Cyber Security Considerations for Electric Power Systems

Tommy Morris, Director, Critical Infrastructure Protection Center; Assistant Professor, Electrical and Computer Engineering, Mississippi State University; [email protected]; (662) 325-3199


Page 1: Cyber Security Considerations for Electric Power Systems

Tommy Morris
Director, Critical Infrastructure Protection Center
Assistant Professor, Electrical and Computer Engineering
Mississippi State University
[email protected], (662) 325-3199

Page 2

Electronic Security Perimeter

Is this system air-gapped?

No.

But…
• it’s fiber optic.
• we own the network.
• we own the wireless network.

Page 3

Electronic Security Perimeter

Is this system air-gapped?

What is this?
• Leased line from the phone company?
• Does the utility sell bandwidth to third parties?

No.

Page 4

Common configuration

(Diagram: WWW, DMZ, Enterprise Network, Control Room, Outstation.)

Page 5

Can malware infect the control room or outstation?

(Diagram: WWW, DMZ, Enterprise Network, Control Room, Outstation.)

Yes


Page 7

What about serial? RS-232/485

Stuxnet

Page 8

Takeaways

Industrial control system networks are not commonly air-gapped.

Industrial control systems can be infected by malware.

An electronic security perimeter alone is insufficient protection.

A defense-in-depth approach is needed.

Page 9

Risk Assessment

Should consider:
• likelihood of attack
• cost of attack
• impact of attack

Compared to:
• cost of prevention
• likelihood of prevention

Page 10

ECE 8990 Smart Grid, MSU

Interruption (Denial of Service)

An asset of the system is destroyed or becomes unavailable or unusable.

Attack on availability:
• Destruction of hardware
• Cutting of a communication line
• Disabling the file management system
May not be physical destruction. May be temporary.

Page 11

DoS Prevention: Monitor and React

Monitor network traffic for DoS attacks
• Close offending ports
• Is it OK to close a network port in an ICS network?

Test devices for vulnerability
○ Protocol mutation (fuzzing)
○ Known attacks
○ Floods

Share results (ethically)
Force vendor to patch

Page 12

Interception

An unauthorized party gains access to an asset.

Attack on confidentiality:
• Wiretapping to capture data in a network
• Intercepting a password -> bad
• Intercepting a password file -> worse
• Intercepting ICS data from an RTU. Is that bad?

Page 13

Page 14

Modification

An unauthorized party not only gains access but tampers with an asset.

Attack on integrity:
• Change values in a data file
• Alter a program to make it perform differently
• Modify content of messages transmitted on a network
• Man-in-the-middle (MITM)

Page 15

Modification

Modification in ICS -> very bad.

Feedback control uses
○ sensors to monitor the physical process
○ controllers to control the physical process.

Modifying the measured output, measured error, system input, or reference affects the system output.

Page 16

Modification

Need to defend the sensor.
Need to defend the device which measures error.
Need to defend the controller.
Need to defend the communication network.

Page 17

Page 18

Fabrication

An unauthorized party inserts counterfeit objects into the system.

Attack on authenticity:
• Insertion of spurious messages in a network
• Addition of records to a file
• ICS – insertion of spurious/unwanted/unauthorized control
• ICS – adding data to a historian

Page 19

Page 20

ICS Example

(Diagram: three Phasor Measurement Units (PMUs) and a GPS Clock, a Phasor Data Concentrator (PDC), a Network Appliance and an Energy Management System, connected over the Network. Feedback-loop annotations on the diagram: Sensor, reference; Error measurement, Controller; Network.)

Page 21

RESEARCH AT MSU

Page 22

Network Intrusion Detection for Industrial Control Systems

Physical
• Wireless IDS
• Not much at this level

Network, Transport
• Detect well-known attacks
  ○ Teardrop, LAND, port scanning, Ping
• Common protocol rules
  ○ TCP, IP, UDP, ICMP

Application Layer
• Detect protocol mutations
• Detect protocol-specific DoS attacks
• Model-based IDS to detect system-level attacks
  ○ measurement injection
  ○ command injection
  ○ system state steering

(Diagram: layer stack Physical, Data Link, Network, Transport, Application.)

Most of our work is here.
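An added simulation, not code from the talk or from the MSU research, of the point on pages 15 and 16 (tampering with the measured output steers the system output) and of the model-based measurement-injection detection listed on page 22. It runs a PI loop on an assumed first-order plant, adds an offset to the reported sensor value part-way through, and has an observer re-compute the expected measurement from the commands it sees; plant model, gains, offset and threshold are assumed values.

```python
# Constructed example: discrete first-order process under PI control, plus a
# model-based check that compares the reported measurement with the value the
# plant model predicts from the command history. All constants are assumed.

def simulate(steps=100, reference=10.0, inject_at=None, offset=5.0,
             threshold=0.5):
    """Run the loop; from step `inject_at` on, add `offset` to the reported
    sensor value (a measurement-injection / modification attack).

    Returns the final true process output, the final reported value and the
    steps at which the model-based check raised an alert."""
    a, b = 0.8, 0.2          # plant: x[k+1] = a*x[k] + b*u[k]  (assumed model)
    kp, ki = 0.5, 0.2        # PI controller gains (assumed)
    x = 0.0                  # true process output (the physical quantity)
    x_hat = 0.0              # observer's model-based estimate of x
    integral = 0.0
    alerts = []
    reported = x
    for k in range(steps):
        # sensor reading as seen by the controller; tampered after inject_at
        reported = x + (offset if inject_at is not None and k >= inject_at else 0.0)
        # model-based IDS: the reported value must agree with what the model
        # predicts from the commands already sent; a residual above the
        # threshold is an alert at this step
        if abs(reported - x_hat) > threshold:
            alerts.append(k)
        error = reference - reported        # measured error (page 15)
        integral += error
        u = kp * error + ki * integral      # system input sent to the plant
        x = a * x + b * u                   # the physical process evolves
        x_hat = a * x_hat + b * u           # observer sees the same command
    return {"true_output": x, "reported": reported, "alerts": alerts}


def clean_run():
    """No tampering: output settles at the reference, no alerts."""
    return simulate()


def attacked_run():
    """Offset injected from step 50: the controller drives the *reported*
    value to the reference, so the true output settles 5 units below it."""
    return simulate(inject_at=50)
```

The observer assumes it sees the genuine command sent to the plant; if the command, the controller or the network link is tampered with as well, the residual check is blinded, which is why page 16 calls for defending all four elements rather than the sensor alone.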

Page 23

IDS Framework for Synchrophasor Systems

Synchrophasor systems are being installed across the country by utilities with ARRA grants
• Improved electric grid visibility
  ○ Detect disturbances sooner
• Wide area protection
  ○ React to disturbances quickly to limit outages

IEEE C37.118 – Synchrophasor Network Protocol

Need to develop Snort rules to
• Protect against IEEE C37.118 protocol mutation type attacks
• Detect reconnaissance, DoS, command injection, and measurement injection attacks

Read Sprabery has identified approximately 36 rules and is writing and testing them now.

Page 24

IDS framework for MODBUS

Reviewed the MODBUS specification and developed a fuzzing framework.

Using the fuzzing framework to guide rule development.
○ Rules for specific frame types
○ Function codes in frames define payload contents
○ Rules based upon relationships between frames
  • query and response must match
○ Response special cases – exception frames
  • match defined exceptions to query function code and error types

50 rules in development

(Diagram: Snort IDS Framework attached to the ICS network.)
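As an added illustration of the "query and response must match" and exception-frame rules above (not code from the MSU framework or the talk): a small stateful checker over constructed MODBUS/TCP frames. The MBAP header layout and the list of defined exception codes come from the MODBUS specification; the sample frames, function names and alert strings are constructed here.

```python
import struct
# Exception codes defined by the MODBUS application protocol (01-06, 08, 0A, 0B).
DEFINED_EXCEPTIONS = {1, 2, 3, 4, 5, 6, 8, 10, 11}
def parse_frame(raw):
    # MBAP header: transaction id, protocol id (0), length, unit id; then the PDU
    if len(raw) < 8:
        raise ValueError("truncated frame")
    tid, pid, length, unit = struct.unpack(">HHHB", raw[:7])
    if pid != 0 or length != len(raw) - 6:
        raise ValueError("bad protocol id or MBAP length")
    return {"tid": tid, "unit": unit, "fc": raw[7], "data": raw[8:]}

class QueryResponseMatcher:
    # Pairs each response with the outstanding query of the same transaction id
    # and checks it against that query (the 'relationships between frames' rules).
    def __init__(self):
        self.pending = {}           # transaction id -> parsed query
    def on_query(self, raw):
        q = parse_frame(raw)
        self.pending[q["tid"]] = q
    def on_response(self, raw):
        r = parse_frame(raw)
        q = self.pending.pop(r["tid"], None)
        if q is None:
            return ["response with no outstanding query (tid=%d)" % r["tid"]]
        alerts = []
        if r["fc"] == q["fc"] | 0x80:          # exception frame for this query
            code = r["data"][0] if r["data"] else None
            if code not in DEFINED_EXCEPTIONS:
                alerts.append("undefined exception code %r" % code)
        elif r["fc"] != q["fc"]:
            alerts.append("function code differs from query")
        elif q["fc"] in (3, 4):                # read holding / input registers
            quantity = struct.unpack(">H", q["data"][2:4])[0]
            if len(r["data"]) != 1 + 2 * quantity or r["data"][0] != 2 * quantity:
                alerts.append("byte count does not match requested quantity")
        return alerts

# Constructed traffic: read-holding-registers queries (fc 3, 2 registers) with a
# correct reply, an undefined exception code, an orphan reply, and a short reply.
SAMPLE = [("Q", "000100000006010300000002"), ("R", "000100000007010304000a0014"),
          ("Q", "000200000006010300000002"), ("R", "000200000003018309"),
          ("R", "000700000003018302"),
          ("Q", "000300000006010300000002"), ("R", "000300000005010302000a")]
def run_sample():
    m, results = QueryResponseMatcher(), []
    for kind, hexframe in SAMPLE:
        if kind == "Q":
            m.on_query(bytes.fromhex(hexframe))
        else:
            results.append(m.on_response(bytes.fromhex(hexframe)))
    return results
```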

Page 25

Example Attack: Wireless Link

1. Radio Discovery < 24 hrs.
2. Infiltration < 30 days
3. Data Injection or Denial of Service Attack
4. Broken Feedback Control Loop

Page 26

SNORT Intrusion Detection for Industrial Control Systems

(Diagram: MTU, RTU with control logic, pipeline with pump and relief, and Snort on a network tap.)
Set point and configuration values: System Mode, Control Scheme, Pump Override, Relief Override, PID Setpoint, PID Gain, PID Reset, PID Rate, PID DB, PID CT
Output values: Pump State, Relief State, Pressure

• Detect Attacks
  • Command Injection
  • Measurement Injection
  • Reconnaissance
  • Denial of Service

Page 27

Cybersecurity Testing and Risk Assessment for Industrial Control Systems

(Diagram of the test bed, labels as shown: PMU, ABC, PDC, AB, Substation, Router, MU-4000, PC, RTDS, Bus, Historian.)

Page 28

Cybersecurity Testing and Risk Assessment for Industrial Control Systems

Denial of Service
• Known attacks
• High volume traffic
• Protocol mutation

Device Security Assessment
• Security features
• Standards conformance
• Port scan
• Vulnerability scan

Confidentiality, Integrity
• Password confidentiality
• Password storage
• Man-in-the-middle

• Many vulnerabilities identified and communicated to vendor and project partner.
• All addressed
  • Firmware fixes
  • New security features
  • System architecture changes

Page 29

CIPC Lab Growth

Continue to add systems.
Currently designing SCADA lab upgrades to increase diversity and complexity.

Needs
• RTDS Expansion
• Achilles Satellite Security Analyzer

Page 30

Center for Computer Security Research

National Forensics Training Center

Critical Infrastructure Protection Center

Cyber Security Education

Information and Computing Security

Computer Crime and Forensics

Network Security and Cryptography

Industrial Control System Security

Advanced Network Security

Advanced Digital Forensics

Trustworthy Computing

Internet Security Protocols

Scholarship Programs

NSF Scholarship for Service

DOD Information Assurance Scholarship

National Center of Academic Excellence in Information Assurance Education

National Center of Academic Excellence in Research

Page 31

Research Partners

Page 32

Identify vulnerabilities, implement attacks, investigate impact on physical systems.

Develop security solutions: system protection, intrusion detection, attack resilience.

Train engineers and scientists for control systems security careers.

(Diagram: Cyber Security, Industrial Control Systems, Critical Infrastructure Protection Center.)

Page 33

Tommy Morris, Asst. Prof.: Director, CIPC; Industrial Control System Security

Ray Vaughn, V.P. Research, Giles Distinguished Professor: Software Engineering and Computer Security

Dave Dampier, Professor: Director, CCSR; Computer Forensics

Mahalingam Ramkumar, Assoc. Prof.: Trustworthy Computing

Yogi Dandass, Assoc. Prof.: Rootkit and Hypervisor Detection

Wesley McGrew, Research Associate: Human Machine Interface Security, Software Vulnerability and Exploitation

Page 34

Read Sprabery, BS CPE
Jeff Hsu, BS EE
Uttam Adhikari, PhD ECE
Wei Gao, PhD ECE
Shengyi Pan, PhD ECE
David Mudd, MS ECE
Quintin Grice, MS ECE
Joseph Johnson, BS EE
Lalita Neti, MS ECE
Robert Gosselin, BS EE

Page 35

Thank you!