electronic security perimeter is this system air-gapped? no. but… it’s fiber optic. we own the...

Tommy Morris, Director, Critical Infrastructure Protection Center; Assistant Professor, Electrical and Computer Engineering, Mississippi State University; [email protected]; (662)325-3199

Post on 27-Dec-2015


Page 1: Electronic Security Perimeter Is this system air-gapped? No. But… it’s fiber optic. we own the network. we own the wireless network

Tommy Morris, Director, Critical Infrastructure Protection Center; Assistant Professor, Electrical and Computer Engineering, Mississippi State University

[email protected], (662)325-3199

Page 2: Electronic Security Perimeter

Is this system air-gapped?

No.

But…
•it’s fiber optic.
•we own the network.
•we own the wireless network.

Page 3: Electronic Security Perimeter

Is this system air gapped?

What is this?
•Leased line from phone company?
•Does the utility sell BW to 3rd parties?

No.

Page 4: Common configuration

[Network diagram; labels: DMZ, Enterprise Network, Control Room, Outstation, WWW]

Page 5: Can malware infect the control room or outstation?

[Same network diagram; labels: DMZ, Enterprise Network, Control Room, Outstation, WWW]

Yes


Page 7: What about serial? RS-232/485

Stuxnet

Page 8: Takeaways

•Industrial control system networks are not commonly air gapped, though the control system engineers may think they are.
•Industrial control systems can be infected by malware.
•An electronic security perimeter alone is insufficient.
•A defense in depth approach is needed.

Page 9: Network Intrusion Detection for Industrial Control Systems

Physical
•Wireless IDS
•Not much at this level

Network, Transport
•Detect well known attacks
○ Tear drop, LAND, port scanning, Ping
•Common protocol rules
○ TCP, IP, UDP, ICMP

Application Layer
•Detect protocol mutations
•Detect protocol specific DOS attacks
•Model Based IDS to detect system level attacks
○ measurement injection
○ command injection
○ system state steering

[Figure: layer stack Physical, Data Link, Network, Transport, Application]

Page 10: [Diagram; labels: Relay, Relay, CT, CT, Transmission Line, Network, Router, Short circuit, Relay tripped]

Page 11: Causal Network Graphs for Intrusion Detection

•Map power system scenarios to a graph with nodes representing a set of time ordered measurable events
•Multiple existing sources of data
•Unique path through graph for each scenario
•Classify events real time

Page 12: Causal Network Graphs for Intrusion Detection – Case Study

Power system events
•Over current fault – high current -> open breaker
•Remote trip – operator remotely opens breaker for maintenance
•Local trip at face plate – technician trips relay at the face plate

Cyber events – threats
•command injection attack to remotely trip the relay
•man-in-the-middle (MITM) attack on synchrophasor system (I=0)
•man-in-the-middle (MITM) attack on synchrophasor system (I>Itrip)

Page 13: Measurable Events

•Relay: breaker status
•Energy Management System (EMS): command from EMS to remote trip
•Synchrophasor system measurements: current measurements (60 samples per second)
•Snort network signatures: detect network message to trip the relay

Page 14: Bayesian Network Graph -> Causal Event Graph

[Graph figure; nodes: PMU@T1, Relay, PMU@T2, Snort, EMS. Node states: PMU current IH / IN / I0, Snort alert Sn, remote trip command RT, Breaker open / Breaker closed. Leaf scenarios: fault, command injection, remote trip, MITM IPMU>ITrip]

Page 15: Causal Event Graph Signatures

Read left to right along the time axis: PMU current at T1 together with the Snort alert (Sn) and remote trip command (RT), then breaker status, then PMU current at T2.

1) Fault: IH, Sn, RT -> Breaker open -> I0
2) Command Injection: IN, Sn, RT -> Breaker open -> I0
3) Scheduled Trip: IN, Sn, RT -> Breaker open -> I0
4) MITM Attack I=0: I0, Sn, RT -> Breaker closed -> I0
5) MITM Attack I>ITrip: IH, Sn, RT -> Breaker closed -> IH
6) Local Trip: IN, Sn, RT -> Breaker open -> I0

[Figure; which of Sn and RT is present in each signature is shown graphically on the slide and is not preserved in the text]

Hand mapped the signatures to a custom intrusion detection program.
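The signature matching described on this slide, as an added Python example that is not from the presentation: the six signatures are loaded into a trie-shaped causal event graph and an observed sequence of measurable events is walked through it. Which of Sn (Snort alert) and RT (EMS remote trip command) is present in each scenario, and the current thresholds, are assumptions, since the transcript does not preserve them.

```python
# Added example: walk a causal event graph built from the six slide signatures.
I_TRIP = 2000.0   # assumed relay pickup current in amps (constructed threshold)
I_ZERO = 5.0      # assumed: below this the line is treated as de-energised


def current_symbol(amps: float) -> str:
    """Map a PMU current magnitude to the graph's symbols: I0, IN (normal) or IH (high)."""
    if amps < I_ZERO:
        return "I0"
    return "IH" if amps > I_TRIP else "IN"


# Each path is the time-ordered tuple
# (current @T1, Snort trip-message alert, EMS remote-trip command, breaker status, current @T2).
# The Sn/RT presence per scenario is an assumption: a command injection is a trip message that
# Snort sees but the EMS never issued; a scheduled trip has both; a local trip has neither.
SIGNATURES = {
    ("IH", False, False, "open",   "I0"): "fault",
    ("IN", True,  False, "open",   "I0"): "command injection",
    ("IN", True,  True,  "open",   "I0"): "scheduled remote trip",
    ("I0", False, False, "closed", "I0"): "MITM attack I=0",
    ("IH", False, False, "closed", "IH"): "MITM attack I>Itrip",
    ("IN", False, False, "open",   "I0"): "local trip",
}


def build_graph(signatures):
    """Build a trie: one level per measurable event, leaf carries the scenario label."""
    root = {}
    for path, label in signatures.items():
        node = root
        for event in path:
            node = node.setdefault(event, {})
        node["_label"] = label
    return root


GRAPH = build_graph(SIGNATURES)


def classify(i_t1, snort_alert, ems_remote_trip, breaker, i_t2) -> str:
    """Follow the observed events through the graph; a dead end means no known scenario."""
    node = GRAPH
    events = (current_symbol(i_t1), snort_alert, ems_remote_trip, breaker, current_symbol(i_t2))
    for event in events:
        node = node.get(event)
        if node is None:
            return "unknown"
    return node.get("_label", "unknown")
```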

Page 16: Laboratory Validation – proof of concept

[Test bed diagram; labels: B1, B2, R1, R2, G1, BR1, BR2, L, L1. Inputs to the Attack Detection Program: EMS logs, Snort, Relay logs, Synchrophasor Measurements]

•RTDS Simulation
•Implemented each scenario
•Data loggers to capture measurements
•Offline intrusion detection program
•Successful classification of all scenarios

Page 17: Future Work

Causal Event Graphs
•Scale to more realistic systems
○ Breaker and half
○ Relay coordination
○ Expanded relaying scheme support

Real time IDS
•Move from Boolean to probabilistic IDS
•Automate graph to IDS signatures
•Measure accuracy and computational cost

Page 18: [Synchrophasor system diagram; labels: EMS, PDC, Historian, Eng’g Analysis, PMU (several), PDC (several), Transmission Line, Network]

*not shown (the 3 circuits above are part of an interconnection).

Page 19: Synchrophasor System Equipment

Phasor Measurement Unit (PMU)
•Synchronized phasor measurements
•1 µs synchronization, IEEE 1588, GPS
•3-phase voltage phasors, current phasor

Phasor Data Concentrator (PDC)
•Concentrate PMU streams
•Detect missing data
•Interpolate for missing data

IEEE C37.118 -> IEC 61850 90-5

Page 20: Snort Rules for Synchrophasor Systems

•Synchrophasor systems being installed across country by utilities with ARRA grants
•Improved electric grid visibility
○ Detect disturbances sooner
•Wide area protection
○ React to disturbances quickly to limit outage
•IEEE C37.118 – Synchrophasor Network Protocol
•Need to develop Snort rules to
○ Protect against IEEE C37.118 protocol mutation type attacks
○ Detect reconnaissance, DOS, command injection, and measurement injection attacks

Page 21: Snort Rules for Synchrophasor Systems – Protocol Mutation

Rule | Name | Type | Check
2 | Frame Type Check | Stand-alone | SYNC[0]{6:4} != (0, 1, 2, 3, 4)
10 | Polar Range | Multi-packet | ConfigFrame: (FORMAT[0]{1} == 0 && FORMAT[0]{0} == 1) && DataFrame: (PHASORS[0:1] (Polar angle) > 31,416) || (PHASORS[0:1] (Polar angle) < -31,416)
11 | Data Framesize check | Multi-packet | EXPECTED FRAMESIZE != ACTUAL FRAMESIZE

Rule 2: simple check – is this a legal frame?

Rule 10: does the polar range in the data frame match the description in the configuration frame?

Rule 11: does the frame size match the frame size calculated from examining the configuration frame?
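The three checks above, as an added Python example (not the presentation's Snort rules): it parses the IEEE C37.118 header of a constructed data frame and applies the frame type, polar angle range and framesize checks. The configuration frame's FORMAT bits are passed in as flags rather than parsed from a configuration frame; the frame builder, rule names and sample values are constructed for the example.

```python
# Added example: IEEE C37.118 protocol mutation checks modelled on slide rules 2, 10 and 11.
import struct

LEGAL_FRAME_TYPES = {0, 1, 2, 3, 4}  # SYNC bits 6:4: data, header, config-1, config-2, command
ANGLE_LIMIT = 31416                  # pi * 10^4: bound of a 16-bit integer polar angle
HEADER_LEN = 16                      # SYNC(2) FRAMESIZE(2) IDCODE(2) SOC(4) FRACSEC(4) STAT(2)


def check_frame(frame: bytes, fmt_polar: bool, fmt_float: bool, num_phasors: int) -> list:
    """Return the names of the rules that fire for one frame (empty list == frame passes).

    fmt_polar / fmt_float are FORMAT bits 0 and 1 taken from the configuration frame.
    """
    alerts = []
    if len(frame) < HEADER_LEN or frame[0] != 0xAA:
        return ["sync-byte"]
    frame_type = (frame[1] >> 4) & 0x7
    if frame_type not in LEGAL_FRAME_TYPES:            # rule 2: legal frame type?
        alerts.append("rule2-frame-type")
    framesize = struct.unpack(">H", frame[2:4])[0]
    if framesize != len(frame):                        # rule 11: declared vs actual size
        alerts.append("rule11-framesize")
    # rule 10 applies to data frames whose config says 16-bit integer (not float) polar phasors
    if frame_type == 0 and fmt_polar and not fmt_float:
        off = HEADER_LEN
        for _ in range(num_phasors):
            if off + 4 > len(frame) - 2:               # phasor block runs into the 2-byte CHK
                alerts.append("phasor-truncated")
                break
            _mag, angle = struct.unpack(">Hh", frame[off:off + 4])
            if angle > ANGLE_LIMIT or angle < -ANGLE_LIMIT:
                alerts.append("rule10-polar-range")
                break
            off += 4
    return alerts


def build_data_frame(phasors, frame_type=0, framesize=None) -> bytes:
    """Construct a minimal data frame: header, integer polar phasors, zeroed CHK (CRC not checked here)."""
    body = b"".join(struct.pack(">Hh", mag, ang) for mag, ang in phasors)
    length = HEADER_LEN + len(body) + 2
    sync = bytes([0xAA, (frame_type << 4) | 0x2])  # version 2 in the low nibble
    header = sync + struct.pack(">HHII", framesize or length, 1, 0, 0) + struct.pack(">H", 0)
    return header + body + b"\x00\x00"
```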

Page 22: Retrofit SNORT Intrusion Detection for Industrial Control Systems

[Diagram: MTU, network tap feeding Snort, RTU with control logic, pump, relief, pipeline]
Control parameters: Set Point, System Mode, Control Scheme, Pump Override, Relief Override, PID Setpoint, PID Gain, PID Reset, PID Rate, PID DB, PID CT
Output: Pump State, Relief State, Pressure

•Detect Attacks
○ Command Injection
○ Measurement Injection
○ Reconnaissance
○ Denial of Service

Page 23: Snort Protocol Rules for MODBUS

•Reviewed specification and developed a fuzzing framework.
•Using fuzzing framework to guide rule development.
○ Rules for specific frame types
○ Function codes in frames define payload contents
○ Rules based upon relationships between frames: query and response must match
○ Response special cases – exception frames must match defined exceptions to query function code and error types
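The query/response relationship rules on this slide, as an added Python example (not the presentation's Snort rules): a Modbus/TCP query and its response are parsed, the MBAP transaction and unit identifiers and the function code are matched, and an exception response is accepted only if its function code echoes the query and its exception code is one defined for that function. The ALLOWED_EXCEPTIONS table is a small subset assumed for the example, and the frames are constructed.

```python
# Added example: Modbus/TCP query/response consistency checks.
import struct

# Exception codes defined for a few public function codes (subset assumed for this example)
ALLOWED_EXCEPTIONS = {
    0x01: {0x01, 0x02, 0x03, 0x04},  # Read Coils
    0x03: {0x01, 0x02, 0x03, 0x04},  # Read Holding Registers
    0x06: {0x01, 0x02, 0x03, 0x04},  # Write Single Register
}


def parse_mbap(frame: bytes):
    """Split an MBAP header (transaction id, protocol id, length, unit id) from the PDU."""
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if pid != 0 or length != len(pdu) + 1 or not pdu:   # length counts unit id + PDU
        raise ValueError("bad MBAP header")
    return tid, uid, pdu


def check_pair(query: bytes, response: bytes) -> list:
    """Return the names of the rules that fire for one query/response pair."""
    try:
        qt, qu, qpdu = parse_mbap(query)
        rt, ru, rpdu = parse_mbap(response)
    except (ValueError, struct.error):
        return ["mbap-malformed"]
    alerts = []
    if (qt, qu) != (rt, ru):                       # response must belong to this query
        alerts.append("transaction-mismatch")
    qfc, rfc = qpdu[0], rpdu[0]
    if rfc & 0x80:                                 # exception response: fc | 0x80, 1-byte code
        if (rfc & 0x7F) != qfc:
            alerts.append("exception-fc-mismatch")
        elif len(rpdu) != 2 or rpdu[1] not in ALLOWED_EXCEPTIONS.get(qfc, set()):
            alerts.append("exception-code-undefined")
    elif rfc != qfc:                               # normal response must echo the function code
        alerts.append("fc-mismatch")
    return alerts


def mb_frame(tid: int, uid: int, pdu: bytes) -> bytes:
    """Construct a Modbus/TCP frame with a correct MBAP header."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu
```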

Page 24: Cybersecurity Testing and Risk Assessment for Industrial Control Systems

Denial of Service
•Known attacks
•High volume traffic
•Protocol mutation

Device Security Assessment
•Security features
•Standards conformance
•Port scan
•Vulnerability scan

Confidentiality, Integrity
•Password confidentiality
•Password storage
•Man-in-the-middle

•Many vulnerabilities identified and communicated to vendor and project partner.
•All addressed
○ Firmware fixes
○ New security features
○ System architecture changes

Page 25: Critical Infrastructure Protection Center

•Identify vulnerabilities, implement attacks, investigate impact on physical systems.
•Develop security solutions; system protection, intrusion detection, attack resilience.
•Train engineers and scientists for control systems security careers.

[Diagram: overlap of Cybersecurity and Industrial Control Systems]

Page 26:

•Read Sprabery, BS CPE – Power System Cybersecurity
•Drew Richey, MS ECE – Ladder logic to Snort Rules
•Uttam Adhikari, PhD ECE – Power System Cybersecurity
•Wei Gao, PhD ECE – SCADA Intrusion Detection
•Shengyi Pan, PhD ECE – Power System Cybersecurity
•Tommy Morris, Asst. Prof., Director, CIPC – Industrial Control System Security
•David Mudd, MS ECE – SCADA Virtual Test Bed
•Quintin Grice, MS ECE – Relay Settings Automation
•Joseph Johnson, BS EE – Control Systems
•Lalita Neti, MS ECE – Relay Settings Automation