Incorporating Model-based Intrusion Detection Into a Secure Topology for Electric Power System SCADA Networks

John W. Copeland
Columbus State University
Columbus, Georgia
copeland_john@csu.edu

Abstract— This paper describes a secure topology for electric power system SCADA (Supervisory Control and Data Acquisition) networks that includes a variation of the model-based intrusion detection system described in [1]. Electric power system SCADA systems have evolved over the past 50 years from independent systems with no interconnectivity with other systems to networked systems using common protocols such as IP [2]. The “security through obscurity” upon which the early independent systems relied no longer exists, and significant vulnerabilities now reside in this critical infrastructure. The risks associated with these vulnerabilities are exacerbated by several current socio-economic conditions and by the widespread availability of the technology used in current SCADA systems. The consequences of a successful attack on a SCADA network could easily exceed those of the northeast blackout of 2003. That incident affected approximately 50 million people, cost approximately $4 billion – $6 billion, and contributed to eleven fatalities [3,4]. In the Energy Policy Act of 2005, an Electric Reliability Organization (ERO) was created to develop and enforce compliance with reliability standards. NERC (North American Reliability Corporation) was designated as the Electric Reliability Organization. It has developed cyber security standards for the Bulk Power System and has the authority to enforce these standards, including the ability to fine those not in compliance up to $1 million per day. Secure SCADA systems are, therefore, required for public health and safety and are mandated by law.

I. INTRODUCTION

Early electric power system SCADA systems were characterized by specialized hardware using proprietary communication protocols to communicate with dedicated mainframe computers over radio, modem, or direct serial links. They provided two fundamental services: (1) collection and display of real-time binary and analog data describing the current state of the system, and (2) the ability to remotely control system devices such as switches and circuit breakers. These systems, although not entirely secure, were protected to a large degree by the relative obscurity of the technology used. While some of this legacy technology remains in place today, modern systems currently being developed and installed, in addition to providing real-time data collection and remote device control, are collecting large quantities of non-real-time data for maintenance, load control, and billing purposes and also provide remote access to the IED’s (Intelligent Electronic Devices) installed on the system for protection, equipment monitoring, and metering. These systems are based upon more standard and well-known technologies, including Windows operating systems, Ethernet, SONET, frame relay, and FDDI networks, and TCP/IP-based protocols, and are subject to the wide variety of vulnerabilities associated with these technologies. In addition, software tools (e.g., protocol test sets for SCADA protocols that have been adapted for use with TCP/IP) are readily available, making the exploitation of these vulnerabilities especially easy.

Moreover, several socio-economic conditions have been identified that add to the current risks to electric power system SCADA systems, including the increased threat of domestic and international terrorism, industry deregulation resulting in instability in the industry’s job market and thus in disgruntled employees and ex-employees, the growing number of computer-literate people, and widely available hacker tools [5]. Possible consequences of exploitation of present vulnerabilities include:

- Access to corporate applications from the SCADA network to obtain credit and personal information.
- Access to power system information that could be used by an unscrupulous competitor for unfair advantage.
- Control of system devices leading to immediate equipment damage and/or local or widespread power system outages lasting up to several days.
- Changing the settings of protective and control devices or planting malicious code, leading to delayed equipment damage, DoS attacks, and local or widespread power system outages lasting up to several days.
- Perturbing binary and analog data reported to real-time control centers, leading to incorrect actions by system operators.
- Reconnaissance of protective and control device settings that could be used in a later attack.
- Exposure to DoS attacks that disable critical monitoring and control functions.

Three proposals are presented below to mitigate these risks:

- The inclusion of a model-based intrusion detection system in the SCADA network. This IDS is presented in [1] and described in Section III, where some enhancements to it are suggested.
- Encryption of data packets transmitted over the SCADA network, described in Section IV.
- A network topology that includes the model-based IDS and data encryption and that provides inherent security, described in Section V.

II. RELATED WORK

[Figure 1 (adapted from [6]): SCADA data flows among the RTUs, the FEP, the Application Server, the Data Historian Server, and the ICCP Server.]

In [6], the authors present three adaptations of traditional information technology intrusion detection methods that make them more effective in SCADA applications. First, the authors suggest deep packet inspection of network traffic combined with SCADA protocol-specific intrusion detection signatures to detect malicious buffer overflow exploits. Traditional IT intrusion detection detects malformed packets, but correctly formed packets can contain data length headers that exceed the static buffer lengths in SCADA system devices, and these would not be detected by the traditional systems. Development of signatures containing the acceptable data length headers for the SCADA system devices, combined with the suggested deep packet inspection, would allow the detection of buffer overflow exploitation attempts.

Secondly, the authors, leveraging the fact that SCADA networks tend to be static, both in terms of network topology and the tasks performed on the network, describe an intrusion detection method based on network traffic flow analysis. Because of this characteristic of SCADA networks, it is possible to map out all network traffic flows and detect flows that do not match the normal traffic. For example, in Figure 1, legitimate traffic may flow between the front-end processor (FEP) and a remote terminal unit (RTU), but not between the data historian server and an RTU.

Finally, the authors point out that the signature analysis and network traffic analysis intrusion detection methods are ineffective against man-in-the-middle attacks. They suggest that examining network data inconsistencies could be an effective method of detecting this type of intrusion. For example, in Figure 1, data typically flows from the RTU to the FEP, from the FEP to the application server, and from the application server to the data historian and ICCP server. Control commands travel from the application server to the FEP and then on to the RTU. A MiM attack occurring between the FEP and RTU would allow the attacker to initiate a control operation to a SCADA device and then report an incorrect status (indicating that the control operation had not occurred) to the application server through the FEP. This would result, however, in an inconsistency in the per-network database, in that a control operation was sent from the FEP but not from the application server, where control commands must originate. The identification of this inconsistency could allow the detection of the MiM attack described.

III. MODEL-BASED INTRUSION DETECTION

Despite the threat of unauthorized writing to system and protection devices, which can cause severe consequences, only about one-quarter [5] of electric power utilities are presently using intrusion detection systems. The proposal presented in this section is to implement a modified version of the model-based intrusion detection system presented in [1]. Model-based intrusion detection is a scheme in which violations of a model that characterizes the expected or acceptable behavior of a system are detected. The primary advantage of these model-based solutions is that, unlike signature-based schemes, they have the potential to protect against zero-day attacks.

The SCADA protocol that was selected in [1] is Modbus TCP. The original Modbus protocol was designed for serial asynchronous communication. It defines two types of messages: a request issued from the client and a response to the client from the server. Both of these messages are made up of two parts: a function code and the function data for a request, and a function code and response data for the response. These two parts make up the PDU (Protocol Data Unit). In Modbus TCP, a 7-byte header is added to the PDU to form an ADU (Application Data Unit) [7]. In developing the model-based IDS presented in [1], the authors used various characteristics of the Modbus protocol to develop a rule set for acceptable Modbus requests and responses. For example, the function codes in Modbus ADU’s are restricted to, at most, the values 1-127. Function codes outside this range could indicate an intrusion attempt. The length field in the ADU is another example of a constraint placed on Modbus requests and responses.
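The two flow-based checks from Section II, the static traffic-flow model and the control-command consistency check that exposes the man-in-the-middle scenario, as an added example that is not code from the paper or from [6]. The host names, message kinds, and the four-field sensor log format are assumptions; the trace is constructed to contain one forbidden flow and one control command that never originated at the application server.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one observed SCADA message: source host, destination host,
// message kind and the data point it concerns ("-" when not applicable).
type Event struct {
	Src, Dst, Kind, Point string
}

// Model holds the legitimate (src, dst, kind) triples. Built from the
// flows the paper attributes to Figure 1; the host names are assumptions.
type Model map[string]bool

func flowKey(src, dst, kind string) string { return src + ">" + dst + ":" + kind }

// NewModel enumerates the expected flows: polls and status between FEP and
// RTU, status up to the application server, archiving to historian and ICCP,
// and control commands flowing AppServer -> FEP -> RTU.
func NewModel() Model {
	m := Model{}
	for _, f := range [][3]string{
		{"RTU", "FEP", "status"}, {"FEP", "RTU", "poll"},
		{"FEP", "AppServer", "status"},
		{"AppServer", "Historian", "archive"}, {"AppServer", "ICCP", "archive"},
		{"AppServer", "FEP", "control"}, {"FEP", "RTU", "control"},
	} {
		m[flowKey(f[0], f[1], f[2])] = true
	}
	return m
}

// ParseLog turns constructed sensor lines "src dst kind point" into events.
func ParseLog(log string) []Event {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue // malformed line: skipped here, would be its own alert in production
		}
		evs = append(evs, Event{f[0], f[1], f[2], f[3]})
	}
	return evs
}

// FlowAlerts reports every event whose (src, dst, kind) is absent from the
// model, e.g. the historian talking directly to an RTU.
func FlowAlerts(m Model, evs []Event) []string {
	var alerts []string
	for _, e := range evs {
		if !m[flowKey(e.Src, e.Dst, e.Kind)] {
			alerts = append(alerts, fmt.Sprintf("unexpected flow %s->%s (%s)", e.Src, e.Dst, e.Kind))
		}
	}
	return alerts
}

// ConsistencyAlerts implements the data-inconsistency check: a control
// command seen on the FEP->RTU link must have been preceded by the same
// control from the application server to the FEP, because that is where
// control commands originate. A lone FEP->RTU control is the signature of
// the man-in-the-middle scenario described in Section II.
func ConsistencyAlerts(evs []Event) []string {
	pending := map[string]int{} // point -> controls issued by AppServer, not yet seen at the RTU
	var alerts []string
	for _, e := range evs {
		if e.Kind != "control" {
			continue
		}
		switch {
		case e.Src == "AppServer" && e.Dst == "FEP":
			pending[e.Point]++
		case e.Src == "FEP" && e.Dst == "RTU":
			if pending[e.Point] == 0 {
				alerts = append(alerts, fmt.Sprintf("control of %s sent to RTU without application-server origin", e.Point))
				continue
			}
			pending[e.Point]--
		}
	}
	return alerts
}

// SampleLog is a constructed trace: a normal poll, a legitimate control of
// breaker CB12, a forbidden historian->RTU flow, and an injected control of CB7.
const SampleLog = `
FEP RTU poll -
RTU FEP status CB12
AppServer FEP control CB12
FEP RTU control CB12
Historian RTU poll -
FEP RTU control CB7
`

func main() {
	evs := ParseLog(SampleLog)
	for _, a := range FlowAlerts(NewModel(), evs) {
		fmt.Println("FLOW:", a)
	}
	for _, a := range ConsistencyAlerts(evs) {
		fmt.Println("CONSISTENCY:", a)
	}
}
```

The flow check alone would pass the injected CB7 command, since FEP->RTU control is a legitimate flow; only the consistency check, which correlates the two segments of the control path, reports it.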
The length field in the ADU indicates the number of bytes included in the following fields. Since the maximum number of bytes in the PDU is 253, and the unit field following the length field is always 1 byte, the length field must be between 1 and 254. A complete set of Modbus IDS rules has been developed by Digital Bond (http://www.digitalbond.com/) and was implemented by the authors in Snort (an open-source signature-based IDS).

Communication-based patterns were also used to model the acceptable behavior of the network. This approach is feasible because there is typically a small set of applications running on a SCADA network, as compared with general TCP/IP networks. Acceptable communication paths were defined using Snort rules and incorporated into the model.

Finally, the authors used detection of changes in server and service availability to detect possible intrusions. Two detectors were used: the EMERALD Bayes sensor and EModbus. The EMERALD Bayes sensor learns the active services on the network and rapidly detects when a service is down. A misuse detector in the sensor is configured to be probabilistically less suspicious of services that appear to be down due to failure of the client, and more suspicious, and more likely to indicate a possible intrusion, for sessions accessing services which are not known to be valid. EModbus discovers the supported Modbus function codes, which vary by device, on the Modbus devices deployed on the network. Discovery of new function codes on the network after an appropriate discovery interval may indicate an unauthorized reconfiguration of a Modbus device.

An intrusion detection appliance for Modbus TCP networks was developed and tested by the authors. It included the EMERALD intrusion detection framework, eXpert-Net (a stateful protocol analyzer), and Snort with sensors specific to Modbus TCP based on the rules developed by Digital Bond, the Modbus protocol rules, the communication pattern rules, and EModbus described above. This appliance was tested on a testbed with positive results.

Several changes that could improve both the usability and reliability of the model-based IDS are suggested below.

Modbus is a simple protocol with limited capabilities whose primary design criterion was low bandwidth requirements. In a 2005 survey, none of the 99 participants reported the use of Modbus TCP, either within substations or between substations and control centers, while nearly one-quarter reported using DNP3 LAN (DNP3 embedded in TCP/IP), and most were planning to migrate to DNP3 LAN in the future [8]. While the simplicity of Modbus is helpful in proof-of-concept development, a more practical and useful choice of protocol would be DNP3 LAN, which is becoming the de facto industry standard in North America. Although DNP3 LAN is a more complex protocol, the principles developed in [1] could be applied to it to yield better results. DNP3 IDS rules have also been developed by Digital Bond.

Typical power system operation results in predictable communication patterns:

- Status changes and control operations of power system devices (switches, circuit breakers) occur more frequently during regular business hours, when maintenance and construction activities are normally performed.
- Status changes and control operations occur more frequently during inclement weather.
- System load, reported by SCADA analog values, varies according to a very predictable time-of-day model.
- Protection and control device configuration changes are infrequent and normally occur during regular business hours.

These predictable patterns could be incorporated into DNP3 LAN IDS rules and/or the model of communication patterns developed in [1]. Significant perturbations from the expected activity indicated by these regular patterns could indicate an intrusion.
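The protocol-level part of the model from Section III, as an added example that is not the paper's code, the Digital Bond rules, or EModbus: a Modbus TCP ADU parser that enforces the two constraints the paper states (function code within 1-127, length field within 1-254 and consistent with the bytes actually present), plus an EModbus-style tracker that learns the function codes each unit uses during a discovery interval and reports a new code afterwards. The frame builder, the unit numbers, and the data bytes are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ADU is a parsed Modbus TCP application data unit: 7-byte MBAP header
// (transaction id, protocol id, length, unit id) followed by the PDU.
type ADU struct {
	Transaction uint16
	Protocol    uint16
	Length      uint16
	Unit        byte
	Function    byte
	Data        []byte
}

// ParseADU applies the structural rules from Section III to a raw frame:
// the length field counts the unit byte plus the PDU, so it lies in 1..254
// and must match the bytes that actually follow it; the function code
// must be in 1..127.
func ParseADU(frame []byte) (ADU, error) {
	if len(frame) < 8 {
		return ADU{}, errors.New("frame shorter than MBAP header plus function code")
	}
	a := ADU{
		Transaction: binary.BigEndian.Uint16(frame[0:2]),
		Protocol:    binary.BigEndian.Uint16(frame[2:4]),
		Length:      binary.BigEndian.Uint16(frame[4:6]),
		Unit:        frame[6],
		Function:    frame[7],
		Data:        frame[8:],
	}
	if a.Protocol != 0 {
		return a, fmt.Errorf("protocol id %d is not Modbus (0)", a.Protocol)
	}
	if a.Length < 1 || a.Length > 254 {
		return a, fmt.Errorf("length field %d outside 1..254", a.Length)
	}
	// The header claims Length bytes follow it; a well-formed frame whose
	// claim exceeds the payload is exactly what a generic IDS lets through.
	if int(a.Length) != len(frame)-6 {
		return a, fmt.Errorf("length field %d but %d bytes follow it", a.Length, len(frame)-6)
	}
	if a.Function < 1 || a.Function > 127 {
		return a, fmt.Errorf("function code %d outside 1..127", a.Function)
	}
	return a, nil
}

// Discovery tracks the function codes each unit has been seen to use.
// While Learning is true new codes are recorded; afterwards a new code
// on a unit is reported as a possible unauthorized reconfiguration.
type Discovery struct {
	Learning bool
	Seen     map[byte]map[byte]bool // unit id -> function codes observed
}

func NewDiscovery() *Discovery {
	return &Discovery{Learning: true, Seen: map[byte]map[byte]bool{}}
}

// Observe returns an alert string, or "" when the frame fits the model.
func (d *Discovery) Observe(frame []byte) string {
	a, err := ParseADU(frame)
	if err != nil {
		return "malformed ADU: " + err.Error()
	}
	codes := d.Seen[a.Unit]
	if codes == nil {
		codes = map[byte]bool{}
		d.Seen[a.Unit] = codes
	}
	if !codes[a.Function] {
		if !d.Learning {
			return fmt.Sprintf("unit %d: new function code %d after discovery interval", a.Unit, a.Function)
		}
		codes[a.Function] = true
	}
	return ""
}

// Frame builds a constructed, correctly formed Modbus TCP request.
func Frame(tx uint16, unit, fn byte, data []byte) []byte {
	f := make([]byte, 7, 8+len(data))
	binary.BigEndian.PutUint16(f[0:2], tx)
	binary.BigEndian.PutUint16(f[2:4], 0)
	binary.BigEndian.PutUint16(f[4:6], uint16(2+len(data))) // unit byte + function code + data
	f[6] = unit
	f = append(f, fn)
	return append(f, data...)
}

func main() {
	d := NewDiscovery()
	d.Observe(Frame(1, 1, 1, []byte{0, 0, 0, 8})) // read coils, learned
	d.Observe(Frame(2, 1, 3, []byte{0, 0, 0, 2})) // read holding registers, learned
	d.Learning = false
	fmt.Println(d.Observe(Frame(3, 1, 5, []byte{0, 1, 0xff, 0}))) // write single coil: new code
	bad := Frame(4, 1, 1, []byte{0, 0, 0, 8})
	bad[4], bad[5] = 0x01, 0x2C // forge length field to 300
	fmt.Println(d.Observe(bad))
	fmt.Println(d.Observe(Frame(5, 1, 0x90, nil))) // function code 144
}
```

The discovery interval maps onto the Learning flag here; in a deployment it would be a clock, and the learned set would be persisted and reviewed before being trusted.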
Finally, since SCADA networks can be extremely large, incorporating thousands of remote terminals with hundreds of data points associated with each remote terminal, distributing the model-based IDS functions could make this solution more scalable. The Snort application with the associated DNP3 LAN rules could be installed on remote devices.

IV. ENCRYPTION

Surprisingly, while 43% of the respondents to a 2005 survey reported using public leased-line communications, only 6 of 95 respondents reported using encryption for SCADA data transmission [8]. This seems to allow significant and disturbing potential for eavesdropping, man-in-the-middle, and spoofing attacks. These attacks are made easier by the commonly available protocol test sets used for SCADA system maintenance and testing. Therefore, in addition to an IDS, SCADA systems should utilize encryption for confidentiality, message and data integrity, and authentication.

In [9], the author suggests three categories of solutions for securing SCADA communications:

- Solutions that wrap SCADA protocols with existing security protocols (SSL/TLS, IPSec) without changing the SCADA protocol itself.
- Solutions that alter the SCADA protocol.
- Applying selective cryptography.

Applying selective cryptography was selected as the best option, and an extensive investigation of this option is presented in [9] using the DNP3 protocol. In this study, authentication is provided by the addition of Authentication Octets to each request to a SCADA device. The Authentication Octets contain a hash digest that is encrypted with the SCADA master’s private key, but, to save processing time, the remainder of the message is not encrypted. The receiver of the message decrypts the hash digest using the sender’s public key and compares it to its independently calculated hash digest. This method protects against replay, spoofing, and modification attacks, but, since the message is not encrypted, not against eavesdropping.
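The Authentication Octets mechanism from [9] as described above, as an added example that is not code from the paper or from [9]: the master signs the SHA-256 digest of the clear-text request with its private key and appends the signature; the outstation recomputes the digest and checks the signature with the master's public key. The layout of the octets (a two-byte signature length followed by an RSA PKCS#1 v1.5 signature), the 2048-bit key, and the request bytes are assumptions made for the example; freshness of a request rests on whatever sequence information the DNP3 payload itself carries, which the constructed request stands in for with a seq field.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// AppendAuthOctets signs the SHA-256 digest of the request with the master's
// private key and appends the signature, leaving the request itself in clear.
// Layout (an assumption): request || sigLen (2 bytes, big endian) || signature.
func AppendAuthOctets(priv *rsa.PrivateKey, request []byte) ([]byte, error) {
	digest := sha256.Sum256(request)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, request...)
	var lenField [2]byte
	binary.BigEndian.PutUint16(lenField[:], uint16(len(sig)))
	out = append(out, lenField[:]...)
	return append(out, sig...), nil
}

// VerifyAuthOctets splits a received message into request and authentication
// octets, recomputes the digest over the clear-text request and checks the
// signature with the master's public key. It returns the authenticated
// request, or an error when the octets are missing, malformed or forged.
func VerifyAuthOctets(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	sigLen := pub.Size()
	if len(msg) < sigLen+2 {
		return nil, errors.New("message too short to carry authentication octets")
	}
	cut := len(msg) - sigLen - 2
	request, lenField, sig := msg[:cut], msg[cut:cut+2], msg[cut+2:]
	if int(binary.BigEndian.Uint16(lenField)) != sigLen {
		return nil, errors.New("signature length field does not match the key")
	}
	digest := sha256.Sum256(request)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("authentication octets rejected: %w", err)
	}
	return request, nil
}

// Demo exercises the mechanism on a constructed request and reports whether
// the genuine message was accepted and a modified one rejected.
func Demo() (accepted, tamperedRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	request := []byte("DNP3-OPERATE point=CB12 seq=17") // constructed stand-in for a DNP3 request
	msg, err := AppendAuthOctets(priv, request)
	if err != nil {
		return false, false, err
	}
	got, err := VerifyAuthOctets(&priv.PublicKey, msg)
	accepted = err == nil && bytes.Equal(got, request)

	// An on-path modification of the clear-text point name (CB12 -> CB13)
	// leaves the signature unchanged, so the digest no longer matches.
	tampered := append([]byte{}, msg...)
	i := bytes.Index(tampered, []byte("CB12"))
	tampered[i+3] ^= 0x01
	_, err = VerifyAuthOctets(&priv.PublicKey, tampered)
	tamperedRejected = err != nil
	return accepted, tamperedRejected, nil
}

func main() {
	accepted, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine request accepted:", accepted)
	fmt.Println("modified request rejected:", rejected)
}
```

Because the request stays in clear, anyone on the leased line can still read it; the mechanism gives origin and integrity, and confidentiality would require encrypting the payload as well.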
A second security enhancement is also suggested: authentication via challenge-response. This feature operates as follows. The authenticator sends a random challenge to the other party. The other party responds with a hash digest of the challenge plus a secret. The authenticator checks the response against its own calculation of the hash digest. This enhancement protects against man-in-the-middle attacks.

The DNP3 Technical Committee has considered the addition of a Message Authentication Object (MAO) to the DNP3 protocol [9]. This object would contain the result of a hash function performed on the concatenation of the message and a secret. Due to the widespread use of the DNP3 protocol in North America, research into the practical application of this potential enhancement could yield valuable security enhancements to SCADA networks in the future.

V. SCADA NETWORK TOPOLOGY

[Figure 2: secure SCADA network topology. External Network; Corporate Network with AV Server and WSUS Server; DMZ Network with Two-factor Authentication, Encryption, IDS, and Remote Access Management and Monitoring; Remote Access User; SCADA Master; two Remote LANs, each with a Data Concentrator (SCADA Slave), Host-based IDS, AV Protection, and Encryption.]

Figure 2 shows a network topology that incorporates the model-based IDS presented in [1] with the changes suggested in this paper. Along with the IDS, additional security features not typically found in existing SCADA networks are added. Modern SCADA networks, in addition to the usual data collection and control functions, can provide remote access to devices on the SCADA network. In Figure 2, this remote access is supervised by two-factor authentication and managed by a server which logs user sessions. The model-based IDS could also monitor this access when configured with an appropriate rule set.

Two remote LAN’s are shown in Figure 2. However, since there is typically one LAN per electric substation, there could be hundreds or even thousands of LAN’s in a large control area. On each LAN is a data concentrator. This device collects data from all local IED’s and provides a single slave for the SCADA master to poll. This device could also provide encryption services and anti-virus protection, and could host the local IDS. The firewall and routers at each remote site provide isolation between devices on different LAN’s and also control the traffic across the WAN. Remote patching of devices could also be accomplished via the SCADA network. A WSUS (Windows Server Update Services) server is shown in Figure 2 for the case of patching Windows-based devices.

VI. CONCLUSION

The electric power system is a key part of the nation’s critical infrastructure, and SCADA systems play a central role in its operation and protection. These systems have evolved from independent systems with little connectivity to networked systems based on well-known protocols, operating systems, and hardware, and this evolution has introduced significant security vulnerabilities. This paper outlines a layered “defense in depth” SCADA network topology that includes encryption, anti-virus protection, firewalls, strong authentication, and intrusion detection. The intrusion detection system proposed was adapted from the system described in [1].

REFERENCES

[1] Chung, S., Dutertre, B., Fong, M., Lindqvist, U., Skinner, K., “Using model-based intrusion detection for SCADA networks”, <http://www.csl.sri.com/papers/scadaIDS07/SCADA-IDS-S4-2007.pdf>
[2] “SCADA.” Wikipedia, The Free Encyclopedia. 6 November 18:34 UTC. <http://en.wikipedia.org/wiki/SCADA>
[3] “Northeast Blackout of 2003.” Wikipedia, The Free Encyclopedia. 8 November 13:16 UTC. <http://en.wikipedia.org/wiki/2003_North_America_blackout>
[4] “Probe to Shed Light on Blackout.”, CBS/AP. <http://www.cbsnews.com/stories/2003/08/14/national/main568409.shtml>
[5] Oman, P., Schweitzer, E., Roberts, J., “Safeguarding IEDS, Substations, and SCADA Systems Against Electronic Intrusion.” <http://www.selinc.com/techpprs/6118.pdf>
[6] Verba, J. and Milvich, M., “Idaho National Laboratory Supervisory Control and Data Acquisition Intrusion Detection System (SCADA IDS)”, 2008 IEEE Conference on Technologies for Homeland Security, pp. 469-473, May 2008.
[7] “Understanding Modbus Protocol”, <http://jamod.sourceforge.net/kbase/protocol.html>
[8] “The World Market for Substation Integration and Automation Programs in Electric Utilities: 2005 – 2007”, Newton-Evans Research Company, Inc., <http://www.trianglemicroworks.com/documents/DNP_UG_Report_Summary_from_Substation_A&I_Study.pdf>
[9] Patel, S., “Secure Internet-based communication protocol for SCADA networks”, DAI-B 67/08, Feb 2007, <http://proquest.umi.com/pqdlink?did=1208148131&Fmt=7&clientId=79356&RQT=309&VName=PQD>
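The two shared-secret mechanisms from Section IV, the challenge-response exchange and the Message Authentication Object, as an added example that is not code from the paper, from [9], or from the DNP3 Technical Committee. The paper describes both as a hash over data concatenated with a secret; this example uses HMAC-SHA256, the standard keyed construction for that purpose, and adds the two checks a verifier needs in practice: constant-time comparison and single use of each challenge. The secret, challenge size, and message bytes are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// keyedDigest is the shared primitive: HMAC-SHA256 of data under the secret.
func keyedDigest(secret, data []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(data)
	return m.Sum(nil)
}

// Authenticator is the side that issues challenges. It keeps only the
// outstanding challenge, so a response can be checked exactly once.
type Authenticator struct {
	secret    []byte
	challenge []byte
}

func NewAuthenticator(secret []byte) *Authenticator {
	return &Authenticator{secret: secret}
}

// Challenge draws 16 random bytes and sends them to the other party.
func (a *Authenticator) Challenge() ([]byte, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	a.challenge = c
	return c, nil
}

// Respond is what the other party computes: the keyed digest of the challenge.
func Respond(secret, challenge []byte) []byte {
	return keyedDigest(secret, challenge)
}

// Verify compares the response against its own calculation in constant time
// and consumes the challenge, so a captured response is worthless afterwards.
func (a *Authenticator) Verify(response []byte) bool {
	if a.challenge == nil {
		return false
	}
	expected := keyedDigest(a.secret, a.challenge)
	a.challenge = nil
	return hmac.Equal(expected, response)
}

// MAO computes the Message Authentication Object for a DNP3 message: a keyed
// digest that the receiver recomputes over the message it actually received.
func MAO(secret, message []byte) []byte {
	return keyedDigest(secret, message)
}

// CheckMAO accepts a message only if the attached object matches it.
func CheckMAO(secret, message, mao []byte) bool {
	return hmac.Equal(MAO(secret, message), mao)
}

// Demo runs both exchanges on constructed data and reports each outcome.
func Demo() (map[string]bool, error) {
	secret := []byte("constructed-shared-secret") // would be provisioned out of band
	auth := NewAuthenticator(secret)
	res := map[string]bool{}

	c, err := auth.Challenge()
	if err != nil {
		return nil, err
	}
	good := Respond(secret, c)
	res["genuine response accepted"] = auth.Verify(good)
	res["replayed response rejected"] = !auth.Verify(good)
	if c, err = auth.Challenge(); err != nil {
		return nil, err
	}
	res["wrong-secret response rejected"] = !auth.Verify(Respond([]byte("guess"), c))

	msg := []byte("DNP3 operate point=CB12 seq=18") // constructed stand-in for a DNP3 message
	tag := MAO(secret, msg)
	res["intact message accepted"] = CheckMAO(secret, msg, tag)
	altered := append([]byte{}, msg...)
	altered[len(altered)-1] = '9' // seq=18 -> seq=19 with the old MAO attached
	res["altered message rejected"] = !CheckMAO(secret, altered, tag)
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	for k, v := range res {
		fmt.Printf("%-32s %v\n", k, v)
	}
	fmt.Println("sample MAO:", hex.EncodeToString(MAO([]byte("k"), []byte("m")))[:16], "...")
}
```

The MAO check ties the digest to the message content, so the altered sequence number is caught; the challenge-response check ties a session to the secret holder, so a recorded response cannot be presented again after the challenge has been consumed.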