Cyber Security
Considerations for
Electric Power Systems
Tommy Morris
Director, Critical Infrastructure Protection Center
Assistant Professor
Electrical and Computer Engineering
Mississippi State University
morris@ece.msstate.edu
(662)325-3199
Electronic Security Perimeter
Is this system air-gapped?
No.
But…
•it’s fiber optic.
•we own the network.
•we own the wireless network.
Electronic Security Perimeter
Is this system air gapped?
No.
What is this?
•Leased line from phone company?
•Does the utility sell BW to 3rd parties?
Common configuration
Control Room
Outstation
DMZ
WWW
Enterprise Network
Can malware infect the control
room or outstation? Yes
Control Room
Outstation
DMZ
WWW
Enterprise Network
Can malware infect the control
room or outstation? Yes
Control Room
Outstation
DMZ
WWW
Enterprise Network
What about serial? RS-232/485
Stuxnet
Take aways
Industrial control system networks are
not commonly air gapped..
 Industrial control systems can be
infected by malware.
 An electronic security perimeter alone is
insufficient protection.
 Need a defense in depth approach.

Risk Assessment

Should consider
 likelihood of attack
 cost of attack
 impact of attack

Compared to
 cost of prevention
 likelihood of prevention
Interruption (Denial of Service)
 An asset of the system is destroyed of






MSU
becomes unavailable or unusable
Attack on availability
Destruction of hardware
Cutting of a communication line
Disabling the file management system
May not be physical destruction.
May be temporary.
ECE 8990 Smart Grid
DOS Prevention

Monitor and react
 Monitor network traffic for DOS attacks
 Close offending ports
 Is it OK to close a network port in an ICS
network?

Test devices for vulnerability
○ Protocol mutation (fuzzing)
○ Known attacks
○ Floods
 Share results (ethically)
 Force vendor to patch
Interception
 An unauthorized party gains access to an





MSU
asset
Attack on confidentiality
Wiretapping to capture data in a network
Intercepting a password -> bad
Intercepting a password file -> worse
Intercepting ICS data from an RTU. Is that
bad?
ECE 8990 Smart Grid
MSU
ECE 8990 Smart Grid
Modification
 An unauthorized party not only gains




access but tampers with an asset
Attack on integrity
Change values in a data file
Alter a program to make it perform
differently
Modify content of messages transmitted on
a network
man-in-the-middle (MITM)
MSU
ECE 8990 Smart Grid
Modification
 Modification in ICS -> very bad
 Feedback control uses
○ sensors to monitor physical process
○ Controllers to control the physical process.
 Modifying measured output, measured error,
system input, or reference affects system
output.
MSU
ECE 8990 Smart Grid
Modification
 Need to defend the sensor.
 Need to defend the device which
measures error.
 Need to defend the controller.
 Need to defend the communication
network.
MSU
ECE 8990 Smart Grid
MSU
ECE 8990 Smart Grid
Fabrication
 Unauthorized party inserts counterfeit objects





MSU
into the system
Attack on authenticity
Insertion of spurious messages in a network
Addition of records to a file
ICS – insertion of
spurious/unwanted/unauthorized control
ICS – adding data to a historian
ECE 8990 Smart Grid
MSU
ECE 8990 Smart Grid
ICS Example
reference
GPS Clock
Network
Phasor
Phasor
Measurement
Phasor
Measurement
Unit
(PMU)
Measurement
Unit
(PMU)
Unit (PMU)
Sensor, reference
Network
Network
Phasor Data
Concentrator (PDC)
Network
Appliance
MSU
Energy Management
System
Error
measurement,
Controller
ECE 8990
Smart Grid
Network Intrusion Detection for
Industrial Control Systems

Physical
 Wireless IDS
 Not much at this level

Physical
Network, Transport
 Detect well known attacks
Data Link
○ Tear drop, LAND, port scanning, Ping
 Common protocol rules
Network
○ TCP, IP, UDP, ICMP

Application Layer
 Detect protocol mutations
 Detect protocol specific DOS attacks
 Model Based IDS to detect system level attacks
○ measurement injection
○ command injection
○ system state steering
Most of our
work is here.
Transport
Application
IDS Framework for
Synchrophasor Systems

