
University of Illinois • Dartmouth College • Cornell University • Washington State University

Trustworthy Cyber Infrastructure for the Power Grid

Presentations


TCIP: Trustworthy Cyber Infrastructure for Power

Quantitative & Qualitative Evaluation

Presented by David Nicol

TCIP Year 1 Review, December 11, 2006


Aims and Approaches

TCIP is developing technologies to secure a next-generation power grid. Our group is:

  • developing tools and methodologies for evaluating and validating these technologies
  • developing tools and methodologies for evaluating existing system configuration with respect to best practice recommendations and global policies
  • studying the sensitivity of the power grid infrastructure to various kinds of cyber attacks


Personnel

  • PIs/Senior Staff
    – Roy Campbell
    – Tom Overbye
    – David Nicol
    – Bill Sanders
    – Bob Thomas
  • Staff
    – Carl Anderson
    – Vishnu Ranganathan
    – Ray Zimmerman
  • Graduate Students
    – Scott Bai
    – Matt Davis
    – Chris Grier
    – Hamed Okhravi
    – Sundeep Reddy
    – Sankalp Singh
    – Zeb Tate
  • Undergraduate
    – Steve Hanna


Year 1 Research Accomplishments

Simulation
  – Emulation, transparent integration of IP devices {project, external}: servers, routers, clients
  – Modbus-speaking simulators of power grid, and SCADA control center
  – Algorithms for high speed virtual background network traffic
  – Cyber-attack models (algorithms/optimizations + implementation)
      • Random scanning worms, flash-worms, packet reflection, packet redirection

Intruder client
  – New man-in-middle code attack on Modbus timing
  – Database of co-opted traffic

Power Markets
  – Experimental design + technical support, co-opting auction information

System Evaluation
  – Methodology for analyzing properties of system configuration vis-à-vis formalized interpretation of best practices
  – Tool (APT) for analyzing firewall configurations vis-à-vis formalized global policy

Integration
  – Network simulation/emulation operationally integrated with
      • Simulated power grid and SCADA
      • Simulated power auction server
      • Intruder client
  – Conceptually integrated with system evaluation


Project: RINSE Simulator

RINSE links virtual network and devices with physical devices

  • physical devices have virtual stand-ins

Traffic from/to external devices is trapped and remapped within the simulator


RINSE Simulator

Significant software engineering

  • Refactoring
  • Documentation
  • Updated revision control

Dynamic network display of attacks

Malware models

  • Packet reflection, packet redirection
  • Dynamic link failure

Attack models

  • Bandwidth consumption optimization
  • Impeding / subverting flows
  • Spyware / botnets

Scalable proxy-oriented networking

Attacker tools

  • Modbus timing attack
  • Captured traffic database

[Figure: RTT (max, ave, min) versus number of clients, from 2 to 50; experimental evaluation of DDoS attack on power grid networking]

[Figure: a Middleman with a cache sits between SCADA (Modbus master) and the device (Modbus slave); the request is forwarded and the reply cached, after which a stale reply is returned to the master]


RINSE Traffic Models of Attack

  • Hybrid discrete-continuous model of worm traffic
  • Validated against detailed packet-oriented model
  • Optimal execution policy subject to accuracy constraint
  • Very fast execution
  • Optimizations to backbone simulation

[Figure: hybrid worm model, numerical integration of the infection number f(I, ε) with TNI sampling]


Project: Power Grid Communication/Control Simulation

  • We are in the process of developing a power grid communication/control simulation that has four distinct parts:
    1. The power grid itself is modeled using PowerWorld Simulator, a commercial software package
    2. The SCADA system, which is used to monitor and control the power grid
    3. The RTUs and IEDs
       – Measure power grid values, and report these values to SCADA (or other control packages)
       – Receive SCADA commands and then modify the power grid
    4. The communication network, which is simulated using RINSE


PowerWorld Simulator

  • PowerWorld Simulator is a commercial power system analysis package that can simulate power systems in the time frame of minutes to days
    – This is the time frame in which operator intervention occurs via SCADA, and also some automatic control such as automatic generation control (AGC)
  • Simulator is currently being modified by PowerWorld to support the millisecond time frame (transient stability)
    – This is the time frame in which many automatic control actions occur, such as relay operations
  • Simulator can model power systems of just about any size
  • Simulator has server-based remote access that provides the necessary hooks to interact with the TCIP simulations


PowerWorld Simulator Models

A relatively small ten-bus (node) power grid model will be used in today’s demonstration

[Figure: one-line diagram of the ten-bus model with buses at Bloomington, Decatur, Peoria, Springfield and Rockford; percentage MVA line loadings of 89%, 93%, 86%, 87% and 105% are shown]

In the future larger models with thousands of buses can be used to allow simulations with many different players


SCADA System

  • SCADA stands for Supervisory Control and Data Acquisition
  • During the first year a SCADA system has been developed to provide human interaction with the power grid.
  • TCIP SCADA currently uses the Modbus/TCP protocol to query RTUs and other devices such as IEDs.
    – The use of Modbus/TCP allows the TCIP SCADA to communicate both with simulated and actual devices

[Figure: TCIP SCADA one-line diagram human interface]


Simulated RTU and RINSE

  • During the first year a simulated RTU has been developed.
  • Simulated RTU is continually measuring (querying) the power system, with periodic data sent to the SCADA
  • SCADA control requests are immediately processed by the RTU and then implemented on the power system
    – This simulates the action of actual power system control systems such as breakers and generator control systems
  • All communication between the RTU and SCADA goes through RINSE to simulate the communication system


Complete Power Grid Communication/Control

[Figure: TCIP SCADA connected through RINSE, over Modbus/TCP, to the simulated RTU(s); the power grid is modeled with PowerWorld Simulator]

  • Integration of three distinct simulators
    – Power generation
    – SCADA control
    – Networking
  • Accomplishments
    – Sophisticated networking to support integration
    – Non-trivial modeling of RTU and Modbus protocol
    – Demonstration of possible cyber-attacks on power grid


Project : Man-in-Middle Attacks

[Figure: the Modbus master requests the value of a specific register or memory location from the RTU (Modbus slave) across the network, and the value is returned]

  • Modbus protocol requires no time-stamp or sequence number
  • Subject to man-in-middle attack that offers old data for every master request


Man-in-Middle Attacks

  • Modbus protocol requires no time-stamp or sequence number
  • Subject to man-in-middle attack that offers old data for every master request

[Figure: as on the previous slide, with a Middleman inserted on the network between the Modbus master and the RTU (Modbus slave), holding a cache of slave state]

  • Subversion of routing
  • Every request answered from cache
  • Every request mirrored, every response cached
  • Implemented in attacker client
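The stale-data middleman described above has a cheap master-side countermeasure. The following is an added example, not TCIP code: it assumes an RTU that increments a heartbeat counter in one holding register on every poll (an application-level sequence number, which the Modbus protocol itself does not provide; the register layout is an assumption here) and shows a master-side monitor that decodes Modbus/TCP Read Holding Registers replies and flags a frozen or out-of-sequence heartbeat and unchanged measurements across a window of polls. The constructed trace replays one cached reply, as the middleman on the slide does, so the detection can be exercised offline.

```python
"""Master-side staleness detector for Modbus/TCP Read Holding Registers replies.

Added example (not TCIP code). Assumes the RTU exposes a heartbeat register
that it increments on every poll; the frames below are constructed by hand.
"""
import struct
from collections import deque

READ_HOLDING_REGISTERS = 0x03


def build_read_response(transaction_id, unit_id, registers):
    """Encode a function-3 response: MBAP header followed by the PDU."""
    byte_count = 2 * len(registers)
    pdu = struct.pack(">BB", READ_HOLDING_REGISTERS, byte_count)
    pdu += struct.pack(">%dH" % len(registers), *registers)
    # MBAP: transaction id, protocol id (0 for Modbus/TCP), length of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_response(frame):
    """Decode and sanity-check a function-3 response; raises ValueError on malformed input."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    fc, byte_count = struct.unpack(">BB", frame[7:9])
    if fc != READ_HOLDING_REGISTERS:
        raise ValueError("unexpected function code 0x%02x" % fc)
    data = frame[9:]
    if byte_count != len(data) or byte_count % 2:
        raise ValueError("byte count does not match register data")
    regs = list(struct.unpack(">%dH" % (byte_count // 2), data))
    return {"tid": tid, "unit": unit, "registers": regs}


def is_well_formed(frame):
    """True if the frame decodes as a valid function-3 response."""
    try:
        parse_read_response(frame)
        return True
    except ValueError:
        return False


class StalenessMonitor:
    """Freshness checks applied by the master to every poll reply."""

    def __init__(self, heartbeat_index, window=3):
        self.heartbeat_index = heartbeat_index   # register that carries the heartbeat counter
        self.window = window                     # consecutive polls that must agree before alerting
        self.history = {}                        # unit id -> recent (heartbeat, measurements)

    def observe(self, frame, expected_tid):
        rsp = parse_read_response(frame)
        alerts = []
        if rsp["tid"] != expected_tid:
            alerts.append("transaction id mismatch")
        regs = rsp["registers"]
        beat = regs[self.heartbeat_index]
        measurements = tuple(r for i, r in enumerate(regs) if i != self.heartbeat_index)
        hist = self.history.setdefault(rsp["unit"], deque(maxlen=self.window))
        hist.append((beat, measurements))
        if len(hist) == self.window:
            beats = [b for b, _ in hist]
            if len(set(beats)) == 1:
                alerts.append("heartbeat frozen")
            elif any((b1 + 1) & 0xFFFF != b2 for b1, b2 in zip(beats, beats[1:])):
                alerts.append("heartbeat out of sequence")
            if len({m for _, m in hist}) == 1:
                alerts.append("measurements unchanged")
        return alerts


def run_scenario():
    """Constructed trace: three genuine polls, then three replies served from a middleman's cache."""
    mon = StalenessMonitor(heartbeat_index=0, window=3)
    results = []
    last_genuine = None
    for tid, beat, megawatts in [(1, 10, 2500), (2, 11, 2510), (3, 12, 2490)]:
        last_genuine = build_read_response(tid, 1, [beat, megawatts])
        results.append(mon.observe(last_genuine, tid))
    cache = parse_read_response(last_genuine)["registers"]   # the middleman's cache of slave state
    for tid in (4, 5, 6):
        # the cached reply is re-sent with only the transaction id rewritten to match the request
        results.append(mon.observe(build_read_response(tid, 1, cache), tid))
    return results


if __name__ == "__main__":
    for poll, alerts in enumerate(run_scenario(), start=1):
        print("poll %d: %s" % (poll, alerts or "ok"))
```

The transaction-id check alone does not catch a middleman that rewrites the id on each cached reply; the heartbeat and unchanged-measurement checks are what fire on the replayed polls, and a wider window trades detection delay for fewer false alarms on genuinely static registers.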


Project : Power Auction

Powerweb simulator used for education in power auction

  – Each subject role-plays a power generator bidding in the ISO auction
  – Powerweb integration with RINSE demonstrated
  – Planning experiments to assess impact of covertly obtained information on market results
      • RINSE emulates realistic spyware / botnet architecture

[Figure: PowerWeb ISO connected to the subjects through RINSE]


Spyware Attack

  • Designed and implemented copy/forward attack at host interface
  • Implemented trapped traffic database/remote query capability
  • Supports analysis of impact that illegally obtained data has on auction

[Figure: PowerWeb ISO and a cheating actor attached to the RINSE network; trapped traffic is copied to the cheating actor]

Project: Access Policy Assessment

  • Check conformance of aggregate policy implementation w.r.t. access against global access policy

[Figure: APT architecture. SELinux TE and RBAC rules, Cisco PIX rules and iptables rules (from host-based firewalls, router-based dedicated firewalls and OS-based access control) are securely collected and translated into a Unified Rule Form (XML). Together with the Global Policy (formal access rules and other sources, also XML) they feed a Consistency Checker, which produces a complete report of constraint violations in offline analysis and dynamic event reports of new violations under online change monitoring & analysis]

APT Tool implemented

  • exhaustive analysis
  • statistical analysis

Example

  • Policy objective: isolation of PCS
  • Testbed: 2 routers, host iptables
  • 80 violations in under 10s, root cause identified


Access Policy Tool

  • APT transforms system description into rules graph
  • Graph nodes represent policy actions
  • Paths through graph represent sequence of policy decisions leading to final disposition
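As an added example of the rules-graph idea (not the TCIP Access Policy Tool or its rule format), the following Python treats each device's first-match rule set as one decision node, records a flow's path as the sequence of matched rules, and exhaustively walks every (source zone, destination zone, protocol, port) class to compare the final disposition with a global "isolation of PCS" policy, reporting violations with the path that produced each one. The zones, ports, two-router-plus-host topology and rule sets are constructed for the illustration, and the root-cause ranking (rules that appear on violating paths but on few legitimately accepted ones) is a simple heuristic chosen here, not APT's method.

```python
"""Exhaustive check of a firewall rule chain against a global access policy.

Added example, not the TCIP Access Policy Tool: rule sets, zones, ports,
topology and the global policy below are constructed to mirror the slide's
"isolation of PCS" objective on a two-router-plus-host testbed.
"""
from collections import Counter
from itertools import product

ZONES = ["internet", "corp", "dmz", "pcs"]   # pcs = process control system network
PROTOS = ["tcp", "udp"]
PORTS = [22, 80, 443, 502, 20000]            # 502 = Modbus/TCP, 20000 = DNP3
DEFAULT_ACTION = "DROP"

# Unified rule form used here: (node name, src zone, dst zone, proto, dport, action);
# "*" matches anything and rules are evaluated first-match, as in iptables.
RULE_SETS = {
    "edge_router": [
        ("edge-1", "internet", "dmz", "tcp", 443, "ACCEPT"),
        ("edge-2", "internet", "*", "*", "*", "DROP"),
        ("edge-3", "*", "*", "*", "*", "ACCEPT"),         # trusts all internal zones
    ],
    "core_router": [
        ("core-1", "corp", "pcs", "tcp", 22, "ACCEPT"),   # admin convenience rule
        ("core-2", "dmz", "pcs", "*", "*", "ACCEPT"),     # broader than the policy needs
        ("core-3", "*", "pcs", "*", "*", "DROP"),
        ("core-4", "*", "*", "*", "*", "ACCEPT"),
    ],
    "pcs_host": [                                         # host iptables on the PCS server
        ("host-1", "*", "pcs", "tcp", 502, "ACCEPT"),
        ("host-2", "*", "pcs", "tcp", 22, "ACCEPT"),
        ("host-3", "*", "*", "*", "*", "DROP"),
    ],
}


def device_path(dst_zone):
    """Devices a flow crosses, in order (assumed topology: edge router, core router, PCS host)."""
    path = ["edge_router", "core_router"]
    return path + ["pcs_host"] if dst_zone == "pcs" else path


def first_match(rules, flow):
    """Return (matching rule name, action), or the chain default when nothing matches."""
    for rule in rules:
        if all(r == "*" or r == f for r, f in zip(rule[1:5], flow)):
            return rule[0], rule[5]
    return "default", DEFAULT_ACTION


def disposition(flow):
    """Walk the rules graph: one decision node per device; the first DROP ends the path."""
    path = []
    for dev in device_path(flow[1]):
        node, action = first_match(RULE_SETS[dev], flow)
        path.append("%s:%s" % (dev, node))
        if action == "DROP":
            return "DROP", path
    return "ACCEPT", path


def global_policy(flow):
    """Isolation of PCS: only the DMZ SCADA master may enter PCS, and only on Modbus/TCP."""
    src, dst, proto, dport = flow
    if dst != "pcs":
        return None                      # not covered by this objective
    return "allow" if (src, proto, dport) == ("dmz", "tcp", 502) else "deny"


def analyze():
    """Enumerate every flow class and compare its disposition with the global policy."""
    violations, shadowed = [], []
    on_violation, on_compliant = Counter(), Counter()
    for flow in product(ZONES, ZONES, PROTOS, PORTS):
        if flow[0] == flow[1]:
            continue                     # same-zone traffic does not cross these devices
        verdict, path = disposition(flow)
        want = global_policy(flow)
        if want == "deny" and verdict == "ACCEPT":
            violations.append((flow, path))
            on_violation.update(path)
        elif want == "allow" and verdict == "DROP":
            shadowed.append((flow, path))   # policy permits it but the implementation blocks it
        elif verdict == "ACCEPT":
            on_compliant.update(path)
    # Root-cause heuristic (an assumption here, not APT's method): prefer the rule that is on
    # the most violating paths and on the fewest legitimately accepted ones.
    ranked = sorted(on_violation, key=lambda n: (on_compliant[n], -on_violation[n]))
    return {"violations": violations, "shadowed": shadowed,
            "root_cause": ranked[0] if ranked else None}


if __name__ == "__main__":
    report = analyze()
    for flow, path in report["violations"]:
        print("VIOLATION %s via %s" % (flow, " -> ".join(path)))
    print("root cause candidate:", report["root_cause"])
```

On the constructed rule sets the walk finds two accepted flows the policy forbids (SSH into PCS from the corporate and DMZ zones), both ending at the host rule that accepts port 22 from anywhere, which the heuristic ranks as the root cause; the "shadowed" list would expose the opposite defect, a policy-permitted flow that the implementation blocks.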


Project: Security Assessment

Automated Security Assessment of Critical Cyberinfrastructure

Sample Workflow

  Step 1: Aggregate information from field sensors (authenticity, confidentiality)
  Step 2: Send sensor information to CC (confidentiality, integrity)
  Step 3: Receive control information from CC (authenticity, integrity)

[Figure: the power grid workflow and a CIM description of the power grid assets feed Trust Analysis, which yields derived predicates and security concerns]


Security Assessment

Analyze critical cyberinfrastructure and workflow descriptions with respect to practices, policies, and threats

Approach:

  – Use standardized schema (CIM) to describe asset and workflow security attributes
      • Convert to Prolog terms and predicates
  – Transform high level concerns into Prolog predicates, for example:
      • NERC CIP 005 best practices
      • Threat Model
  – Build model of deployed system in Prolog
  – Use Prolog engine to discover deviations of implementation from best practices


Security Assessment

Build tool chain for automated security assessment and vulnerability analysis of the power grid cyberinfrastructure

Results (using executable first-order logic):

  – Annotated common cyberinfrastructure components with additional security properties
  – Derived security model from
      • CIM description of the major components in Intelligrid architecture
      • Workflow descriptions of tasks and attacks
  – Derived security requirements from
      • Case studies of threats on existing cyberinfrastructure
      • CIP 005 recommendations
  – Analysis of whether a given cyberinfrastructure installation supports given workflow security needs
  – Automated security assessment of vulnerabilities in example and experimental cyber installation models based on CIP and case study security requirements
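The approach and results above describe deriving deviations by running Prolog predicates over a model of the deployed system. The following added example (not TCIP's Prolog tool chain) shows the same derivation in Python: constructed facts stand in for the CIM description (assets with zones, channels with the security properties they provide, and the three workflow steps from the sample workflow with their required properties), each derived predicate is a set comprehension over those facts, and a second predicate performs a simplified CIP-005-style perimeter check. The asset names, zones, access points and channel properties are all assumptions made for the illustration.

```python
"""Workflow security assessment as derived predicates over a system model.

Added example, not TCIP's Prolog tool chain: the Prolog-style predicates the
slides describe are written as Python set comprehensions over constructed
facts, and the CIP-005-style check is a simplification chosen for illustration.
"""

# --- constructed facts (stand-ins for a CIM description of assets) ---
ASSET_ZONE = {"sensor-A": "field", "sensor-B": "field",
              "rtu-1": "substation", "cc": "control-center"}
ESP_ZONES = {"substation", "control-center"}   # zones inside the electronic security perimeter
ACCESS_POINTS = {"fw-sub"}                      # identified access points at the perimeter

# channel(Ch, Src, Dst, Via): Via is the access point the channel crosses, or None
CHANNELS = {
    "ch-A": ("sensor-A", "rtu-1", None),
    "ch-B": ("sensor-B", "rtu-1", None),
    "ch-up": ("rtu-1", "cc", "fw-sub"),
    "ch-down": ("cc", "rtu-1", "fw-sub"),
}
# provides(Ch, Prop): security properties each channel is modelled as providing
PROVIDES = {
    ("ch-up", "confidentiality"), ("ch-up", "integrity"), ("ch-up", "authenticity"),
    ("ch-down", "authenticity"), ("ch-down", "integrity"),
    ("ch-A", "authenticity"),   # e.g. keyed MAC on sensor frames, but no encryption
}
# task(Step, Src, Dst, Prop): the sample workflow's steps and required properties
TASKS = [
    (1, "sensor-A", "rtu-1", "authenticity"), (1, "sensor-A", "rtu-1", "confidentiality"),
    (1, "sensor-B", "rtu-1", "authenticity"), (1, "sensor-B", "rtu-1", "confidentiality"),
    (2, "rtu-1", "cc", "confidentiality"), (2, "rtu-1", "cc", "integrity"),
    (3, "cc", "rtu-1", "authenticity"), (3, "cc", "rtu-1", "integrity"),
]


def uses(src, dst):
    """uses(Src, Dst, Ch) :- channel(Ch, Src, Dst, _)."""
    return {ch for ch, (s, d, _) in CHANNELS.items() if (s, d) == (src, dst)}


def deviations():
    """deviation(Step, Ch, Prop) :- task(Step, S, D, Prop), uses(S, D, Ch), \\+ provides(Ch, Prop)."""
    out = set()
    for step, src, dst, prop in TASKS:
        channels = uses(src, dst)
        if not channels:
            out.add((step, None, prop))       # the step has no channel at all
        for ch in channels:
            if (ch, prop) not in PROVIDES:
                out.add((step, ch, prop))
    return out


def perimeter_bypasses():
    """Simplified CIP-005-style rule: a channel entering an ESP zone from outside it
    must cross an identified access point."""
    return {ch for ch, (src, dst, via) in CHANNELS.items()
            if ASSET_ZONE[dst] in ESP_ZONES
            and ASSET_ZONE[src] not in ESP_ZONES
            and via not in ACCESS_POINTS}


def assess():
    """Collect the security concerns derived from the model."""
    return {"deviations": sorted(deviations(), key=str),
            "perimeter_bypasses": sorted(perimeter_bypasses())}


if __name__ == "__main__":
    report = assess()
    for step, ch, prop in report["deviations"]:
        print("step %d: channel %s does not provide %s" % (step, ch, prop))
    for ch in report["perimeter_bypasses"]:
        print("channel %s enters the ESP without an identified access point" % ch)
```

With these facts, steps 2 and 3 are satisfied by the protected RTU-to-control-center channels, while step 1 yields three deviations (no confidentiality on either sensor link and no authenticity on the second) and both sensor links are flagged by the perimeter rule; adding a property to PROVIDES or routing a channel through an access point removes the corresponding concern, which is the kind of what-if a deployed-system model makes cheap.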


Future Plans : Network Simulator

  • RINSE server
    – Remote model assembly, execution, and evaluation
    – Integration of simulator’s network database with security evaluation tools
  • Integrated analysis, simulation, experimental design
  • Modeling activity
    – Background networking to support TCIP research
        • Algorithms/optimizations to minimize computational effort subject to fidelity constraints
    – Dynamic topology
        • Support dynamic quarantine policy
  • Testbed design and implementation


Future Plans: Power Simulator

  • Expand PowerWorld protocol to include more control actions
  • Incorporate hardware into simulation setup
  • Develop new scenarios working with other research groups

Future Plans: Security Evaluation

  • Extend our work to include:
    – Intelligrid architecture
    – CIM models of existing and future devices, software and protocols
    – Security Guidelines for the Electricity Sector (NERC) including more CIP documents
    – Workflows, attacks, threat models, dependency models
  • Extend our formal verification techniques with modeling approaches like Maude
  • Develop formal model for defining cyberinfrastructure security
  • Analyze security requirement guidelines and policies for inconsistencies
  • Study actual cyber attacks and discovered vulnerabilities on cyber infrastructures to verify sufficiency of Security Guidelines
  • Examine a framework for more formal specifications of the Security Guidelines and requirements
  • Determine the tool architecture and algorithms that would help designers of cyber infrastructures build more secure installations
