Electronic Security Perimeter
Is this system air-gapped?
No.
But…
•it’s fiber optic.
•we own the network.
•we own the wireless network.
Electronic Security Perimeter
Is this system air gapped?
No.
What is this?
•Leased line from phone company?
•Does the utility sell BW to 3rd parties?
Common configuration
Control Room
Outstation
DMZ
WWW
Enterprise Network
Can malware infect the control
room or outstation? Yes
Control Room
Outstation
DMZ
WWW
Enterprise Network
Can malware infect the control
room or outstation? Yes
Control Room
Outstation
DMZ
WWW
Enterprise Network
What about serial? RS-232/485
Stuxnet
Take aways
Industrial control system networks are
not commonly air gapped, though the
control system engineers may think it is.
 Industrial control systems can be
infected by malware.
 Electronic security perimeter alone is
insufficient.
 Need a defense in depth approach.

Network Intrusion Detection for
Industrial Control Systems

Physical
 Wireless IDS
 Not much at this level

Physical
Network, Transport
 Detect well known attacks
Data Link
○ Tear drop, LAND, port scanning, Ping
 Common protocol rules
○ TCP, IP, UDP, ICMP

Network
Application Layer
 Detect protocol mutations
 Detect protocol specific DOS attacks
 Model Based IDS to detect system level attacks
○ measurement injection
○ command injection
○ system state steering
Transport
Application
Short
circuit
CT
CT
Relay
Relay
Router
Relay tripped
MSU
Tommy Morris
Transmission Line
Network
Causal Network Graphs for
Intrusion Detection

Map power system scenarios to a graph
with
 Nodes representing a set of time ordered
measureable events
 Multiple existing sources of data
 Unique path through graph for each
scenario

Classify events real time
Causal Network Graphs for Intrusion
Detection – Case Study

Power system events
 Over current fault – high current -> open breaker
 Remote trip – operator remotely opens breaker
for maintenance
 Local trip at face plate – technician trips relay at
the face plate

Cyber Events - threats
 command injection attack to remotely trip the
relay
 man-in-the-middle (MITM) attack on
synchrophasor system (I=0)
 man-in-the-middle (MITM) attack on
synchrophasor system (I>Itrip)
Measureable Events

Relay
 breaker status

Energy Management System (EMS)
 Command from EMS to remote trip

Synchrophasor system measurements
 current measurements (60 samples per
second)

Snort network signatures
 detect network message to trip the relay
Bayesian Network Graph ->
Causal Event Graph
PMU@T1
Snort
EMS
Relay
PMU@T2
IH, Sn,
RT
IN, Sn, RT
Breaker
open
IH
IH, Sn,
RT
Breaker
closed
IN
IH, Sn, RT
fault
I0
command
injection
remote
trip
MITM
IPMU>ITrip
Causal Event Graph Signatures
IH, Sn,
RT
IN, Sn, RT
IN, Sn, RT
I0, Sn, RT
IH, Sn, RT
IN, Sn, RT
Breaker
open
Breaker
open
Breaker
open
Breaker
closed
Breaker
closed
Breaker
open
I0
I0
I0
I0
IH
I0
1) Fault
2)
Command
Injection
3)
Scheduled
Trip
4) MITM
5) MITM 6) Local Trip
Attack I=0 Attack I>ITrip
Hand mapped the signatures to a custom intrusion detection
program.
time
Laboratory Validation – proof of
concept
B1
B2
BR2
BR1
L1
G1
R1
R2
L
•RTDS Simulation
•Implemented each scenario
•Data loggers to capture measurements
•Offline intrusion detection program
•Successful classification of all scenarios
Snort
Relay logs
EMS logs
Attack
Detection
Program
Synchrophasor
Measurements
Future Work Causal Event Graphs

Scale to more realistic systems
 Breaker and half
 Relay coordination
 Expanded relaying scheme support
Real time IDS
 Move from Boolean to probabilistic IDS
 Automate graph to IDS signatures
 Measure accuracy and computational
cost

