A Critical Infrastructure Testbed for
Cybersecurity Research and Education
Ai Onda, Kalana Pothuvila, Joseph Urban, and Jordan Berg
Abstract
Awareness for cybersecurity in critical infrastructure is imperative
because critical infrastructures are vital to our economy and public safety.
Supervisory Control and Data Acquisition (SCADA) systems are
networks of computers that monitor and control industrial machines and
processes, prevalent in critical infrastructures. Unfortunately, SCADA
systems are vulnerable to cybersecurity threats, giving an opening to
attacks. Testbeds provide a safe environment to observe how attacks occur
and their possible effects on a real system.
In this project, a simple and reconfigurable testbed was created and
attacked for the purpose of research and education in this area of vital
National importance. The initial focus of the testbed attacks were on
industrial control system attacks, thus, under this approach, the attacker
has already breached the Information and Communications Technology
(ICT) security measures and is preparing to compromise the industrial
control network. The testbed includes three modules: the Local Area
Network (LAN), a serial Modbus/RTU Programmable Logic Controller
(PLC) network, and a Modbus/TCP to Modbus/RTU translation gateway.
We attacked the sensors and motors by ping flooding. The sensors and
motors timed out, causing the Human Machine Interface (HMI) to lose
connection with them.
Texas Tech University 2013
National Science Foundation
Research Experiences for
Undergraduates Site Project
Methods
Modbus Family of Protocols
•
•
Modbus: Simple master and slave relationship; Master sends packet containing function code and data to slave, slave responds with packet
containing same function code and different data
Modbus/RTU PLC network
•
Created communication between two slave PLCs and master PLC using
built in Modbus/RTU protocol, uploading ladder logic program on the
master PLC
•
Created communication between master micrcontroller and slave
microcontroller using Modbus/RTU library for Arduino, “simple-modbus”
[6]
Variations of Modbus: Serial Modbus (Modbus/RTU and Modbus/ASCII) and Modbus/TCP
Modbus/RTU Packet Structure [4]
Start
Slave ID
(1 byte)
Function
Code
(1byte)
Data
(varies)
CRC
Checksum
(2 bytes)
End
•
Modbus/TCP Packet Structure [5]
IP
Gateway
TCP
Transaction
ID
(2 bytes)
Protocol Length Slave ID Function Data
ID
(2 bytes) (1 byte)
Code
(varies)
(2 bytes)
(1 byte)
Determining how to physically connect PLC to gateway microcontroller
Attack
•
Performed ping flood on motor and sensor with “sudo ping –f [IP Address]”
•
Creating packet flooder with Java that generates different types of packets
including ICMP, UDP, and SYN
Testbed System
Summary
Results
The testbed and related attack methods will be used by educational
institutions for lab courses concerning cybersecurity in critical
infrastructures, increasing critical infrastructure awareness and security
skills in future generations of cybersecurity professionals.
• PLC network completed
• Disrupted service through ping flooding motor and sensor
• Incoming and outgoing channels congested with ICMP Echo packets from
the client and ICMP Echo Reply packets from the server
• HMI cannot connect with motor and sensor during attack
Introduction
• HMI connects with motor and sensor after stopping attack
• Critical infrastructure is vital to our economy and public safety
Future Work
• Supervisory Control and Data Acquisition (SCADA) systems
• Complete gateway that translates Modbus/TCP to Modbus/RTU
• Are networks of computers that monitor and control industrial
machines and processes
• Complete packet flooder to observe effects of different packet types on
testbed
• Are vulnerable
• Implement methods other than Denial of Service attacks, including attacks
to achieve pre-determined results
• Vulnerabilities include insecure protocols, lack of program updates, and
access from the Internet [1, 2]
• Increase in critical infrastructure espionage and sabotage attacks
• “Repository of Industrial Security Incidents (RISI), which records
cyber security incidents directly affecting SCADA and process control
systems, shows the number of incidents increasing by approximately
20% a year over the last decade” [3]
• Testbeds provide insight into the causes and effects of attacks on a
system, and as a result, enhance awareness of the current state of
industrial control systems security
Objectives
• Create a simulation testbed that
“ArduinoUnoFront.jpg,” Arduino, [Online]. Available: http://arduino.cc/en/Main/arduinoBoardUno [Accessed: July 2013].
“C000drd_small.jpg,” PLC Direct Benelux, [Online]. Available: http://www.plcdirect.eu/EN/script/P_products-detail.asp?ID=5344 [Accessed: July 2013].
Ping
Motor
Sensor
References
[1] Huitsing, P., Chandia, R., Papa, M., and Shenoi, S., “Attack taxonomies for
the Modbus protocols,” International Journal of Critical Infrastructure
Protection, vol. 1, pp. 37-44, Dec. 2008.
[2] Fovino, I., Carcano. A, Masera, M., and Trombetta, A., “An experimental
investigation of malware attacks on SCADA systems,” International Journal of
Critical Infrastructure Protection, vol. 2, no. 4, pp. 139-145, Dec. 2009.
Before ping flooding motor. All packets received by the
motor with an average round trip time of 1 ms.
Before ping flooding sensor. All packets received by
the sensor with an average round trip time of 2 ms.
• Uses different industrial vulnerabilities and protocols
• Allows for quick emulation of different attack situations
• Simulates an Internet connected SCADA system
• Design attacks for the testbed by reviewing and analyzing existing
attack techniques
• Incrementally increase difficulty of attacks and place firewall in testbed to
prevent ping flood
After ping flooding motor. “Request timed out.” All
packets lost.
After ping flooding sensor. “Request timed out.” All
packets lost.
DISCLAIMER: This material is based on work supported by the National Science Foundation and the Department of Defense under grant No. CNS-1263183. Any opinions,
findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation or the Department of
Defense.
[3] Staggs, K., and Byres, E., “Cyber wars,” Hydrocarbon Eng., Oct, 2010.
[4] MODICON, Inc., “Modicon Modbus Protocol Reference Guide,”
The Modbus Organization, June, 1996, [Online]. Available:
http://modbus.org/docs/PI_MBUS_300.pdf [Accessed: July 2013].
[5] “Modbus TCP/IP,” Simply Modbus, [Online]. Available:
http://www.simplymodbus.ca/TCP.htm [Accessed: July 2013].
[6] Bester, J., “simple-modbus,” Google Code, [Online]. Available:
https://code.google.com/p/simple-modbus/ [Accessed: July 2013].