Synchrophasor systems being installed across country
by utilities with ARRA grants
 Improved electric grid visibility
○ Detect disturbances sooner
 Wide area protection
○ React to disturbances quickly to limit outage
 IEEE C37.118 - Synchrophasor Network Protocol

Need to develop Snort rules to
 Protect against IEEE C37.118 protocol mutation type
attacks
 Detect reconnaissance, DOS, command injection,
and measurement injection attacks
 Read Spraberry has identified approximately 36
rules and is writing and testing now.
IDS framework for MODBUS


Reviewed MODBUS specification and
developed a fuzzing framework.
Using fuzzing framework to guide rule
development.
○ Rules for specific frame types
○ Function codes in frames define payload contents
○ Rules based upon relationships between frames
 query and response must match
○ Response special cases – exception frames
 match defined exceptions to query function code and
error types

50 rules in development
IDS Framework
ICS
network
Snort
Example Attack
Wireless Link
1. Radio Discovery < 24 hrs.
2. Infiltration < 30 days
3. Data Injection or Denial of
Service Attack
4. Broken Feedback Control
Loop
SNORT Intrusion Detection for Industrial
Control Systems
control logic
MTU
tap
Set Point
System Mode
Control Scheme
Pump Override
Relief Override
PID Setpoint
PID Gain
PID Reset
PID Rate
PID DB
PID CT
Output
Pump State
Relief State
Pressure
pump
relief
RTU
pipeline
Snort
•Detect Attacks
•Command Injection
•Measurement Injection
•Reconnaissance
•Denial of Service
Cybersecurity Testing and Risk Assessment
for Industrial Control Systems
RTDS
MU4000
PC
Histor
-ian
S
u
b
s
t
a
t
i
o
n
PMU
R
o
u
t
e
r
A
B
PDC
A
B
C
Bus
Cybersecurity Testing and Risk
Assessment for Industrial Control Systems
Denial of
Service
Device
Security
Assessment
Confidentiality,
Integrity
Known attacks
Security
features
Password
confidentiality
High volume
traffic
Standards
conformance
Password
storage
Port scan
Protocol
mutation
Vulnerability
scan
Man-in-themiddle
•Many vulnerabilities identified and
communicated to vendor and project partner.
•All addressed
•Firmware fixes
•New security features
•System architecture changes
CIPC Lab Growth



Continue to add systems
Currently designing SCADA
lab upgrades to increase
diversity and complexity.
Needs
 RTDS Expansion
 Achilles Satellite Security
Analyzer
Center for
Computer
Security Research
Cyber Security
Education
Scholarship
Programs
Information and Computing Security
National Forensics
Training Center
Computer Crime and Forensics
Network Security and Cryptography
NSF Scholarship for
Service
Industrial Control System Security
Advanced Network Security
Advanced Digital Forensics
Critical Infrastructure
Protection Center
Trustworthy Computing
DOD Information
Assurance Scholarship
Internet Security Protocols
National Center of Academic Excellence in Information Assurance Education
National Center of Academic Excellence in Research
Research Partners
Critical Infrastructure Protection Center
Identify vulnerabilities,
implement attacks, investigate
impact on physical systems.
Develop security solutions;
system protection, intrusion
detection, attack resilience
Train engineers and scientists
for control systems security
careers.
Cyber
Security
Industrial
Control
Systems
Tommy Morris
Asst. Prof.
Director, CIPC
Industrial Control
System Security
Ray Vaughn
V.P. Research
Giles Distinguished Professor
Software Engineering and
Computer Security
Dave Dampier
Professor
Director, CCSR
Computer
Forensics
Malingham Ramkumar
Assoc. Prof.
Trustworthy Computing
Yogi Dandass
Assoc. Prof.
Root Kit, Hypervisor Detection
Wesley McGrew
Research Associate
Human Machine Interface
Security, Software Vulnerability
and Exploitation
Robert Gosselin
BS EE
Quintin Grice
MS ECE
Uttam Adhikari
PHD ECE
Jeff Hsu
BS EE
David Mudd
MS ECE
Wei Gao
PHD ECE
Read Sprabery
BS CPE
Shengyi Pan
PHD ECE
Lalita Neti
MS ECE
Joseph Johnson
BS EE