PMU
PMU
PDC
PMU
EMS
PMU
PDC
Historian
PDC
Eng’g
Analysis
Transmission Line
Network
PMU
*not shown (the 3 circuits above are part of an
Syncrophasor System Equipment

Phasor Measurement Unit (PMU)
 Synchronized phasor measurements
 1uS synchronization, IEEE 1588, GPS
 3-phase voltage phasors, current phasor

Phasor Data Concentrator (PDC)
 Concentrate PMU streams
 Detect missing data
 Interpolate for missing data

IEEE C37.118 -> IEC 61850 90-5
Snort Rules for Synchrophasor
Systems

Synchrophasor systems being installed across
country by utilities with ARRA grants
 Improved electric grid visibility
○ Detect disturbances sooner
 Wide area protection
○ React to disturbances quickly to limit outage
 IEEE C37.118 - Synchrophasor Network

Protocol
Need to develop Snort rules to
 Protect against IEEE C37.118 protocol mutation
type attacks
 Detect reconnaissance, DOS, command
injection, and measurement injection attacks
Snort Rules for Synchrophasor
Systems – Protocol Mutation
2
Frame Type
Check
Stand-alone
SYNC[0]{6:4} != (0, 1, 2, 3, 4)
Simple check – is this a legal frame?
10
ConfigFrame: (FORMAT[0]{1} == 0 &&
FORMAT[0]{0} == 1) && DataFrame:
(PHASORS[0:1] (Polar angle) > 31,416) ||
(PHASORS[0:1] (Polar angle) < -31,416)
Does the polar range in the data frame match the
description in the configuration frame?
11
Polar Range Multipacket
Data Frame
size check
Multipacket
EXPECTED FRAMESIZE != ACTUAL
FRAMESIZE
Does the frame size match the frame size calculated from examing the
configuration frame?
Retrofit SNORT Intrusion Detection for
Industrial Control Systems
control logic
MTU
tap
Set Point
System Mode
Control Scheme
Pump Override
Relief Override
PID Setpoint
PID Gain
PID Reset
PID Rate
PID DB
PID CT
Output
Pump State
Relief State
Pressure
pump
relief
RTU
pipeline
Snort
•Detect Attacks
•Command Injection
•Measurement Injection
•Reconnaissance
•Denial of Service
Snort Protocol Rules for MODBUS


Reviewed specification and developed a
fuzzing framework.
Using fuzzing framework to guide rule
development.
○ Rules for specific frame types
○ Function codes in frames define payload contents
○ Rules based upon relationships between frames
 query and response must match
○ Response special cases – exception frames
 match defined exceptions to query function code and
error types
Cybersecurity Testing and Risk
Assessment for Industrial Control Systems
Denial of
Service
Device
Security
Assessment
Confidentiality,
Integrity
Known attacks
Security
features
Password
confidentiality
High volume
traffic
Standards
conformance
Password
storage
Port scan
Protocol
mutation
Vulnerability
scan
Man-in-themiddle
•Many vulnerabilities identified and
communicated to vendor and project partner.
•All addressed
•Firmware fixes
•New security features
•System architecture changes
Critical Infrastructure Protection Center
Identify vulnerabilities,
implement attacks, investigate
impact on physical systems.
Develop security solutions;
system protection, intrusion
detection, attack resilience
Train engineers and scientists
for control systems security
careers.
Cyber
Security
Industrial
Control
Systems
Tommy Morris
Asst. Prof.
Director, CIPC
Industrial Control
System Security
Uttam Adhikari
PHD ECE
Power System
Cybersecurity
Quintin Grice
MS ECE
Relay Settings
Automation
Drew Richey
MS ECE
Ladder logic to
Snort Rules
David Mudd
MS ECE
SCADA Virtual
Test Bed
Read Sprabery
BS CPE
Power System
Cybersecurity
Wei Gao
PHD ECE
SCADA Intrusion
Detection
Shengyi Pan
PHD ECE
Power System
Cybersecurity
Lalita Neti
MS ECE
Relay Settings
Automation
Joseph Johnson
BS EE
Control Systems