works over IP networks. The TCP variant allows a master to have multiple outstanding transactions and a remote station to execute transactions from multiple hosts in parallel [23]. The main functions of the Modbus protocol are as follows.

- Coil control commands for reading and setting a single coil or a group of coils
- Input control commands for reading the status of a group of inputs
- Register control commands for reading and setting one or more holding registers
- Diagnostic test and report functions
- Program functions
- Polling control functions
- Reset

Vulnerabilities in this protocol can be exploited to such an extent that the attacker can affect the remote station devices and even spoof the master and take over control. These vulnerabilities are discussed below [23].

5.2 Protocol Specifics

The message format of the Modbus protocol [17] is shown in Figure 5-3.

Figure 5-3: Modbus Protocol Frame Format [17]

The first field is a single-byte address. In a request frame it holds the destination (slave) address; in a response frame it holds the address of the responding slave, since the master itself has no address. The serial protocol can address at most 247 slaves (addresses 1 to 247; 0 is the broadcast address), although in practice a master often serves only a handful of slaves [17]. The second byte is the function code that identifies the function the target is to perform. If the request was completed successfully the function code is echoed back in the response; if it failed, it is returned with the most significant bit set, signalling an exception response. The third field is the data field, whose length depends on the function code. The last two bytes are the CRC field for error checking of the frame [17]. Table 5-1 below lists the function codes and their meaning.

Table 5-1: Function Codes In A Modbus Protocol Frame [23]

Exception responses are generated when an illegal request is received at the target station. The fields of an exception response are the address of the responding controller, the function code with its MSB set to 1, the appropriate exception code, and the CRC-16 checksum [23].

Table 5-2: Exception Codes For Modbus Protocol [23]
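An added example, not code from [17] or [23], of the frame format just described: it computes the Modbus CRC-16, builds and parses RTU frames, and implements a minimal slave that serves function code 03 (read holding registers) and returns exception responses with the function code's MSB set. The register contents and the slave address are constructed for the example.

```python
"""Modbus RTU framing (section 5.2): address | function code | data | CRC-16,
and the exception response with the MSB of the function code set."""
import struct

READ_HOLDING_REGISTERS = 0x03
BROADCAST = 0
# Exception codes from the Modbus specification
ILLEGAL_FUNCTION = 0x01
ILLEGAL_DATA_ADDRESS = 0x02


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001 (0x8005), initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def rtu_frame(address: int, pdu: bytes) -> bytes:
    """address || PDU || CRC, CRC low byte first as on the wire."""
    body = bytes([address]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu(frame: bytes):
    """Return (address, pdu) or raise ValueError if the CRC does not match."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc != crc16_modbus(body):
        raise ValueError("CRC mismatch")
    return body[0], body[1:]


def is_exception(pdu: bytes) -> bool:
    return bool(pdu[0] & 0x80)


def read_holding_registers(start: int, count: int) -> bytes:
    return struct.pack(">BHH", READ_HOLDING_REGISTERS, start, count)


def slave_handle(frame: bytes, my_address: int, registers: list):
    """Minimal slave: serves function 03 from `registers`; anything else gets an exception.
    Returns the response frame, or None when the frame is a broadcast or not addressed to us."""
    address, pdu = parse_rtu(frame)
    if address == BROADCAST or address != my_address:
        return None                                  # a broadcast is never answered
    fc = pdu[0]
    if fc != READ_HOLDING_REGISTERS or len(pdu) != 5:
        return rtu_frame(my_address, bytes([fc | 0x80, ILLEGAL_FUNCTION]))
    start, count = struct.unpack(">HH", pdu[1:5])
    if not 1 <= count <= 125 or start + count > len(registers):
        return rtu_frame(my_address, bytes([fc | 0x80, ILLEGAL_DATA_ADDRESS]))
    values = registers[start:start + count]
    return rtu_frame(my_address, bytes([fc, 2 * count]) + struct.pack(">%dH" % count, *values))
```

Note that nothing in the frame identifies the master: any station on the bus that can compute the CRC can issue a request the slave will honour, which is the root of the attacks discussed in section 5.5.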

5.3 Modbus Serial Protocol

Modbus serial messages are transmitted between a master and slave devices over serial lines using the ASCII or RTU transmission mode [24].

Figure 5-4: Modbus Serial Architecture [24]

A message has three components, as shown in Figure 5-4: the slave address, the Modbus application protocol data unit (PDU) and the error checking field. The address field holds the destination slave address in a request and the responding slave's address in a reply. A broadcast message uses address 0 and therefore does not designate any particular slave. The PDU has two subfields, the function code and the function parameters. The function parameters field carries the data pertaining to the function invocation (request messages) or the function results (response messages). Modbus function codes fall into three categories: public codes, user-defined codes and reserved codes. Public codes are the basic read and write functions, reserved codes are used for compatibility with legacy systems, and user-defined codes are vendor specific [24].

5.4 Modbus TCP Protocol

This variant works over both LAN and routed IP networks [24]. Figure 5-5 below shows a master connected to multiple slaves via an IP network. The master is connected to the control center's database and historians. In Modbus TCP the slave is designated the server and the master the client, since the slave performs only passive operations. Multiple outstanding transactions can be present on an established connection [24].

Figure 5-5: Modbus TCP Architecture [24]

Since Modbus TCP encapsulates its messages in TCP, the Modbus TCP application data unit consists of the Modbus Application Protocol (MBAP) header followed by the same Modbus PDU used in the serial protocol. The MBAP header has four fields: transaction identifier, protocol identifier, length and unit identifier. Requests and replies are paired by the transaction identifier, and the protocol identifier indicates the application protocol encapsulated by the MBAP header (zero for Modbus). The unit identifier indicates the slave associated with the transaction and is used mainly when bridging to legacy serial devices. The length field gives the number of bytes that follow it, i.e. the unit identifier and the PDU [24].

5.5 Vulnerabilities And Attacks In Modbus Protocol

Attacks on Modbus systems and networks can exploit the protocol specification, vendor implementations of the protocol, and the infrastructure. As with DNP3, threats can be divided into four categories: interruption, interception, modification and fabrication. In Modbus serial, attacks can target the master, the slaves and the serial communication network; in Modbus TCP they can target the IP network as well as the master and slave devices [24]. These attacks affect the confidentiality of the transmitted information, because message contents can be read; the availability of the system, because they can result in denial of service; and the integrity of the data, because messages can be fabricated by a man in the middle. The attacks can be grouped into three categories: attacks unique to Modbus serial, attacks unique to Modbus TCP, and attacks common to both [24].

5.5.1 Serial Only Attacks

These attacks modify the function code within a packet so that the resulting action corrupts the end system [24], [25]. When function code 08 with sub-function code 0A (clear counters and diagnostic register) is sent to the target device, it clears the counters and alters the diagnostic register values. This changes the configuration of the field device and impacts diagnostic operations. The threat category is modification of the field device [25]. With the same function code 08 and sub-function code 01 (restart communications option), the end device restarts and executes its power-up test. This changes the configuration settings, since they are restored to defaults rather than to the original values, and renders the device inoperable if it is asked to restart repeatedly. The threat categories are interruption and modification [25]. Function code 17 (report slave ID), when sent to the field device, returns the device's status information, which can be sniffed and studied to carry out further attacks. This impacts the confidentiality of the system [25].

5.5.2 Serial And TCP Attacks

Attacks in this category may disable the whole communication path by blocking Modbus messages. More serious attacks can take over control from the master station and completely disrupt the operation of the system [24] [25] [26]. A man in the middle can broadcast messages to the field devices, and the attack can go undetected since broadcast requests receive no reply. This can bring down the whole set of remote stations and hamper the whole operation. The threat categories are interruption and modification [26]. Messages flowing between the master and the field devices can be recorded and replayed; in this way the man in the middle confuses the end devices and spoils the flow of operations. The threat categories are interruption, modification and fabrication [26]. The man in the middle can also generate random addresses and send messages to the field devices to obtain their configuration and status information. This scanning attack causes loss of confidentiality; its threat category is interception [26].
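An added example, not code from [24], [25] or [26], of passive detection of the attacks described in sections 5.5.1 and 5.5.2 in Modbus TCP traffic: it parses the MBAP header of section 5.4 and flags diagnostics sub-functions 01 and 0A, report slave ID (17), broadcast writes, exact replays of an earlier request, and unit-identifier scanning. The capture, the IP addresses and the scan threshold are constructed for the example; the diagnostics and report slave ID checks apply equally to serial traffic once the RTU CRC is stripped, since the PDU is the same.

```python
"""Passive monitor flagging the Modbus attacks of sections 5.5.1 and 5.5.2
in Modbus TCP traffic. The capture below is constructed, not recorded."""
import struct
from collections import defaultdict

DIAGNOSTICS = 0x08          # function code 08
REPORT_SLAVE_ID = 0x11      # function code 17
RESTART_COMMS = 0x0001      # 08 sub-function 01
CLEAR_COUNTERS = 0x000A     # 08 sub-function 0A
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}   # write coil(s) / register(s)
SCAN_THRESHOLD = 4          # distinct unit ids from one client before calling it a scan (assumed)


def mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_adu(adu: bytes):
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if protocol_id != 0 or length != len(adu) - 6:
        raise ValueError("malformed MBAP header")
    return transaction_id, unit_id, adu[7:]


def inspect(packets, authorised_master: str):
    """packets: iterable of (src_ip, dst_ip, adu). Returns alert strings in order of detection."""
    alerts = []
    flagged_clients = set()
    seen = set()                       # (dst_ip, adu) already observed
    units_per_client = defaultdict(set)
    for src, dst, adu in packets:
        _, unit, pdu = parse_adu(adu)
        fc = pdu[0]
        if src != authorised_master and src not in flagged_clients:
            flagged_clients.add(src)
            alerts.append(f"UNAUTHORISED_CLIENT {src}")
        if fc == DIAGNOSTICS and len(pdu) >= 3:
            sub = struct.unpack(">H", pdu[1:3])[0]
            if sub == CLEAR_COUNTERS:
                alerts.append(f"CLEAR_COUNTERS {src}->{dst} unit={unit}")
            elif sub == RESTART_COMMS:
                alerts.append(f"RESTART_COMMS {src}->{dst} unit={unit}")
        if fc == REPORT_SLAVE_ID:
            alerts.append(f"REPORT_SLAVE_ID {src}->{dst} unit={unit}")
        if unit == 0 and fc in WRITE_FUNCTIONS:
            alerts.append(f"BROADCAST_WRITE {src}->{dst}")     # no reply, so nothing else reveals it
        key = (dst, adu)
        if key in seen:
            alerts.append(f"REPLAY {src}->{dst} unit={unit}")  # identical ADU, same transaction id
        seen.add(key)
        units_per_client[src].add(unit)
        if len(units_per_client[src]) == SCAN_THRESHOLD:
            alerts.append(f"UNIT_SCAN {src} units={sorted(units_per_client[src])}")
    return alerts


MASTER, ATTACKER, SLAVE = "10.0.0.1", "10.0.0.99", "10.0.0.50"
READ_HR = mbap(1, 1, b"\x03\x00\x00\x00\x02")     # read 2 holding registers from unit 1

# Constructed capture: one legitimate read followed by the attacks of 5.5.1 and 5.5.2.
SAMPLE_CAPTURE = [
    (MASTER, SLAVE, READ_HR),
    (ATTACKER, SLAVE, mbap(1, 1, b"\x08\x00\x0a\x00\x00")),   # 08/0A clear counters
    (ATTACKER, SLAVE, mbap(2, 1, b"\x08\x00\x01\x00\x00")),   # 08/01 restart communications
    (ATTACKER, SLAVE, mbap(3, 1, b"\x11")),                   # 17 report slave id
    (ATTACKER, SLAVE, mbap(4, 0, b"\x06\x00\x05\x00\x01")),   # broadcast write single register
    (ATTACKER, SLAVE, READ_HR),                               # replay of the master's request
    (ATTACKER, SLAVE, mbap(5, 2, b"\x11")),                   # probing further unit ids
    (ATTACKER, SLAVE, mbap(6, 3, b"\x11")),
]


def example_alerts():
    return inspect(SAMPLE_CAPTURE, MASTER)


if __name__ == "__main__":
    for alert in example_alerts():
        print(alert)
```

The replay rule keys on the destination and the exact ADU bytes, which includes the transaction identifier; a legitimate client does not reuse a transaction identifier with identical contents, so a match is a strong replay indicator, but a retransmission after a lost reply would also trip it and should be correlated with the absence of a response.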

Another attack is delaying the flow of information from the slave to the master so that the master receives out-of-date messages and discards them. This attack threatens the system by interrupting and modifying the messages [26].

5.5.3 TCP Only Attacks

The attacks listed here are specific to Modbus TCP [24],[26].

This kind of attack exploits the framing of messages in TCP. Multiple Modbus messages cannot be placed in a single TCP packet, so messages are fragmented by the master and sent to the remote station. The attack injects improperly fragmented messages, or modifies the fragments and sends them on. The threat category this falls into is interruption [26].

An illegal packet with the final frame bit set is sent, which closes the TCP connection. Such a packet can be sent following any Modbus message and is taken as the end of the transaction. The threat category of this attack is interruption [26].

Bombarding the field device or the master with transactions that belong to the higher priority pool causes denial of service. There are multiple pool categories in the TCP protocol, since multiple transactions can be outstanding. If a pool is flooded with illicit packets it will not accept legitimate packets and service stops. This threat arises from the interruption of the devices [26].

The impacts of the above attacks are as follows. Loss of confidentiality occurs when an attack reveals information about field devices, network topology or messages. Loss of availability occurs when operators are unable to obtain accurate and timely information about a process, either due to denial of service or data modification; this covers attacks that interrupt field devices, network connectivity or messages, as well as those that modify the master or involve the fabrication of field devices. The worst category, loss of integrity, occurs when an attacker spoofs the master and/or seizes control of the process; this covers attacks that modify field devices, network paths or messages, as well as those that result in the fabrication of the master, network paths or messages [26].

5.6 Countermeasures For Enhancing Modbus Security

This section describes the countermeasures that can be applied to the Modbus protocol to provide security. The common security threats among those listed above are as follows. When the master sends a message to the field device, the receiving device needs to first authenticate the source of the packet and then process it. The Modbus protocol lacks this ability, so man-in-the-middle attacks can easily take place. The middle man can bombard the slave units with messages and cause denial of service to the legitimate master. The middle man can also carry out replay attacks, i.e. capture the packets being sent and reuse them, altering them to perform other functions. The best way to solve this issue is to repair the Modbus protocol at its source, but this requires significant architectural modifications. Another approach is to introduce smaller security mechanisms that protect against specific attacks.

5.6.1 Secure Modbus Protocol

A secure Modbus protocol must preserve the confidentiality and integrity of the message. To satisfy these requirements, an unauthorized entity must not be allowed to access or modify the contents of the message. Also, there must not be a middle man who can emulate the master or deny that an action was performed [27].

In the original protocol there is a protocol data unit (PDU) which is independent of the communication layer. When Modbus messages are mapped onto the structure of the bus or network, additional fields are introduced. In the Modbus TCP frame structure there is an MBAP header, where the target address field of the serial message packet is replaced by a one-byte Unit Identifier. The error checking field is removed and length information is added. The length is stored so that the receiving field device can identify message boundaries when messages are broken into packets. A Modbus packet can have fixed size or variable size data fields. For fixed size packets, the information needed to tell whether the entire message has been received is implicit in the function code; for function codes with variable data sizes, a byte count field carries this information [27].

The secure architecture covered below is intended to satisfy the following security requirements [27].

1. Integrity of the data is maintained by using a secure hash algorithm. SHA2 is used to generate the digest, which is transmitted along with the packet. Integrity is verified by computing the digest with the same algorithm and comparing it [27].

2. The above scheme does not prevent a middle man from creating a packet of its own and sending it to the field device. To avoid this kind of attack it is important to authenticate the master, so a signature based scheme should be used. In this secure Modbus architecture an RSA based signature algorithm is used. The master signs the digest with its private key and the field device uses the public key to recover the digest and check authenticity. With this algorithm availability is also addressed, since only the owner of the specific private key can send a valid packet [27].

3. The above two schemes do not provide replay protection, because a packet can be sniffed and captured by a middle man. Hence a time stamp scheme is used, which helps identify whether a packet is a replay of a sniffed one or the original [27].

The packet structure incorporating the time stamp is shown below.


Figure 5-6: Secure Modbus Application Data Unit [27]

The time stamp is applied by the master device creating the packet: it is appended to the packet and sent to the destination. The destination checks the time stamp against a pre-defined, configured time interval; if the packet has arrived within that limit it is a valid packet. One way of implementing this is by using the Network Time Protocol (NTP). NTP provides high precision time by synchronizing the clocks of computer systems over packet switched, variable-latency data networks. NTP requires additional equipment to be installed, namely an NTP time server, which provides a reliable clock for all communicating devices [27].

Since Modbus is a protocol that was developed for old legacy systems in SCADA, applying the above extensions to it requires more computing power at the master and slave devices. In order to retrofit the legacy systems, a Modbus secure gateway [27] was implemented which carries out the above procedures to make packet transmission more secure. Figure 5-7 below presents a schematic diagram of the Modbus Secure Gateway.


Figure 5-7: Modbus Secure Gateway [27]

This gateway is placed between the Modbus master and the legacy slaves: it is a multi-homed gateway with a TCP/IP interface connected on the master side and a set of point-to-point TCP or serial links connected to the legacy slaves [27]. Operation of the gateway is as follows. When it receives a packet from the master side flowing towards a slave, it carries out the following steps.

1. It discards any unauthenticated packets.
2. It extracts the Modbus packet by applying the SHA algorithm and checking that the packet has maintained its integrity.
3. It then forwards the packet to the particular slave destination.

When it receives a packet from a slave device flowing towards the master, it carries out the following steps [27].

1. It creates the secure Modbus packet from the original Modbus packet.
2. It signs the packet digest with its private key.
3. It sends the packet over to the master.

The steps followed when sending and verifying a secure Modbus packet are as follows [27].

1. The master creates the packet (Mreq) with the function code required to carry out the command and the slave address, and time stamps it.
2. It then computes the digest, signs it with the private key (pKm) and sends the request to the slave or the gateway:
   C = [TS|Modbus]{SHA2(TS|Modbus)}pKm
3. The gateway or slave verifies the packet using the public key (sKm):
   Mreq = {C}sKm

After verifying that the packet is genuine, the slave address is read from the MBAP header and the packet is sent to the appropriate address. The same procedure is followed when packets flow the other way.

The above architecture can be implemented in the following manner. The communication layer between the OS and the Secure Modbus device was implemented using sockets. The TCP/IP library only provides stream sockets using TCP, a connection-based communication service. Figure 5-8 below presents the architecture of the Secure Modbus module that implements socket-based communications. The TCP/IP level manages the establishment and termination of connections and the data flow in an established connection.


Figure 5-8: Secure Modbus Module [27]

The components of the above module are as follows. The TCP stream builder sets up the connection parameters. The keep-alive period is used to detect inactivity of systems: with a short keep-alive period an inactive connection is closed quickly. TCP no-delay is used for real time systems. The function time-out can be modified according to the requirements of the system [27].

The Modbus part has 4 main components. The Modbus stream builder extracts the secure Modbus packet contained in the TCP packet and sends it to the RSA unit. After verifying authenticity, the packet goes to the SHA-2 unit, which verifies the integrity of the data, and then to the time stamp analyzer, which verifies its freshness. The RSA unit does the encryption or decryption using the respective private or public keys. The SHA-2 unit validates the hash values. The Modbus ADU Builder/Reader constructs and manages the secure Modbus application data unit. The time stamp analyzer verifies validity using the NTP service [27].

The Secure Modbus protocol was tested using an experimental power plant testbed. Figure 5-9 below shows the components of the SCADA testbed [27].


Figure 5-9: SCADA Test Bed Developed To Verify Secure Modbus Protocol [27]

The components of the SCADA testbed are as follows. The field network is the network of all the actuators and sensors. The process network is used for plant operations, sending commands to the field devices, etc. The observer network collects all the sensory data. The horizontal services network provides backup and disaster recovery. The intranet is the network within the control center. The data exchange network allows data to be shared from the control center process network to the corporate intranet [27].

Two experiments were conducted to evaluate the performance of the Secure Modbus protocol. The first examined the latency resulting from the use of SHA2 hashing and the RSA based signature scheme. The second examined the increased size of Secure Modbus packets for various function codes [27]. Table 5-3 compares the communication latency of Modbus TCP and Secure Modbus: a negligible difference in latency is observed for both sets of scan rate and connection time out. Table 5-4 compares the packet sizes. Secure Modbus packets are larger than the corresponding Modbus TCP packets, but this overhead is offset by communication networks with higher bandwidth, so the two balance out.

Table 5-3: Comparison Of Communication Latency [27]

Table 5-4: Comparison Of Packet Size [27]

The above secure Modbus gateway architecture provides a secure environment without significant overhead. But it does not address a middle man attack in which the attacker seizes control of a master and sends malicious messages to the Modbus unit. To address this attack scenario, a dedicated filtering unit identifies suspect Modbus messages. Below is a description of the development of the filtering unit and its features [27].

The secure survivable SCADA architecture described below combats attacks in which the attacker is able to send a command packet to a slave. Even when a command packet is illicit, a firewall will let it flow through, because it is a well-formed command packet; so a packet sent from an illicit source still gets through. The solution presented below addresses this [27].

1. The master composes the packet normally (Mreq), and the authenticity and integrity of the packet are then protected using the RSA and SHA algorithms.
2. This packet is sent to the filtering unit, which validates it using the master's public key:
   Mreq = Dec {C, PKm}
3. The filtering unit analyzes the Modbus packet command and destination. If the combination is unusual and dangerous to the slave unit, it adds the packet to the dedicated stack of malformed packets.
4. If the packet is untouched, the filtering unit authenticates the message with its own private key (pKf) and sends it to the slave unit:
   MrF = Enc {Mr, pKf}
5. The slave (PLC) validates the filtered Modbus request (MrF) with the filtering unit's public key (PKf):
   Mr = Dec {MrF, PKf}
6. The slave validates the Modbus request (Mreq) with the master's public key and executes the command:
   Mreq = Dec {Mr, PKm}

But there is another security hole in this architecture. If the attacker takes control of both the filtering unit and the master, it can reach the slave unit. To avoid this scenario the concept of K-resilience is adopted [28]. This means a mesh of N filtering units, each running a stronger operating system, is deployed between the master and slave units. The algorithm works in the following manner. When a packet from the master reaches the filtering units it is sent to at least P of them, where P is greater than K. Each filtering unit verifies the authenticity of the packet and sends it to the slave unit. If the slave unit receives at least K copies of the same request, it processes the command. The attacker now has to corrupt P filtering units to reach the slave [28]. Figure 5-10 below shows the proposed architecture in detail.

Figure 5-10: High Level Secure Survivable Architecture [28]

The proposed architecture provides security in several areas. It does not allow execution of corrupted packet commands. Because of the signatures used, it provides data integrity. It prevents replay attacks with time stamps. It prevents a malicious master from sending corrupted packets because of the filters used, and it reduces the risk of the attacker reaching the slave through its K-resilience architecture [28].

The implementation of the prototype is discussed below. Because of the physical architecture of SCADA, key exchange can be done manually for each system in a secure manner; there is no need for automatic key exchange. The RSA scheme was used for the signature based algorithm. The signature is applied to the Modbus packet, which is then encapsulated in the TCP packet. The basic communication layer between the operating system and the Modbus device is provided by a socket, which manages the keep-alive messages, the TCP_NODELAY option and the connection time-outs [28]. Components in the master and slave units must be designed for both functions: creating a Modbus packet and interpreting the received packet. The Modbus Stream adapter extracts the Modbus packet from the TCP packet, authenticates it using RSA and checks its time stamp with the TS analyzer. The Modbus ADU Builder/Reader checks whether the packet carries a valid command to a valid address. It uses the message stack to store all incoming messages and validates them against the intrusion detection system [28]. The components of the filtering unit are shown in Figure 5-11 below.

Figure 5-11: Filtering Unit Prototype [28]

The Modbus Module consists of the following units. The rules database holds the list of authorized behaviors, i.e. the valid combinations of command and destination. The system description database contains a description of the system to be analyzed; it works together with the rules database to determine any malicious activity on the process network. The event tracker is used to correlate events and is used in the stack architecture. The Modbus analysis engine analyzes all the data collected from the above three units and identifies malicious behavior. The alert manager notifies about potential malicious activity [28].

Prototype testing was carried out with the aim of measuring the delays introduced by the signature algorithms and the mesh of filtering units. The size of the resulting packets was also analyzed. Tables 5-5 and 5-6 show that the latency and delays introduced are comparatively small.
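The rules database of the filtering unit just described, together with the K-of-P acceptance rule from the K-resilience discussion earlier in this section, as an added example (this is not the prototype code from [27] or [28]): each filtering unit validates the MBAP framing (the length check of 5.6.1), looks the command/destination pair up in a constructed rules database, pushes anything unusual onto its quarantine stack with an alert, and endorses the rest; the slave executes a frame only once at least K distinct units have endorsed identical bytes. HMAC-SHA256 tags keyed per unit stand in for the units' RSA signatures so the script needs only the standard library, the master's own signature is assumed to have been verified before the frame reaches the units, and the rules, unit ids, keys and sample frames are all constructed.

```python
# Added example, not the papers' code: filtering-unit mesh with K-resilience.
# Per-unit HMAC-SHA256 tags stand in for the units' RSA signatures (assumption);
# the master's signature is assumed already verified by each unit.
import hashlib
import hmac
from collections import Counter

# Rules database (constructed): function codes each destination unit may receive.
RULES = {
    0x11: {0x03, 0x04},         # unit 0x11: read-only (holding / input registers)
    0x12: {0x03, 0x06, 0x10},   # unit 0x12: reads plus register writes
}

def parse_mbap(frame):
    """Return (unit_id, function_code) from a Modbus/TCP frame, validating the
    MBAP length field so a mis-framed packet is rejected rather than parsed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    protocol = int.from_bytes(frame[2:4], "big")
    length = int.from_bytes(frame[4:6], "big")
    if protocol != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or MBAP length")
    return frame[6], frame[7]

class FilteringUnit:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.quarantine = []   # the paper's stack of malformed/suspect packets
        self.alerts = []       # what the alert manager would report

    def tag(self, frame):
        return hmac.new(self.key, frame, hashlib.sha256).digest()

    def filter(self, frame):
        """Return (name, frame, tag) for an authorised packet, else None."""
        try:
            unit, fc = parse_mbap(frame)
            allowed = fc in RULES.get(unit, set())
        except ValueError:
            allowed = False
        if not allowed:
            self.quarantine.append(frame)
            self.alerts.append(f"{self.name}: blocked frame {frame.hex()}")
            return None
        return self.name, frame, self.tag(frame)

class Slave:
    def __init__(self, fu_keys, k):
        self.fu_keys, self.k = fu_keys, k
        self.executed = []

    def receive(self, endorsements):
        """Execute a frame only once K distinct filtering units have endorsed
        identical bytes with a valid tag. Returns the frames executed."""
        endorsed = set()
        for name, frame, tag in endorsements:
            key = self.fu_keys.get(name)
            expected = hmac.new(key, frame, hashlib.sha256).digest() if key else b""
            if key and hmac.compare_digest(expected, tag):
                endorsed.add((frame, name))
        votes = Counter(frame for frame, _ in endorsed)
        accepted = [frame for frame, n in votes.items() if n >= self.k]
        self.executed.extend(accepted)
        return accepted

def send_through_mesh(frame, units, slave, p):
    """Master-side dispatch: the packet goes to P of the N filtering units, and
    whatever they forward reaches the slave."""
    endorsements = []
    for fu in units[:p]:
        result = fu.filter(frame)
        if result is not None:
            endorsements.append(result)
    return slave.receive(endorsements)

# Constructed sample frames (MBAP + PDU).
READ_OK = bytes.fromhex("0001000000061103006B0003")    # read 3 regs from unit 0x11
WRITE_BAD = bytes.fromhex("00020000000611050001FF00")  # write coil to read-only 0x11

def demo():
    units = [FilteringUnit(f"FU{i}", f"fu{i}-key".encode()) for i in range(4)]  # N = 4
    slave = Slave({fu.name: fu.key for fu in units}, k=2)                         # K = 2
    p = 3                                                                          # P > K
    legit = send_through_mesh(READ_OK, units, slave, p)      # all 3 endorse -> executed
    blocked = send_through_mesh(WRITE_BAD, units, slave, p)  # all 3 quarantine it
    # A single compromised unit (FU0) endorsing the forbidden write stays below K.
    rogue = units[0]
    alone = slave.receive([(rogue.name, WRITE_BAD, rogue.tag(WRITE_BAD))])
    return legit, blocked, alone, len(units[1].quarantine)

if __name__ == "__main__":
    print(demo())
```

The vote is counted over distinct unit names per identical frame, so a unit that forwards the same frame twice, or a captured endorsement replayed under another unit's name, cannot raise the count on its own; reaching K requires K separately keyed units to agree.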

Table 5-5: Communication Latency With Modbus And Secure Modbus - Master Scan Rate Of 500ms And A Connection Timeout Of 1200ms [28]

Table 5-6: Modbus/TCP And Secure Modbus/TCP Packets Size, Tested With Different Functions [28]

Table 5-7 below lists the differences when the filtering units (FU) are applied to the Modbus and Secure Modbus architectures. The filtering units do introduce additional delay, but it is negligible compared with the latency of Modbus and Secure Modbus themselves. The delay introduced by the FU is the same for all slave devices [28].


Table 5-7: Communication Latency In The Different Communications Steps [28]

To verify the functionality of this system, a series of attacks was launched against the above prototype and against a SCADA architecture configured with two firewalls, i.e. classical iptables and a WatchGuard firewall. It was observed that the above prototype significantly improved the security of the system [28].

Chapter 6

RESEARCH ISSUES

There are a number of issues that require research to be carried out, and models for them need to be developed appropriately [29]. Below are some of the issues that need more work.

6.1 Performance Requirements Of SCADA Systems

Chapter 4 discussed the various countermeasures that can be used to combat the security issues in the DNP3 protocol. All these techniques assume that the SCADA end systems have enough resources to execute all the steps. This is not true, because the processing power of SCADA end systems is not high. Hence implementing techniques such as secure DNP3 authentication, timed network protocol, etc. will bring down the performance of the system. This is an important issue which needs research [29].

6.2 Authentication And Authorization Of Users At The Field Substations

Authentication and authorization of the personnel who work at the substation is an issue that needs research. The aim is to have only intended users authenticate to their assigned devices and perform only the functions relevant to that user. This prevents insider attacks and gives a better logging system. Access to the IEDs at the substations must be given to a specific user. Generally it is given to a number of users having a specific role. These systems understand the meaning of a role but are not programmed to allow only the user who is assigned to that role. Therefore passwords are shared among multiple maintenance personnel even though their assigned roles may differ, which defeats the purpose of having roles. Also, since so many devices are deployed in a substation, the shared password may be common to many systems [29]. These systems are accessed either locally or remotely. Remote access takes place over low speed communication lines, so carrying out authentication of the user can slow down the whole communication process. Therefore running an authentication protocol such as RADIUS or LDAP is undesirable. Some method is needed that will allow appropriate system access during emergency situations [29].

6.3 Enhancing The Security Of Serial Communication

Some legacy systems have serial communication links between the control centers and outstation devices. The most commonly used protocols on these serial links are DNP3 and Modbus. They transmit in unencrypted form and hence can be easily sniffed. Solutions such as wrapping the protocols in an IPSEC or SSL/TLS layer put a load on these low bandwidth links and bring down system speed to a large extent; this impacts the latency and bandwidth of communication, so they are not good solutions. Research needs to be carried out to find a mechanism that brings in encryption and at the same time does not affect the latency and bandwidth of the system [29].

6.4 Access Logs For The IEDs In Substations

Access to the IEDs at the substations must be logged in order to detect any malicious activity. Even where logs are maintained, they are not communicated to the control center because of the low bandwidth issue. A solution is needed that allows remote access to these logs from the control center without compromising the bandwidth requirements. The solution should also consider the need for a more centralized solution even though the substations are distributed in nature [29].

6.5 Attacks From Which Side Channel Information Can Be Obtained

Cryptographic keys embedded in the equipment can be extracted using the various attack schemes described below. The information obtained from these attacks is called side channel information and can facilitate extraction of the entire cryptographic key.
Side channel information can be retrieved by carrying out attacks based on timing measurements, power measurements, electromagnetic emission and faulty hardware. A power analysis attack involves analyzing the power differences in the signal and converting the trace into logical zeroes and ones in order to extract the key. Another attack is the tempest attack, which works on the principle that electronic devices such as monitors emit electromagnetic radiation during normal use; this can be captured from a remote location using antennas etc. and the information replayed, attacking privacy. Timing attacks exploit timing information obtained from the way inputs, including cryptographic keys, are processed by the system. Even though side channel information does not provide complete information, it provides enough that can be amplified to analyze and extract keys [29].

6.6 Timing Information Dependency

A time reference is used by many power system models. The advanced systems currently being built are becoming more dependent on an absolute time reference. In order to avoid replay attacks on security protocols that use a time stamp scheme for authentication, it is necessary to have an absolute time reference. Hence it is necessary to ensure that this timing information is not tampered with on any device. An example is when certificates are used to bind an identity to public keys, facilitating digital signatures and data encryption. When these certificates are exchanged, if the receiving end's time reference has been tampered with, it might reject the certificate because it has expired or is not yet valid, malicious connections might be set up, etc. Timing information is also used in the time stamps in logs. These logs are combined with logs from other sources to analyze the sequence of events and find any malicious activity. Hence it is necessary to provide synchronized clocks which are tamper proof [29].
6.7 Software Patches Update

Devices in remote stations such as IEDs, PLCs etc. are deployed in a distributed and isolated manner. Software and patch updates to these devices cannot be done very easily. It is a complex procedure which involves testing on backup systems and then deploying to the production systems. The electrical sector operates in a slightly different manner than regular IT systems. First the risk and impact of the vulnerability needs to be determined, and based on its priority level the patches need to be deployed. The process of developing this scheme needs to be researched in more detail so that this procedure gets a proper structure [29].

6.8 Intrusion Detection Equipment For The Field Devices And The Control Systems

Communication between the master and the field devices takes place using the Modbus or DNP3 protocol. In legacy systems Modbus has already been deployed; in newer systems the DNP3 protocol is more prominent. There needs to be a well developed intrusion detection mechanism which supports both protocols and also carries out event detection and analysis. The standard being built needs a good understanding of the operation of the field device, the main station and the protocol. With this ability the model can detect malicious commands that come in to disturb the operation of the entire system [29].

6.9 Authentication Of The Users To Control System Equipment

The control center uses operating systems such as UNIX or Windows. Standard enterprise solutions for authenticating users to this equipment are available, but these might need some modification after taking into consideration their usage in the electrical sector. Access policies such as locking the screen during inactivity and expiring passwords are not always appropriate for equipment in the control center. Therefore research is needed on how new schemes can be developed which fit the requirements of the control center [29].

6.10 Legacy Systems With Limited Processing Power And Resources

The lifecycle of equipment in the electrical sector ranges from 20 to 30 years, but security technologies grow at a very rapid rate.
Legacy systems are resource limited, and it is difficult to add new security technologies to them since they lag behind in development, unlike IT systems which grow at the same rate as security technologies. Adding these security technologies to this equipment might hinder its performance and might be impractical. It might also be difficult to put in the security functionality simply because the equipment does not have the resources to support it. Hence security mechanisms need to be developed specifically for these legacy systems, so that they do not bring down the functionality of the system and also extend to the legacy systems. A more layered architecture needs to be developed to provide a secure system [29].

6.11 Roles To Be Defined In The Control Center

There are a few well defined roles in the control center, but with the introduction of various security schemes more roles may need to be introduced. These new roles will basically consist of the maintenance and evaluation of the security mechanisms introduced into the latest system. Hence there needs to be a compilation of all the roles in the control systems and their responsibilities. The access control schemes for each of these roles also need to be defined correctly so that no new vulnerabilities are introduced into the system [29].

There are many areas in SCADA that need a lot of research. There is a general notion that when a system fails it is because of the security mechanisms that have been implemented, and so they all get disabled. This criterion also needs to be considered and models need to be developed effectively [29].

Chapter 7

CONCLUSION

7.1 Summary

The SCADA system used in the power grid has a number of security issues. The aim of this project was to identify these security issues and the countermeasures to combat them. The main functions of SCADA are to manage and control the equipment responsible for delivering power; therefore it consists of automated processes which help it achieve this functionality. The three main components of SCADA are the master terminal unit, the remote terminal unit and the communication channel between them. The master terminal unit is the control center that manages and controls the actions of the remote terminal units. A remote terminal unit consists of field devices that gather information about the status of the system using sensory equipment and control certain modules of the system using actuators. The communication channel provides the link to share the collected data and at the same time sends the appropriate commands to the field devices to carry out their functions.

There are a number of vulnerabilities that can be exploited in the master terminal unit and the remote terminal unit. Policy and procedure vulnerabilities such as inadequate security policy, insecure architecture and design, insufficient guidelines to personnel about equipment security, few security audits and lack of a disaster recovery plan could cause severe impact on the SCADA architecture. Platform vulnerabilities such as the use of standard operating systems with known security issues, password related issues such as the use of shared and unencrypted passwords, and access control issues such as the lack of defined roles and privileges can let an attacker easily enter the system and disrupt operations.

The countermeasures used to overcome the issues stated above are: developing a structured approach with specific functions such as plan, guidance, enforcement and auditing documentation to help SCADA personnel maintain the system in a secure manner. Strong intrusion detection schemes, which block any kind of illegal traffic containing commands harmful to the system, need to be developed and deployed. For SCADA systems with serial communication links, the bump-in-the-wire technology used in the YASIR (Yet Another Security Retrofit) solution provides secure communication with lower processing latency and better bandwidth usage.

Two protocols used in the communication channel between the master and remote terminal unit are the Distributed Network Protocol (DNP 3.0) and the Modbus protocol. Vulnerabilities in the DNP3 protocol layers can be exploited to cause interruption, interception, modification and fabrication of communication between systems. The attacker can capture messages, analyze the traffic pattern, and modify parameters such as the length field, function code field, destination address and sequence number field to cause denial of service. There are various techniques that can be implemented to avoid these attacks. Wrapping the DNP3 protocol structure in an SSL/TLS or IPSEC layer provides protection; however, this approach does not provide secure authentication. Another approach is to carry out protocol enhancements with authentication octets or via a challenge-response implementation to provide better authentication. The last approach discussed is the DNPSec framework, which changes the protocol packet structure to protect against attacks. On comparing these approaches, the DNPSec framework provides good security; however, it is a theoretical idea and should be tested in a real environment.

The Modbus protocol works over both TCP/IP and serial communication links. One way of attacking the serial communication is by modifying function codes in the protocol to cause harm to the system.
Some of the illegal function codes used would clear registers or restart the system, and can cause failure of system operation. Middleman attacks such as broadcasting messages, replaying messages, random address generation and delaying the flow of information can take place, and can hamper the system severely. The TCP packet structure in the Modbus protocol can be altered to carry out attacks such as closing the connection, denial of service etc. A secure Modbus protocol can be built by modifying the packet structure; to retrofit legacy systems, gateways can be introduced which provide integrity and authentication. In order to avoid intermediary attacks, a mesh of filtering units with K-resilience can be used. These countermeasures provide security to a certain extent. There are still some areas which need more research, such as an appropriate authentication mechanism that does not use excess bandwidth, mechanisms to avoid side channel attacks, etc.

7.2 Strengths and Weaknesses

This project has a comprehensive list of the potential and current security issues in the SCADA system. Various countermeasure schemes are listed to overcome the security issues. Countermeasures which retrofit into legacy systems, e.g. YASIR, are discussed. Other countermeasures which can be implemented for both legacy and non-legacy systems, such as domain specific IDS and demilitarized zones, are also discussed. The secure Modbus architecture fits into legacy communication systems by using gateways and at the same time provides a very secure communication architecture using a mesh of filtering units for the Modbus protocol. The DNPSec framework provides a secure communication structure for the DNP3 protocol. The advantage of this scheme is that it provides end-to-end security at the application level, and the protocol is simple, eliminating the complexity of key exchange and management.

Some weaknesses of this project are as discussed below. Implementation of firewalls, electronic perimeters, demilitarized zones, intrusion detection systems etc. would block illegal traffic from entering the network.
These are strong countermeasure schemes, which need to be carefully developed and tested. Various types of firewalls such as packet filtering firewalls, stateful inspection firewalls and application proxy gateway firewalls are available. In this project we do not analyze which of these firewalls can be used at each entry point in the SCADA network. Another protocol used in control systems is IEC 870-5-101. Security issues and countermeasures for this protocol have not been discussed in this project because it is widely used in Europe and not common in North American SCADA systems.

7.3 Future Work

The countermeasure solutions discussed, such as the secure Modbus architecture and the DNPSec implementation, are theoretical concepts and require implementation in real systems. Intensive testing of these implementations needs to be carried out to make sure that the solutions provide all the security features intended. The various authentication schemes discussed in the countermeasures, such as authentication octets and challenge-response, use a considerable amount of system resources and thereby bring down performance. Techniques that balance providing the required security against not using much of the system resources require more work. The nature of a SCADA system is that it maintains a connection between the master and the remote station for a long period; hence a tool must be developed which monitors the credentials and trust relationships that were validated at the time of connection. A model needs to be developed in which external users (utilities, enterprise network) who access the system have some kind of access control capabilities defined; this needs more research in order to prevent illicit access to the system. Since many protocols depend on time information, a protocol needs to be developed which helps the entire system follow the same absolute time. This will help in the time stamp schemes as well as in authentication.


REFERENCES

[1] Litos Strategic Communication, Smartgrid introduction. [Online] Available: http://www.oe.energy.gov/SmartGridIntroduction.htm
[2] Edward Chikuni, Department of Electrical Engineering, Polytechnic University of Namibia, Namibia, and Maxwell Dondo, Defence R&D Ottawa, 2007, Investigating the Security of Electrical Power Systems SCADA. [Online] Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4401531&tag=1
[3] Micrologic System Inc, SCADA primer. [Online] Available: http://www.micrologic-systems.com/primers/scada.htm
[4] Robert F. Dacey, Director, Information Security Issues, Oct 2003, CRITICAL INFRASTRUCTURE PROTECTION, Challenges in Securing Control Systems. [Online] Available: http://www.gao.gov/new.items/d04140t.pdf
[5] Dr. Patricia A. Ralston, Dr. James H. Graham and Dr. Sandip C. Patel, Dept. of Computer Engineering and Computer Science, University of Louisville, July 2006, Literature Review of Security and Risk Assessment of SCADA and DCS Systems. [Online] Available: http://www.cs.louisville.edu/facilities/ISLab/tech%20papers/ISRL-TR-06-01.pdf
[6] D. Kilman, J. Stamp, April 2006, Framework for SCADA Security Policy. [Online] Available: http://www.sandia.gov/scada/documents/sand_2005_1002C.pdf
[7] D. Mussington, monograph published by RAND, Santa Monica, CA, 2002, Concepts for Enhancing Critical Infrastructure Protection: Relating Y2K to CIP Research and Development. [Online] Available: http://www.rand.org/pubs/monograph_reports/2005/MR1259.pdf
[8] K. Stouffer, J. Falco, F. Proctor, Proceedings of the 2004 TAPPI Summit, Atlanta, Georgia, May 2004, The NIST Process Control Security Requirements Forum (PCSRF) and the Future of Industrial Control System Security. [Online] Available: http://www.isd.mel.nist.gov/documents/stouffer/TAPPI.pdf
[9] R. Melton, T. Fletcher, M. Earley, April 14, 2004, System Protection Profile - Industrial Control Systems (SPP-ICS). [Online] Available: http://www.isd.mel.nist.gov/projects/processcontrol/SPP-ICSv1.0.pdf
[10] Keith Stouffer, Joe Falco, Karen Scarfone, NIST, Sep 2008, Guide to Industrial Control Systems (ICS) Security. [Online] Available: http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
[11] Amanullah, International Islamic University Malaysia, A. Kalam, Victoria University of Technology, Member, IEEE, and A. Zayegh, Victoria University of Technology, Australia, Member, IEEE, 2005, Network Security Vulnerabilities in SCADA and EMS. [Online] Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1546981&tag=1
[12] Jason Stamp, John Dillinger, and William Young, Networked Systems Survivability and Assurance Department, Jennifer DePoy, Information Operations Red Team & Assessments Department, Sandia National Laboratories, Albuquerque, NM 87185-0785, 22 May 2003, Common Vulnerabilities in Critical Infrastructure Control Systems. [Online] Available: http://www.oe.netl.doe.gov/docs/prepare/vulnerabilities.pdf
[13] Riptech, January 2001, Understanding SCADA System Security Vulnerabilities. [Online] Available: http://www.omegastar.com/rca/scada/scada.html and http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf
[14] Chee-Wooi Ten, Student Member, IEEE, Manimaran Govindarasu, Member, IEEE, and Chen-Ching Liu, Fellow, IEEE, Iowa State University, 2007, Cyber security for Electric Power Control and Automation Systems. [Online] Available: http://powercyber.ece.iastate.edu/publications/SMC-conf.pdf
[15] Dale Peterson, Director, Network Security Practice, Digital Bond, Inc, Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks. [Online] Available: http://www.isa.org/filestore/Division_TechPapers/GlassCeramics/TP04AUTOW046.pdf
[16] Sandip Patel, Information Science & Systems at Morgan State University, Baltimore, Ganesh D. Bhatt, Department of Information Science & Systems at Morgan State University, James H. Graham, Electrical and Computer Engineering at the University of Louisville, July 2009, Improving the Cyber Security of SCADA Communication Networks. [Online] Available: http://portal.acm.org/citation.cfm?id=1538788.1538820
[17] Gordon Clarke, Deon Reynders, Edwin Wright, Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems, British Library Cataloguing in Publication Data, ISBN 07506 7995. [Online] Available: http://www.sensorsportal.com/HTML/BOOKSTORE/SCADA_Protocols.htm
[18] Samuel East, Jonathan Butts, Mauricio Papa and Sujeet Shenoi, A Taxonomy of Attacks on the DNP3 Protocol. [Online] Available: http://www.springerlink.com/content/k48k4733v0367120
[19] James H. Graham, Sandip C. Patel, Dept. of Computer Engineering and Computer Science, University of Louisville, September 2004, Security Considerations in SCADA Communication Protocols. [Online] Available: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.84.1152

100 [20] Munir Majdalawieh1, Francesco Parisi-Presicce, Duminda Wijesekera, DNPSec: Distributed Network Protocol Version 3 (DNP3) Security Framework. [Online] Available: http://www.acsac.org/2005/techblitz/majdalawieh.pdf [21] Grant Gilchrist, PE, FnerNex Corporation, Okotoks, 2008, Secure Authentication for DNP3. [Online] Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4596147

[22] A. B. M. Omar Faruk, KTH Electrical Engineering Master Thesis, Stockholm, Sweden, June 2008, Testing & Exploring Vulnerabilities of the Applications Implementing DNP3 Protocol.[Online] Available: http://www.kth.se/ees/omskolan/organisation/centra/ekc2/publications/modules/publications_polo poly/reports/2008/XR-EE-ICS_2008_020.pdf [23] Modbus Organization, Modbus Application Protocol Specification [Online] Available: http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf [24] Peter Huitsing, Rodrigo Chandia, Mauricio Papa, Sujeet Shenoi, Department of Computer Science, University of Tulsa, August 2008, Attack taxonomies for the Modbus protocols. [Online] Available: http://www.ee.kth.se/php/modules/publications/reports/2008/XR-EEICS_2008_020.pdf [25] Modbus Organization, MODBUS over Serial Line Specification and Implementation Guide [Online] Available: http://www.modbus-ida.org/tech.php [26] Modbus Organization, MODBUS messaging on TCP/IP implementation guide [Online] Available: http://www.modbus-ida.org/toolkit.php [27] Igor Nai Fovino, Andrea Carcano, Marcelo Masera and Alberto Trombetta, 2009, Design and implementation of a secure Modbus protocol. [Online] Avaiable: http://www.springerlink.com/content/14h764755h412m15/

[28] Nai Fovino, A. Carcano, M. Masera, Institute for the Protection and Security of the Citizen Joint Research Centre, EU Commission via E. Fermi 1, 21027 Ispra, Italy, 2009, A Secure and Survivable Architecture for SCADA Systems. [Online] Available: http://portal.acm.org/citation.cfm?id=1603817 [29] Andrew Wright, N-Dimension Solutions, Daniel Thanos, GE Digital Energy, Carl Gunter, University of Illinois, Ed Beroset, Elster, Frances Cleveland, Xanthus Consulting, William Whyte, Ntru, Gilbert Sorebo, SAIC, Matthew Carpenter, InGuardians, Chris Ewing, SEL, Stan Klein, OSECS,

101 Tim Yardley, University of Illinois, James Pace, Silver Springs Networks, Mauricio Papa, University of Tulsa, Don Berkowitz, S&C Electric Company, Bruce Barnett, GE Research, March 29, 2010, Bottom-Up Cyber Security Analysis of the Smart Grid. [30] David Heyerman, May 3, 2009, the Smart Grid Frontier: Wide Open. [Online] Available: http://tinycomb.com/2009/05/03/what-is-the-smart-grid/ [31] Ruggedcom, Typical Cyber Security Network Architecture [Online] Available: http://www.ruggedcom.com/applications/cyber-security/ [32] Tsang, P.P. and Smith, S.W., 2008, in IFIP International Federation for Information Processing, Volume 278; Proceedings of the IFIP TC 11 23rd International Information Security Conference; Sushil Jajodia, Pierangela Samarati, Stelvio Cimato; (Boston: Springer), pp. 445 459. [Online] Available: http://www.springer.com/computer/security+and+cryptology/book/978-0-387-09698-8 [33] Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies [Online] Available: http://csrp.inl.gov/Documents/Defense%20in%20Depth%20Strategies.pdf [Insert your source documentation according to your departmental style guide]. [34] Dong-joo Kang, Hongik University, Korea, Rosslin John Robles, 2Department of Multimedia Engineering, Hannam University 133 Ojeong-dong, Daeduk-gu, Daejeon, Korea, International Journal of Advanced Science and Technology, Volume 8, July, 2009 Compartmentalization of Protocols in SCADA Communication [Online] Available: http://www.sersc.org/journals/IJAST/vol8/4.pdf

You might also like