Cyber Security Considerations for Electric Power Systems
Tommy Morris
Director, Critical Infrastructure Protection Center
Assistant Professor, Electrical and Computer Engineering
Mississippi State University
morris@ece.msstate.edu
(662) 325-3199

Electronic Security Perimeter
Is this system air-gapped? No. But…
• it’s fiber optic.
• we own the network.
• we own the wireless network.

Electronic Security Perimeter
Is this system air-gapped? No. What is this?
• Leased line from phone company?
• Does the utility sell BW to 3rd parties?

Common configuration
[Diagram: Control Room, Outstation, DMZ, WWW, Enterprise Network]
Can malware infect the control room or outstation? Yes
What about serial? RS-232/485
Stuxnet

Takeaways
Industrial control system networks are not commonly air-gapped.
Industrial control systems can be infected by malware.
An electronic security perimeter alone is insufficient protection.
Need a defense in depth approach.

Risk Assessment
Should consider
• likelihood of attack
• cost of attack
• impact of attack
Compared to
• cost of prevention
• likelihood of prevention

Interruption (Denial of Service)
An asset of the system is destroyed or becomes unavailable or unusable
Attack on availability
• Destruction of hardware
• Cutting of a communication line
• Disabling the file management system
May not be physical destruction. May be temporary.
ECE 8990 Smart Grid

DOS Prevention
Monitor and react
• Monitor network traffic for DOS attacks
• Close offending ports
Is it OK to close a network port in an ICS network?
Test devices for vulnerability
○ Protocol mutation (fuzzing)
○ Known attacks
○ Floods
Share results (ethically)
Force vendor to patch

Interception
An unauthorized party gains access to an asset
Attack on confidentiality
• Wiretapping to capture data in a network
• Intercepting a password -> bad
• Intercepting a password file -> worse
• Intercepting ICS data from an RTU. Is that bad?

Modification
An unauthorized party not only gains access but tampers with an asset
Attack on integrity
• Change values in a data file
• Alter a program to make it perform differently
• Modify content of messages transmitted on a network: man-in-the-middle (MITM)

Modification
Modification in ICS -> very bad
Feedback control uses
○ sensors to monitor the physical process
○ controllers to control the physical process.
Modifying the measured output, measured error, system input, or reference affects the system output.

Modification
Need to defend the sensor.
Need to defend the device which measures error.
Need to defend the controller.
Need to defend the communication network.
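Worked example (added here, not part of the slides) of the point above: a discrete PI controller regulating a first-order plant, run once honestly and once with an attacker adding a constant offset to the sensor measurement. The controller gains, the plant model and the bias value are constructed assumptions, not numbers from the slides.

```python
# Added example: measurement injection against a feedback control loop.
# Plant, gains and bias are constructed for illustration.

def simulate(steps=200, dt=0.1, ref=1.0, kp=2.0, ki=1.0, sensor_bias=0.0):
    """Return the true plant output y after `steps` iterations.

    sensor_bias models a measurement injection attack: the controller
    acts on y + sensor_bias instead of the real y, so it regulates the
    tampered value to the reference and drives the real output elsewhere.
    """
    y = 0.0        # true plant state (e.g. normalised pipeline pressure)
    integ = 0.0    # integral of the measured error
    for _ in range(steps):
        measured = y + sensor_bias      # what the controller receives
        err = ref - measured            # measured error
        integ += err * dt
        u = kp * err + ki * integ       # controller output = system input
        u = max(-5.0, min(5.0, u))      # actuator saturation
        y += dt * (-y + u)              # first-order plant: dy/dt = -y + u
    return y


def compare(sensor_bias):
    """Return (honest_output, attacked_output) for the same reference."""
    return simulate(), simulate(sensor_bias=sensor_bias)


if __name__ == "__main__":
    honest, attacked = compare(0.3)
    print(f"honest loop settles at {honest:.3f}, attacked loop at {attacked:.3f}")
```

With integral action the controller cancels whatever error it sees, so a bias of +0.3 on the sensor settles the real output 0.3 below the reference while the operator's display shows it on target.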
Fabrication
Unauthorized party inserts counterfeit objects into the system
Attack on authenticity
• Insertion of spurious messages in a network
• Addition of records to a file
• ICS – insertion of spurious/unwanted/unauthorized control
• ICS – adding data to a historian

ICS Example
[Diagram: GPS clock (reference) -> Phasor Measurement Units (PMU) (sensor) -> network -> Phasor Data Concentrator (PDC) (network appliance) -> network -> Energy Management System (error measurement, controller)]

Network Intrusion Detection for Industrial Control Systems
Physical layer: wireless IDS. Not much at this level.
Data Link, Network, Transport layers:
• Detect well known attacks
○ Tear drop, LAND, port scanning, Ping
• Common protocol rules
○ TCP, IP, UDP, ICMP
Application layer:
• Detect protocol mutations
• Detect protocol specific DOS attacks
• Model Based IDS to detect system level attacks
○ measurement injection
○ command injection
○ system state steering
Most of our work is here.

IDS Framework for Synchrophasor Systems
Synchrophasor systems being installed across the country by utilities with ARRA grants
• Improved electric grid visibility
○ Detect disturbances sooner
• Wide area protection
○ React to disturbances quickly to limit outage
IEEE C37.118 - Synchrophasor Network Protocol
Need to develop Snort rules to
• Protect against IEEE C37.118 protocol mutation type attacks
• Detect reconnaissance, DOS, command injection, and measurement injection attacks
Read Sprabery has identified approximately 36 rules and is writing and testing now.

IDS framework for MODBUS
Reviewed MODBUS specification and developed a fuzzing framework.
Using fuzzing framework to guide rule development.
○ Rules for specific frame types
○ Function codes in frames define payload contents
○ Rules based upon relationships between frames: query and response must match
○ Response special cases – exception frames match defined exceptions to query function code and error types
50 rules in development

IDS Framework
[Diagram: ICS network monitored by Snort]

Example Attack
[Diagram: wireless link into the ICS network]
1. Radio Discovery < 24 hrs.
2. Infiltration < 30 days
3. Data Injection or Denial of Service Attack
4. Broken Feedback Control Loop

SNORT Intrusion Detection for Industrial Control Systems
[Diagram: control logic on the MTU, network tap feeding Snort, RTU controlling a pipeline pump and relief valve. Monitored points: Set Point, System Mode, Control Scheme, Pump Override, Relief Override, PID Setpoint, PID Gain, PID Reset, PID Rate, PID DB, PID CT, Output, Pump State, Relief State, Pressure]
Snort
• Detect Attacks
• Command Injection
• Measurement Injection
• Reconnaissance
• Denial of Service

Cybersecurity Testing and Risk Assessment for Industrial Control Systems
[Diagram: RTDS, MU4000, PC, Historian, Substation, PMU, Router, PDC, Bus]

Cybersecurity Testing and Risk Assessment for Industrial Control Systems
Device Security Assessment
Categories: Denial of Service; Confidentiality, Integrity; Security features
Tests:
• Known attacks
• High volume traffic
• Port scan
• Protocol mutation
• Vulnerability scan
• Man-in-the-middle
• Password confidentiality
• Password storage
• Standards conformance
• Many vulnerabilities identified and communicated to vendor and project partner.
• All addressed
○ Firmware fixes
○ New security features
○ System architecture changes

CIPC Lab Growth
Continue to add systems
Currently designing SCADA lab upgrades to increase diversity and complexity.
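An added example, not code from the MSU IDS framework, of the query/response relationship checks described in the MODBUS slides above: a small Modbus/TCP frame parser plus a pairing check that flags a mismatched transaction or unit id, a function code that does not match the query, an undefined exception code, and a byte count that does not match the quantity requested. The frames are constructed samples, not captures.

```python
import struct

# Constructed sample Modbus/TCP frames (not captured from a real device):
# MBAP header = transaction id, protocol id, length, unit id; then the PDU.
QUERY_FC3 = bytes.fromhex("000100000006" "0103" "0000" "0002")  # read 2 holding regs at 0
GOOD_RESP = bytes.fromhex("000100000007" "0103" "04" "000a0014")  # 4 data bytes for 2 regs
EXC_RESP = bytes.fromhex("000100000003" "0183" "02")              # exception 02, illegal data address

# Exception codes defined by the MODBUS application protocol specification.
VALID_EXCEPTIONS = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x0A, 0x0B}


def parse(frame):
    """Split a Modbus/TCP frame into MBAP header fields and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    return {"tid": tid, "pid": pid, "len": length, "uid": uid,
            "fc": fc, "data": frame[8:], "raw_len": len(frame)}


def check_pair(query, response):
    """Return the rule violations found for one query/response pair."""
    q, r = parse(query), parse(response)
    alerts = []
    for name, f in (("query", q), ("response", r)):
        if f["pid"] != 0:
            alerts.append(f"{name}: protocol id {f['pid']} is not 0")
        if f["len"] != f["raw_len"] - 6:            # length counts unit id + PDU
            alerts.append(f"{name}: length field {f['len']} does not match frame size")
    if r["tid"] != q["tid"] or r["uid"] != q["uid"]:
        alerts.append("response transaction/unit id does not match query")
    if r["fc"] == (q["fc"] | 0x80):                  # exception response
        if len(r["data"]) != 1 or r["data"][0] not in VALID_EXCEPTIONS:
            alerts.append("malformed or undefined exception code")
    elif r["fc"] != q["fc"]:
        alerts.append(f"function code mismatch: query {q['fc']} response {r['fc']}")
    elif q["fc"] == 3:                               # read holding registers
        quantity = struct.unpack(">H", q["data"][2:4])[0]
        if len(r["data"]) != 1 + 2 * quantity or r["data"][0] != 2 * quantity:
            alerts.append("byte count does not match quantity requested")
    return alerts


if __name__ == "__main__":
    print(check_pair(QUERY_FC3, GOOD_RESP))   # []
    print(check_pair(QUERY_FC3, EXC_RESP))    # []
```

A Snort preprocessor or stateful rule would keep the outstanding queries keyed by transaction id and run this check when the matching response arrives; only function code 3 gets a payload-shape rule here, the other function codes need their own.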
Needs
• RTDS Expansion
• Achilles Satellite Security Analyzer

Center for Computer Security Research
Cyber Security Education
• Information and Computing Security
• Computer Crime and Forensics
• Network Security and Cryptography
• Industrial Control System Security
• Advanced Network Security
• Advanced Digital Forensics
• Trustworthy Computing
• Internet Security Protocols
Scholarship Programs
• NSF Scholarship for Service
• DOD Information Assurance Scholarship
National Forensics Training Center
Critical Infrastructure Protection Center
National Center of Academic Excellence in Information Assurance Education
National Center of Academic Excellence in Research
Research Partners

Critical Infrastructure Protection Center
Identify vulnerabilities, implement attacks, investigate impact on physical systems.
Develop security solutions: system protection, intrusion detection, attack resilience.
Train engineers and scientists for control systems security careers.

Cyber Security for Industrial Control Systems
Tommy Morris, Asst. Prof., Director, CIPC: Industrial Control System Security
Ray Vaughn, V.P. Research, Giles Distinguished Professor: Software Engineering and Computer Security
Dave Dampier, Professor, Director, CCSR: Computer Forensics
Mahalingam Ramkumar, Assoc. Prof.: Trustworthy Computing
Yogi Dandass, Assoc. Prof.: Root Kit, Hypervisor Detection
Wesley McGrew, Research Associate: Human Machine Interface Security, Software Vulnerability and Exploitation
Robert Gosselin, BS EE
Quintin Grice, MS ECE
Uttam Adhikari, PhD ECE
Jeff Hsu, BS EE
David Mudd, MS ECE
Wei Gao, PhD ECE
Read Sprabery, BS CPE
Shengyi Pan, PhD ECE
Lalita Neti, MS ECE
Joseph Johnson, BS EE