SLIDE 1

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

ZBIGNIEW KALBARCZYK

EMAIL: KALBARCZ@ILLINOIS.EDU

UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN

JANUARY 2014

SLIDE 2

Outline

  • Problem
  • Attack Model
  • Attack Scenario
  • Semantic Security Analysis Framework
  • Evaluation
  • Conclusions

SLIDE 3

Power Grid Operations

  • Supervisory Control And Data Acquisition (SCADA) system

– Monitor and control geographically distributed assets in industrial control environment, e.g., power grid or gas pipeline

  • To boost control efficiency, SCADA systems integrate proprietary protocols into IP-based network infrastructure

[Figure: SCADA system spanning power generator, transmission network, distribution network, and household environment]

SLIDE 4

Challenges of Control-related Attacks

  • Control-related attacks: a sophisticated attacker can exploit system vulnerabilities and use a single maliciously crafted control command to bring the system into an insecure/unsafe state
  • Hard to detect based solely on the states of physical components

– Classical state estimation and contingency analysis methods are performed periodically on a small range of system changes
– Measurements can be compromised during network communications

  • Hard to detect based solely on network activities

– Malicious commands may not generate a network anomaly

SLIDE 5

Attack Model

  • We DO NOT TRUST “intelligent” devices

– Computing devices in the control center
– Intelligent field devices in substations
– Control network

  • We TRUST measurements of power usage, current, and voltage directly obtained from sensing devices in substations

– Concurrent physical access to and tampering with a large number of distributed sensors is hard to achieve in practice

[Figure: control center connected over the control network to a remote site (substation) with field devices, actuators and sensors]

SLIDE 6

Attack Scenario Assumptions

  • An attacker can penetrate the intelligent components in the power system
  • An attacker can issue maliciously crafted control commands that can put the power system into an insecure state

SLIDE 7

Attack Scenario Stages

[Figure: attack scenario stages. Attack entry points: insider, remote access. Attack preparation stage (offline): access control center, access field devices, data historian, state estimation & contingency analysis; malware installed in substations. Option 1: attackers learn the network topology, estimate system states, and determine an attack strategy, e.g., which transmission lines to open. Option 2: open lines at random when the system operates under high generation or load demand.]

Attack Execution Stage

  • 1. Generate legitimate but malicious network packets (a sample DNP3 packet to open 4 breakers simultaneously)

[Figure: sample packet layout: IP + TCP headers | DNP3 headers | four control relay objects, each with a device index and a control code]

CB 04 0C 28 04 00 01 04 … 03 04 … 05 04 … 06 04 …

  • 2. To hide system changes, intercept and/or alter the network packets sent to the control center in response to the commands

SLIDE 8

Semantic Analysis Framework

[Figure: Semantic Analysis Framework. In the control center, the SCADA master issues control commands, which IDS instance #1 monitors (A). In the substation, the DNP3 slave's actuators and sensors provide measurements of power usage, current, and voltage, which IDS instance #2 collects (B). Both feed State Estimation & Contingency Analysis (C), which produces the generated alerts.]

1) Commands issued to the remote site
2) Measurements obtained from sensors

SLIDE 9

Semantic Analysis Procedure

  • Extract parameters of control commands from SCADA network packets
  • Obtain trusted measurements from sensors in substations
  • Trigger contingency analysis to estimate the consequences of executing the commands carried by the network packets
  • Respond to detected intrusions
  • The semantic analysis framework does not impact the normal functioning of the SCADA system

– no additional delay introduced in the communication between the SCADA system and the substations

SLIDE 10

Monitor Control Commands

  • The Bro intrusion detection system (IDS) is adapted to analyze network packets transmitted using the DNP3 protocol
  • The network IDS distinguishes critical commands from non-critical ones

– Critical commands: commands that can operate physical devices and potentially change the system state

Command types:

– Read: retrieve measurements from remote substations, e.g., read binary outputs
– Write (Critical): configure intelligent field devices, e.g., open, edit, and close a configuration file
– Execute (Critical): operate actuators or sensors, e.g., open or close a breaker connected to a relay
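As an added example (not code from the slides or from the Bro DNP3 analyzer), the following Python monitor shows the two steps described on slide 7 and slide 10: classify a DNP3 application-layer request by its function code into read / write (critical) / execute (critical), and for execute commands extract the device index and control code of each Control Relay Output Block, which is what the contingency analysis needs. Function codes and the g12v1 object layout follow IEEE 1815; the sample fragments are constructed and assume the link and transport layers have already been stripped.

```python
import struct

# DNP3 application-layer function codes (IEEE 1815), grouped the way the
# slide classifies commands: read / write (critical) / execute (critical).
COMMAND_TYPE = {1: "read", 2: "write", 25: "write", 26: "write", 27: "write",
                3: "execute", 4: "execute", 5: "execute", 6: "execute"}
CRITICAL = {"write", "execute"}
OP_TYPE = {0: "NUL", 1: "PULSE_ON", 2: "PULSE_OFF", 3: "LATCH_ON", 4: "LATCH_OFF"}
TRIP_CLOSE = {0: "NUL", 1: "CLOSE", 2: "TRIP"}


def decode_control_code(code):
    """Split a g12v1 control code into its operation-type and trip/close fields."""
    return OP_TYPE.get(code & 0x0F, "RESERVED"), TRIP_CLOSE.get(code >> 6, "RESERVED")


def analyze(fragment):
    """Return (command type, is_critical, [(device index, control code), ...]).
    Parameters are extracted only for execute commands carrying g12v1 CROB
    objects with qualifier 0x28 (2-byte index prefix, 2-byte count); the
    link and transport layers are assumed to have been stripped already."""
    kind = COMMAND_TYPE.get(fragment[1], "other")   # byte 0 is application control
    if kind != "execute":
        return kind, kind in CRITICAL, []           # no parameters needed
    if tuple(fragment[2:5]) != (12, 1, 0x28):       # group, variation, qualifier
        raise ValueError("only g12v1 objects with qualifier 0x28 are handled here")
    count = struct.unpack_from("<H", fragment, 5)[0]
    params, pos = [], 7
    for _ in range(count):
        index, code = struct.unpack_from("<HB", fragment, pos)
        params.append((index, code))
        pos += 13                                   # 2-byte index + 11-byte CROB
    return kind, True, params


def crob(index, code):
    """Constructed g12v1 object: control code, count=1, on/off time 0 ms, status 0."""
    return struct.pack("<HBBIIB", index, code, 1, 0, 0, 0)


# Constructed OPERATE (fc 4) request with four LATCH_OFF (0x04) objects,
# mirroring the slide's "open 4 breakers" packet.
OPEN_FOUR_BREAKERS = bytes([0xCB, 0x04, 0x0C, 0x01, 0x28, 0x04, 0x00]) + b"".join(
    crob(i, 0x04) for i in (1, 3, 5, 6))
# Constructed class-1 poll: READ (fc 1), g60v2, qualifier 0x06 (all points).
CLASS1_READ = bytes([0xC0, 0x01, 0x3C, 0x02, 0x06])
```

Feeding `analyze(OPEN_FOUR_BREAKERS)` into a contingency analysis means opening points 1, 3, 5 and 6 in the model before the command reaches the substation; the read poll is dropped without any further work.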

SLIDE 11

Evaluation Testbed Setup

  • Hardware and system software

– An Intel i3 (3.07 GHz) quad-core; 4 GB RAM, running Linux OS

  • Application software

– SCADA master and DNP3 slave implemented using an open source DNP3 library
– Produce synthetic DNP3 network traffic

  • Intrusion detection system

– Bro IDS with integrated DNP3 analyzer to monitor network traffic
– Matpower, an open source Matlab toolbox for power flow analysis

SLIDE 12

Effects of Malicious System Changes

  • SCADA master issues DNP3 network packets to change power system states

– The traffic includes network packets representing read, write, and execute commands
– Include the maliciously crafted commands
– IEEE 30-bus system analyzed

Command types and event patterns:

– Read: request to read (i) static data and (ii) event data from relays. Event pattern: periodic event with an interval of 1 second
– Write: request to (i) update the static configuration file and (ii) open/close an application in a relay. Event pattern: Poisson process with average command arrival interval of 50 seconds
– Execute: request to open/close a breaker of a relay. Event pattern: Poisson process with average command arrival interval of 100 seconds

SLIDE 13

IEEE 30-bus System

  • Malicious changes

– Increase generation (at buses 2, 13, 22, 23, and 27) by 50%
– Increase load demand by 50%
– Open 3 transmission lines at random
– All changes simultaneously

SLIDE 14

Procedure to Check System State

  • Check line status

– Voltage drop limit – the voltage at the receiving end (VR) and at the sending end (VS) of a single transmission line should satisfy the operational condition VR / VS ≥ 0.95
– Steady-state stability limit – the maximum power that a line can carry

  • Security Metric

– Number of insecure lines

[Figure: flowchart. Malicious system changes → state estimation → check line status: within voltage drop? No → insecure; Yes → within steady-state limit? No → insecure; Yes → secure]
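An added example (not from the slides) that implements the slide 14 check and security metric in Python: each line goes through the voltage-drop test first and the steady-state limit second, and the metric is taken before and after a change so the "additional insecure lines" figure of the evaluation can be computed. The per-line values stand in for state-estimation output; the line ids and numbers are constructed.

```python
VOLTAGE_DROP_LIMIT = 0.95   # slide 14: V_R / V_S must be at least 0.95


def line_status(v_s, v_r, flow_mw, stability_limit_mw):
    """Slide 14 flowchart: insecure if the voltage-drop check fails, otherwise
    insecure if the flow exceeds the steady-state stability limit, else secure."""
    if v_r / v_s < VOLTAGE_DROP_LIMIT:
        return "insecure"
    if abs(flow_mw) > stability_limit_mw:
        return "insecure"
    return "secure"


def insecure_lines(lines):
    """Security metric: ids of the lines whose status is insecure."""
    return {lid for lid, (v_s, v_r, p, lim) in lines.items()
            if line_status(v_s, v_r, p, lim) == "insecure"}


def additional_insecure(before, after):
    """Lines that a (malicious) change turned from secure into insecure."""
    return insecure_lines(after) - insecure_lines(before)


# Constructed per-line results (V_S, V_R in p.u.; flow and limit in MW) from a
# hypothetical state estimate before and after a line outage plus load increase.
BEFORE = {
    "1-2": (1.05, 1.04, 120.0, 130.0),
    "2-5": (1.04, 1.00, 80.0, 130.0),
    "4-6": (1.01, 0.97, 60.0, 65.0),
    "6-8": (1.00, 0.94, 30.0, 32.0),    # already insecure: V_R/V_S = 0.94
}
AFTER = {
    "1-2": (1.05, 1.03, 135.0, 130.0),  # overloaded beyond its steady-state limit
    "2-5": (1.04, 0.98, 95.0, 130.0),   # V_R/V_S ~ 0.942: voltage drop violated
    "4-6": (1.01, 0.97, 60.0, 65.0),
    "6-8": (1.00, 0.94, 30.0, 32.0),
}
```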

SLIDE 15

Effect of System Changes

  • Coordinated system changes (i.e., a combination of increase in generation and load demand, and line outage) put up to 9 additional lines in insecure conditions
  • To escape detection, an attacker may want to avoid making changes to many physical components

– attack when the system is most vulnerable, e.g., in presence of already high load demand
– opening a few transmission lines may be sufficient to create a blackout

SLIDE 16

Performance Evaluation: Setup

  • SCADA master is configured to simulate 24 hours of operations

– 77,000 read commands
– 1,800 write commands
– 900 execute commands

  • Measurements

– the average execution time of network monitoring, e.g., filtering out non-critical commands and extracting parameters of critical ones
– the time to carry out contingency analysis for test systems of different sizes

SLIDE 17

Performance Evaluation: Results

The time to estimate the consequences of executing a command (~100 ms) is almost three orders of magnitude higher than the time of the network monitoring (~0.1 ms)

[Figure: measured time of the two stages: (1) monitor critical commands, extract their parameters and deliver them to the contingency analysis software; (2) execute the contingency analysis to estimate the consequences of executing a command]

SLIDE 18

Does Measured Performance Allow Timely Semantic Analysis on Critical Commands?

  • Yes!
  • Network traffic involved in carrying critical commands in power systems is still low

– many critical commands to operate substation devices are issued manually
– the interval between control commands is on the order of seconds (or minutes)

  • There is a limited number of types of critical commands

– ignore non-critical commands to reduce the frequency of the semantic analysis

SLIDE 19

Conclusions

  • Show that in the power grid SCADA, an attacker can use legitimate, but maliciously crafted, commands to put the power system in an insecure state
  • Propose a semantic analysis framework based on an IDS extended with

– a network packet analyzer
– power flow assessment tools

to (preemptively) estimate the execution consequences of a command and prevent system damage

  • Evaluated the approach on the IEEE 30-bus system

– the semantic analysis provides reliable detection of malicious commands with a small overhead

SLIDE 20

Future Work

  • Improve performance of the state estimation

– consider different strategies as to how and when to re-compute the system state

  • Investigate response to a detected intrusion

– e.g., postpone a command

SLIDE 21

Acknowledgments

  • Hui Lin
  • Adam Slagell
  • Peter Sauer
  • Ravishankar Iyer
  • Our sponsors: DOE, DHS, and NSF

SLIDE 22

Current Status of the Software

  • The DNP3 analyzer is already included in the Bro IDS official branch, which you can download at: http://www.bro.org/download/index.html

– The source code of the analyzer can be found at: bro/src/analyzer/protocol/dnp3