2013 Ninth International Conference on Intelligent Information Hiding and Multimedia Signal Processing

The Design of ICS Testbed Based on Emulation, Physical, and Simulation (EPS-ICS Testbed)

Haihui Gao, Yong Peng, Zhonghua Dai, Ting Wang
Technical Assessment Research Lab, CNITSEC
Beijing, China
e-mail: gaohh@itsec.gov.cn

Kebin Jia
College of Electronic Information and Control Engineering, Beijing University of Technology
Beijing, China
e-mail: kebinj@bjut.edu.cn

978-0-7695-5120-3/13 $26.00 2013 IEEE
DOI 10.1109/IIH-MSP.2013.111

Abstract: This paper begins with a discussion of the role and value of an industrial control system (ICS) testbed, which provides a universal, controllable, realistic, and repeatable experimental platform for SCADA control system cybersecurity research. Following the ICS layered architecture, an ICS testbed based on emulation, physical devices, and simulation (EPS-ICS Testbed) is designed and implemented. The EPS-ICS Testbed lets experimenters create experiments with varying levels of fidelity and can be used for vulnerability discovery, comprehensive security training, the development of security standards, and the development of control system architectures and technologies that are more secure and robust.

Keywords: Industrial Control System (ICS); Network Testbed; Cyberspace Security; Supervisory Control And Data Acquisition (SCADA); Cyber-physical system

I. INTRODUCTION

Industrial control systems (ICS) are widely used in sectors such as electricity, petroleum and petrochemicals, aviation, railways, and water treatment, and they have become the brain and backbone of these national critical infrastructures [1]. Because of increased connectivity to the Internet and to corporate networks, ICS are no longer immune to cyber attacks. The Stuxnet worm incident of 2010 further sounded the alarm about the seriousness and reality of ICS cybersecurity threats [1][2].

In order to better understand how to protect ICS [3-5], it is important to conduct cybersecurity research that identifies and mitigates existing vulnerabilities. However, security testing and evaluation on real, deployed ICS is limited, because those systems provide always-on services and a failed test can damage them. A key problem in the research and development of ICS security solutions is therefore the lack of a proper experimental platform on which to evaluate ICS security [2]. Building ICS testbeds has become an urgent need.

This paper discusses and designs the EPS-ICS Testbed. It combines emulation, physical devices, and simulation to provide configurable fidelity: physical devices are used only for the core research components, and the other components are emulated or simulated. This greatly reduces the cost of building a full model of an ICS, avoids the low fidelity of a purely simulated testbed, and reconciles research purposes with construction costs.

The architecture of ICS is described in Section II. In Section III, we compare the different construction techniques for ICS testbeds. In Section IV, we present the architecture and main components of our EPS-ICS Testbed. The experimental results and conclusions are given in the last section.

II. COMMON ICS ARCHITECTURES

According to the ANSI/ISA-99 reference model, the common ICS architecture is shown in Fig. 1 [6][7].

Figure 1. ICS Reference Model

A. Level 3 Corporate Network

This level belongs to the traditional IT category; it generally hosts services such as FTP, web sites, mail servers, ERP systems, and OA (office automation) systems. It is described as Business Planning and Logistics in the ANSI/ISA-95 standards and is defined as including the functions involved in the business-related activities needed to manage a manufacturing organization.

B. Level 2 Supervisory Control LAN

This level includes the functions involved in monitoring and controlling the physical process; it generally hosts HMIs, engineering workstations, and historians.

C. Level 1 Control Network

This level includes the functions involved in sensing and manipulating the physical process. Process control equipment at this level is broadly similar: it reads data from sensors, executes a control algorithm, and sends an output to a final element (e.g., control valves or damper drives). Level 1 equipment includes, but is not limited to, DCS controllers, PLCs, and RTUs.

D. Level 0 I/O Network

Level 0 is the actual physical process. It includes the sensors, actuators, and the controlled process/controlled object directly connected to the process and process equipment.

III. CONSTRUCTION METHODOLOGY OF THE ICS TESTBED

According to the construction methodology used, ICS testbeds fall into the following three categories.

A. The physical testbed constructed by replication methodology

Such a testbed is a copy of the real system, built from the same physical devices and information systems; an example is the DOE-OE Control Systems Security National SCADA Testbed (NSTB) [9]. An ICS testbed identical to the real system obviously has the highest fidelity, but it is cost prohibitive.

B. The software (virtual) testbed constructed by modeling methodology

Unlike the physical testbed built by replication, the software testbed is constructed by modeling instead of using physical devices and information systems. There is a diverse body of literature on modeling ICS processes with the Matlab, Modelica, and Ptolemy simulation tools, combined with simulated network models built in ns-2, OMNeT++, and SSFNet [10-16]. Because they use virtual devices, these approaches have low fidelity. For cybersecurity testing and evaluation of ICS, model-based experiments offer a richer class of scenarios; however, software models of the devices and systems are typically not available or, if available, lack the features needed for cybersecurity analysis.

C. The hybrid testbed constructed by both replication and modeling methodology

A hybrid testbed integrates the replication and modeling methodologies. It reconciles the research mission with construction costs, and it is an effective way to create an ICS security experimentation platform. Our EPS-ICS Testbed and the LVC testbed [17] of Urias et al. both belong to this category.

The characteristics of the three kinds of methodology are shown in Table I.

TABLE I. THE CHARACTERISTICS OF METHODOLOGY

Methodology                                                                   Fidelity  Cost  Time
The software (virtual) testbed constructed by modeling methodology            low       low   low
The hybrid testbed constructed by both replication and modeling methodology   (cells not recovered from the extracted page)
The physical testbed constructed by replication methodology                   high      high  high

IV. THE DESIGN AND IMPLEMENTATION OF EPS-ICS TESTBED

The EPS-ICS Testbed framework is shown in Fig. 2 and has three main components: a network testbed, physical devices, and Matlab/Simulink. Our methodology enables the creation of an ICS from emulated, physical, and simulated components within a single EPS-ICS Testbed.

Figure 2. The framework of EPS-ICS Testbed

Using the ICS reference model of Fig. 1, levels 3 and 2 of the ICS layered architecture are built by emulation with our network testbed, which is similar to Emulab [18]. Level 1 is built by replication with physical devices. Level 0 is built from a mathematical model of the controlled process in Matlab/Simulink, for example a first-order model

dx/dt = ax + bu

A. EMULATED

Network testbeds such as Emulab, DETERlab, and PlanetLab give researchers a wide range of environments in which to develop, debug, and evaluate their systems [19]. We designed a network testbed for emulating the corporate network (level 3) and the supervisory control LAN (level 2). Our network testbed allows the experimenter to specify an arbitrary network topology, giving a controllable, predictable, and repeatable environment, including PC nodes on which the experimenter has full "root" access and runs an operating system of their choice.

B. PHYSICAL

The control network (level 1) is the core layer of the ICS reference model. Level 1 equipment includes DCS controllers, PLCs, RTUs, and the industrial Ethernet protocols they speak, which are the focus of information security research. Therefore we build the control network from physical devices in order to achieve high fidelity and meet the research missions.

C. SIMULATED

The I/O network (level 0) is the actual physical process. Level 0 includes the sensors, actuators, and the controlled process (steam boiler, water tank, heat exchanger, etc.). We use Matlab/Simulink to design a variety of mathematical models of controlled processes for the I/O network.

A mathematical model of a controlled process is the functional relationship between the inputs and outputs of the production process, as in Equation (1):

y(t) = F(u(t), f(t))    (1)

where u(t) are the control variables, f(t) are the disturbance variables, and y(t) are the controlled variables. The controlled variables are also known as the output variables, such as temperature, pressure, flow, and level. The control variables are also known as the input variables. When there are multiple input variables, one or several are selected as control variables and the remaining input variables are treated as disturbance variables.

D. INTERFACE

Using the EPS-ICS Testbed to build an ICS allows the experimenter to replicate the interactions between ICS components. Components such as the corporate network and the controllers can be implemented as simulated, emulated, or physical components through the interfaces discussed in this section.

The core function of the interface between the network testbed and the physical devices is IP routing; it may be a router or a layer 3 switch.

As shown in Fig. 3, the interface between the physical devices and Matlab/Simulink is implemented mainly by PCI modules, which exchange data between the Matlab/Simulink model and the external controller.

Figure 3. The interfaces between physical devices and Matlab/Simulink

V. EXPERIMENTAL RESULT AND CONCLUSION

When the EPS-ICS Testbed goes on-line, the experimental results are as shown in Fig. 4.

Figure 4. The experimental results of EPS-ICS Testbed. (a) Network testbed. (b) Physical devices and the mathematical models of controlled process.

The HMI hosts and engineer hosts in Fig. 4(a) belong to the supervisory control LAN (level 2) and the web servers belong to the corporate network (level 3). The physical devices in Fig. 4(b) belong to the control network (level 1), and the mathematical models of controlled processes in Fig. 4(b) belong to the I/O network (level 0).

In this paper we have developed a hybrid ICS testbed comprising emulated, physical, and simulated components (the EPS-ICS Testbed). It enables higher-fidelity representations of key computing applications and network devices while still leveraging the scalability and cost advantages of simulation tools.

The EPS-ICS Testbed provides an experimental platform to assess cyber-attack scenarios at varying levels of fidelity, examine the effects of zero-day attacks, explore SCADA-specific protocols, applications, and devices, and examine the effects of patched and unpatched systems.
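The level-0 process model of subsection C and the PCI-module interface of subsection D, closed through a level-1 controller, as an added example that is not the paper's code: a simulated first-order process dx/dt = ax + bu + f stands in for the Matlab/Simulink side, a discrete PI regulator stands in for the physical controller, and an AnalogInterface class models the I/O module between them (engineering range to 0-10 V, converter quantisation, clipping). The process and the controller touch only through that interface, so either side could be swapped for a physical device reading the same voltages. All names, parameter values (a = -0.1, b = 0.5, the PI gains, 16-bit converters, a 5 m setpoint) and the leak disturbance injected at t = 50 s are assumptions chosen for illustration.

```python
"""Added example, not the paper's code: a miniature EPS-ICS-style loop.

Level 0 (simulated): first-order controlled process dx/dt = a*x + b*u + f,
whose output y(t) = F(u(t), f(t)) is the tank level.
Level 1 (stands in for the physical controller): a discrete PI regulator.
Interface: a model of the PCI analog I/O module between the Simulink side and
the controller side, with 0-10 V scaling and ADC/DAC quantisation.
All parameter values, names and the disturbance profile are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Process:
    """Level-0 model dx/dt = a*x + b*u + f, integrated with explicit Euler."""
    a: float = -0.1   # assumed: outflow proportional to level (self-regulating tank)
    b: float = 0.5    # assumed: level change per unit of controller output
    x: float = 0.0    # level in metres, starts empty

    def step(self, u: float, f: float, dt: float) -> float:
        """Advance one sample; f is the disturbance variable (e.g. a leak)."""
        self.x += dt * (self.a * self.x + self.b * u + f)
        return self.x  # y(t): the controlled variable


@dataclass
class AnalogInterface:
    """Stand-in for the PCI module: engineering range -> 0-10 V -> n-bit code.

    Values outside the range are clipped, as a real DAC/ADC would clip them,
    so the controller sees exactly what a physical I/O channel would carry.
    """
    lo: float
    hi: float
    bits: int = 16    # assumed converter resolution

    def to_volts(self, value: float) -> float:
        frac = (value - self.lo) / (self.hi - self.lo)
        frac = min(max(frac, 0.0), 1.0)
        codes = (1 << self.bits) - 1
        return round(frac * codes) / codes * 10.0

    def from_volts(self, volts: float) -> float:
        return self.lo + volts / 10.0 * (self.hi - self.lo)


@dataclass
class PIController:
    """Level-1 stand-in: discrete PI regulator with a clamped output."""
    kp: float
    ki: float
    setpoint: float
    u_min: float = 0.0
    u_max: float = 10.0
    integral: float = 0.0

    def step(self, y: float, dt: float) -> float:
        err = self.setpoint - y
        self.integral += err * dt
        u = self.kp * err + self.ki * self.integral
        return min(max(u, self.u_min), self.u_max)


def run_experiment(t_end: float = 100.0, dt: float = 0.1,
                   t_leak: float = 50.0, leak: float = -0.2) -> dict:
    """Close the loop through the interface and inject f(t) = leak from t_leak.

    Returns the true final level, the final controller output and the largest
    setpoint deviation seen after the disturbance, so the effect of f(t) on
    y(t) can be measured the way an experimenter would on the real testbed.
    """
    proc = Process()
    ctl = PIController(kp=2.0, ki=0.5, setpoint=5.0)   # assumed gains, 5 m setpoint
    level_ai = AnalogInterface(lo=0.0, hi=10.0)         # level 0 -> controller
    cmd_ao = AnalogInterface(lo=0.0, hi=10.0)           # controller -> level 0
    u, worst = 0.0, 0.0
    for k in range(int(round(t_end / dt))):
        t = k * dt
        f = leak if t >= t_leak else 0.0
        y = proc.step(u, f, dt)
        y_seen = level_ai.from_volts(level_ai.to_volts(y))     # what the PLC reads
        u = cmd_ao.from_volts(cmd_ao.to_volts(ctl.step(y_seen, dt)))
        if t >= t_leak:
            worst = max(worst, abs(ctl.setpoint - y))
    return {"y_final": proc.x, "u_final": u, "max_dev_after_leak": worst}


if __name__ == "__main__":
    print(run_experiment())
```

With the assumed values the loop settles at the 5 m setpoint, the leak at t = 50 s pulls the level down by roughly 0.14 m for a few seconds before the integral action restores it, and the controller output ends near 1.4 instead of 1.0, which is the extra inflow the leak costs. The deviation figure is the kind of quantity an experimenter would compare between the simulated level 0 used here and a physical plant, which is the fidelity trade-off the hybrid design is built around.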

Our EPS-ICS Testbed also provides a rich training environment in which to learn and test how to respond to potential cyber attacks.

Future work on this research is to design a variety of attack scenarios and to carry out security assessment demonstration experiments.

REFERENCES

[1] Yong Peng, Changqing Jiang, Feng Xie, et al. Study on the research progress of industrial control system cybersecurity. Journal of Tsinghua University, 2012, 52(10): 1396-1408.
[2] Carlos Queiroz, Abdun Mahmood, Jiankun Hu, et al. Building a SCADA Security Testbed. NSS - Network and System Security, 2009: 357-364.
[3] A. Bessani, et al. The Crutial Way of Critical Infrastructure Protection. IEEE Security & Privacy, 2008, 6(6): 44-51.
[4] M. Brundle and M. Naedele. Security for Process Control Systems: An Overview. IEEE Security & Privacy, 2008, 6(6): 24-29.
[5] D. Dzung, et al. Security for industrial communication systems. Proceedings of the IEEE, 2005, 93(6): 1152-1177.
[6] Moses D. Schwartz, John Mulder, Jason Trent, et al. Control System Devices: Architectures and Supply Channels Overview. Sandia Report SAND2010-5183, 2010.8: 11-12.
[7] ISA. ANSI/ISA-99.00.01-2007, Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models. International Society for Automation, 2007.10.
[8] Brian P. Smith, E. John Stewart, Ron Halbgewachs, et al. Cyber security interoperability - The Lemnos project. 53rd ISA POWID Symposium, 2010, 483: 50-59.
[9] National SCADA Test Bed. http://www.oe.energy.gov/nstb.htm
[10] Alefiya Hussain and Saurabh Amin. NCS Security Experimentation using DETER. Proceedings of the 1st ACM International Conference on High Confidence Networked Systems (HiCoNS'12), 2012: 73-79.
[11] A. Varga. The OMNeT++ discrete event simulation system. Proceedings of the European Simulation Multiconference (ESM 2001), Prague, Czech Republic: The European Multidisciplinary Society for Modelling and Simulation Technology (EUROSIS), 2001: 319-324.
[12] The LEGO Group. Lego Mindstorms NXT [Z/OL]. (2012-07-03), http://mindstorms.lego.com.
[13] D. C. Bergman. Power grid simulation, evaluation, and test framework. Master's thesis, University of Illinois at Urbana-Champaign, Urbana, Illinois, May 2010.
[14] C. Davis, J. Tate, H. Okhravi, et al. SCADA Cyber Security Testbed Development. 38th North American Power Symposium (NAPS 2006), USA: IEEE Press, 2006: 483-488.
[15] A. T. Al-Hammouri, M. S. Branicky, and V. Liberatore. Co-simulation tools for networked control systems. Proceedings of the 11th International Workshop on Hybrid Systems: Computation and Control (HSCC 08), pages 16-29, Berlin, Heidelberg, 2008. Springer-Verlag.
[16] Alefiya Hussain and Saurabh Amin. NCS Security Experimentation using DETER. Proceedings of the 1st International Conference on High Confidence Networked Systems, 2012: 73-80.
[17] Vincent Urias, Brian Van Leeuwen, and Bryan Richardson. Supervisory Command and Data Acquisition (SCADA) system Cyber Security Analysis using a Live, Virtual, and Constructive (LVC) Testbed. 2012 IEEE Military Communications Conference (MILCOM), 2012.11.
[18] B. White, J. Lepreau, L. Stoller, R. Ricci, S. Guruprasad, M. Newbold, M. Hibler, C. Barb, and A. Joglekar. An Integrated Experimental Environment for Distributed Systems and Networks. Proc. of the 5th Symp. on Operating Systems Design and Implementation (OSDI), pages 255-270, Boston, MA, Dec. 2002.
[19] http://www.emulab.net
