Figure 1 - uploaded by Thomas Morris
Electric Transmission SCADA Control System. The communication link in SCADA systems consists of two parts: the communication medium and the communication protocols. Communication media generally include wireless or wired networks. Wired networks may use leased line, Ethernet, serial cable, and fiber optic cable. Wireless networks may use standardized communication systems such as IEEE 802.11, ZigBee, and WirelessHART. Wireless links may also use proprietary implementations. Finally, wireless links may include long-distance solutions such as satellite and microwave. There are many standards for SCADA communication, including Fieldbus, EtherIP, Profibus, MODBUS and Distributed Network Protocol version 3 (DNP3). One common security flaw shared by all of these communication protocols is that they do not include cryptographic authentication, which means that the RTU and MTU cannot validate the origin of commands and responses, respectively.
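The caption's point that these protocols carry no cryptographic authentication is easiest to see on a concrete frame. The added example below (not code from the paper or its authors) builds a Modbus RTU frame with its CRC-16, shows that the only check an RTU performs is the CRC, which anyone on the link can compute, and contrasts that with a retrofit data logger that timestamps and HMAC-tags each captured frame so the stored record is tamper-evident. The logger key, frames and timestamps are constructed placeholders.

```python
# Added example (not from the paper): Modbus RTU CRC vs. a keyed tag on logged traffic.
# Key, frames and timestamps are constructed placeholders, not real deployment values.
import hmac
import hashlib
import struct


def modbus_crc16(data: bytes) -> int:
    """Modbus RTU CRC-16: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0xA001
    return crc


def build_rtu_frame(unit_id: int, function: int, payload: bytes) -> bytes:
    """Modbus RTU ADU: unit id, function code, data, then CRC low byte first."""
    pdu = bytes([unit_id, function]) + payload
    return pdu + struct.pack("<H", modbus_crc16(pdu))


def rtu_frame_is_valid(frame: bytes) -> bool:
    """The only check an RTU applies: CRC matches. It needs no secret, so it says
    nothing about whether the frame really came from the MTU."""
    if len(frame) < 4:
        return False
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    return modbus_crc16(body) == crc


# Retrofit data logger (bump-in-the-wire): each captured frame is stored with a
# timestamp, direction and an HMAC-SHA256 tag under a key only the logger holds, so
# post-incident review can detect altered or fabricated log records. HMAC stands in
# here for the signing step the logger description mentions.
LOGGER_KEY = b"constructed-demo-key-not-for-production"


def _record_bytes(ts: float, direction: str, frame_hex: str) -> bytes:
    return f"{ts:.6f}|{direction}|{frame_hex}".encode()


def log_record(direction: str, frame: bytes, ts: float, key: bytes = LOGGER_KEY) -> dict:
    """Capture one frame ('MTU->IED' or 'IED->MTU') as a tagged log record."""
    frame_hex = frame.hex()
    tag = hmac.new(key, _record_bytes(ts, direction, frame_hex), hashlib.sha256).hexdigest()
    return {"ts": ts, "direction": direction, "frame": frame_hex, "tag": tag}


def verify_record(rec: dict, key: bytes = LOGGER_KEY) -> bool:
    """True only if the record's timestamp, direction and frame are unmodified."""
    expected = hmac.new(key, _record_bytes(rec["ts"], rec["direction"], rec["frame"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec["tag"])
```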

Source publication
Conference Paper
SCADA systems are widely used in electricity generation, distribution, and transmission control systems. NERC CIP 002-009 requires bulk electric providers to secure critical cyber assets electronically and physically. Transmission and distribution substations contain cyber critical assets including remote terminal units (RTU), intelligent electroni...

Contexts in source publication

Context 1
... SYSTEM OVERVIEW SCADA control systems are distributed cyber-physical systems. Figure 1 shows an example of an electric transmission SCADA control system. Intelligent Electronic Devices (IED) are connected to sensors and actuators to interface directly with the electric transmission system. ...
Context 2
... an attacker may penetrate the SCADA communication link connecting the MTU and IED. In [3], Reaves and Morris discuss how to discover and connect to a proprietary SCADA radio used to form the MTU to IED communication link (such as that diagrammed in Figure 1) and then inject false responses and denial of service attacks into the network traffic. Finally, an attack may originate from an insider with physical or electronic access to the SCADA system. ...
Context 3
... control system data loggers should monitor and log all communications traffic to and from the MTU and IED. Figure 1 shows a SCADA control system with added data logger retrofits. This placement of data loggers will capture all network traffic associated with the attacks mentioned in section Error! ...
Context 4
... source not found.. Response injection attacks may originate from an attacker who has penetrated the communication link between the MTU and IED. The data logger running on the HMI host in Figure 1 will capture all network traffic associated with such response injection attacks. Command injection attacks may originate from a penetration of the corporate network via the internet or from an insider. ...
Context 5
... injection attacks may also originate from an attacker who has penetrated the communication link between the MTU and IED. The data logger attached to the IED in Figure 1 will capture all network traffic associated with such command injection attacks. Network traffic associated with denial of service attacks against the MTU and IED will also be logged by their respective data loggers. ...

Citations

... The simulation of the communication links between the HMI, servers, controllers, sensors, and actuators is based on industrial standards with the omission of physical connections. The communication links form a wired network (NIST, 2014), including the communication medium and protocol (Morris & Pavurapu, 2010). The medium includes both serial and Ethernet-based communications. ...
Article
Supervisory Control and Data Acquisition (SCADA) systems are widely adopted in critical infrastructures and are prime targets of cyberattacks. Ecological Interface Design (EID) is postulated to be an invaluable framework for supporting operators to cope with cyber intrusions, particularly zero-day attacks, because prior research has demonstrated the effectiveness of ecological interfaces during unanticipated events. However, a suitable research platform is absent for studying user interfaces in the cybersecurity of SCADA systems. This paper presents a SCADA system simulation being designed and implemented for the DURESS thermohydraulic process control simulation common in EID studies. Based on the open literature and industrial standards to ensure representativeness of industrial SCADA systems, the simulation includes two programmable logic controllers, seven routers, and a server in a wired communication network. These components should be sufficient to study human response to common cyberattacks on SCADA systems and support future work in prototyping and evaluating user interfaces for SCADA cybersecurity.
... The transfer of the black box concept into settings other than aviation is not new. Data loggers for critical infrastructure such as Supervisory Command and Data Acquisition (SCADA) systems are also standard practice [5,6]. The largest deployment of black box technology outside aviation is within the automobile and road haulage industries for data logging [7,10] ...
... The transfer of the black box concept into settings other than aviation is not new. Data loggers for critical infrastructure such as Supervisory Command and Data Acquisition (SCADA) systems are also standard practice [6,7]. The largest deployment of black box technology outside aviation is within the automobile and road haulage industries for data logging [8,11] ...
Preprint
This paper introduces a draft open standard for the robot equivalent of an aircraft flight data recorder, which we call an ethical black box. This is a device, or software module, capable of securely recording operational data (sensor, actuator and control decisions) for a social robot, in order to support the investigation of accidents or near-miss incidents. The open standard, presented as an annex to this paper, is offered as a first draft for discussion within the robot ethics community. Our intention is to publish further drafts following feedback, in the hope that the standard will become a useful reference for social robot designers, operators and robot accident/incident investigators.
... Kleinmann and Wool [55] point out that the use of logs, whilst potentially effective, if not properly protected could enable an attacker to manipulate them by sending false data. A retrofitted data logging solution is considered by Morris and Pavurapu [94] in the context of a mix of serial and IP communications. It proposes a physically separate bump in the wire approach to a central logging facility that captures timestamps, cryptographically signs, encrypts and stores network traffic for the purposes of analysis. ...
... Morris and Pavurapu [94] describe the primary threats to control systems in these layers to be response injection, command injection or denial of service. Gao and Morris [14] extended this set by including reconnaissance activities, whereby an attacker attempts to identify the control equipment in place and enumerate the network, and highlighted how industrial protocols are vulnerable over wireless network bearers. ...
... In an analysis of both the serial and TCP variants of the Modbus protocol, Huitsing et al [95] categorised the threats into interception, interruption, modification and fabrication; which broadly match the classifications of Morris and Pavurapu [94] and Gao and Morris [14]. The paper identified 20 viable attacks against the serial protocol and 28 against the TCP variant, which included impacts on data confidentiality, device reconnaissance, device disruption and denial, communications disruption or denial and overall process control disruption and denial. ...
Article
Industrial control systems (ICS) are increasingly becoming the target of cyber attacks. In order to counter this threat, organisations are turning to traditional IT security mechanisms to protect their operations. However, ICS includes a range of technologies which are often unfamiliar to contemporary IT security professionals or the tools they deploy. This paper explores the applicability of these tools within an ICS and critically analyses contemporary ICS architectures. The contribution of this paper is a clear identification of the areas of ICS to which IT security mechanisms can be applied and the challenges that are faced in the others. The paper continues to explore what mechanisms may be considered in these non-traditional areas of technology.
... In addition to the vulnerabilities due to the increasing dependence of their communications on the Internet, SCADA systems today face significant threats of cyberattacks due to the vulnerabilities of the communications protocols implemented in these networks [Fovino et al., 2009; Morris and Pavurapu, 2010]. In fact, the common protocols, namely ModBus, Profibus and DNP3, used in the communication between the different components of SCADA systems present many vulnerabilities regarding the integrity and the authentication mechanisms [Fovino et al., 2010b]. ...
Thesis
The security of critical infrastructures has been an interesting topic recently with the increasing risk of cyber-attacks and terrorist threats against these systems. The majority of these infrastructures are controlled via SCADA (Supervisory Control And Data Acquisition) systems, which allow remote monitoring of industrial processes such as electrical power grids, gas pipelines, water distribution systems, wastewater collection systems, nuclear power plants, etc. Traditional intrusion detection systems (IDS) cannot detect new types of attacks not listed in their databases, so they cannot ensure maximum protection for these infrastructures. The objective of this thesis is to provide additional help to IDS to ensure better protection for industrial systems against cyber-attacks and intrusions. The complexity of the studied systems and the diversity of attacks make modeling these attacks very difficult. To overcome this difficulty, we use machine learning, especially one-class classification. Based on training samples, these methods develop decision rules to classify new samples as outliers or normal ones. This dissertation proposes specific one-class classification approaches, sparse formulations of these approaches, and an online approach to improve real-time detection. The relevance of these approaches is illustrated on benchmark data from three different types of critical infrastructures.
... In order to mitigate the cyber attacks related to substation automation, an intrusion detection system for IEC 61850 based substation automation system was proposed [8]. The work of [9] proposed a retrofit data logger solution and an intrusion detection system for serial communication based MODBUS and DNP3 in the substations. Temporal anomaly detection in a substation has been developed in the authors' previous work [10]. ...
Conference Paper
This paper proposes a new network-based cyber intrusion detection system (NIDS) using multicast messages in substation automation systems (SASs). The proposed network-based intrusion detection system monitors anomalies and malicious activities of multicast messages based on IEC 61850, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Value (SV). NIDS detects anomalies and intrusions that violate predefined security rules using a specification-based algorithm. The performance test has been conducted for different cyber intrusion scenarios (e.g., packet modification, replay and denial-of-service attacks) using a cyber security testbed. The IEEE 39-bus system model has been used for testing of the proposed intrusion detection method for simultaneous cyber attacks. The false negative ratio (FNR) is the number of misclassified abnormal packets divided by the total number of abnormal packets. The results demonstrate that the proposed NIDS achieves a low false negative rate.
... The work uses Snort and Quickdraw [53] to detect an attack in the SCADA system. Retrofit data logger [54] is used to capture Modbus RTU and Modbus ASCII network traffic. Captured traffic is required to be converted to Modbus TCP/IP before being transmitted over a closed virtual Ethernet network to allow Snort to capture the traffic. ...
Chapter
The State of the Art in Intrusion Prevention and Detection analyzes the latest trends and issues surrounding intrusion detection systems in computer networks, especially in communications networks. Its broad scope of coverage includes wired, wireless, and mobile networks; next-generation converged networks; and intrusion in social networks. Presenting cutting-edge research, the book presents novel schemes for intrusion detection and prevention. It discusses tracing back mobile attackers, secure routing with intrusion prevention, anomaly detection, and AI-based techniques. It also includes information on physical intrusion in wired and wireless networks and agent-based intrusion surveillance, detection, and prevention. The book contains 19 chapters written by experts from 12 different countries that provide a truly global perspective. The text begins by examining traffic analysis and management for intrusion detection systems. It explores honeypots, honeynets, network traffic analysis, and the basics of outlier detection. It talks about different kinds of IDSs for different infrastructures and considers new and emerging technologies such as smart grids, cyber physical systems, cloud computing, and hardware techniques for high performance intrusion detection. The book covers artificial intelligence-related intrusion detection techniques and explores intrusion tackling mechanisms for various wireless systems and networks, including wireless sensor networks, WiFi, and wireless automation systems. Containing some chapters written in a tutorial style, this book is an ideal reference for graduate students, professionals, and researchers working in the field of computer and network security.
... The use of the Snort IDS to capture forensic evidence from industrial control systems which use the MODBUS network protocol has been proposed in (Slay & Sitnikova, 2009). A data logger to capture and store MODBUS/RTU and MODBUS/ASCII network traffic was proposed in (Morris & Pavurapu, 2010). A retrofit intrusion detection system is described in MODBUS over Serial Line traffic includes two modes: RTU and ASCII. ...
Article
Industrial control system communication networks are vulnerable to reconnaissance, response injection, command injection, and denial of service attacks. Such attacks can lead to an inability to monitor and control industrial control systems and can ultimately lead to system failure. This can result in financial loss for control system operators and economic and safety issues for the citizens who use these services. This paper describes a set of 28 cyber attacks against industrial control systems which use the MODBUS application layer network protocol. The paper also describes a set of standalone and state-based intrusion detection system rules which can be used to detect cyber attacks and to store evidence of attacks for post-incident analysis. All attacks described in this paper were validated in a laboratory environment. The detection rate of the intrusion detection system rules, presented by attack class, is also reported.
... We were also able to develop a forensics capture capability which captures and stores commands sent from the HMI to radio links, PLCs and RTUs (see Morris and Pavurapu 2010). Such a capability does not exist in today's ICS implementations. ...
Conference Paper
In this paper, we describe the incremental building of a unique industrial control system laboratory designed to investigate security vulnerabilities and to support development of mitigating tools and techniques. The laboratory has been built over time in a modular fashion with representative sectors of the critical infrastructure included. For two years, a strong collaboration with universities in Australia has been established and is described. The work has been supported by the Department of Homeland Security, the National Science Foundation, and the National Security Agency as well as by participating industrial partners. While the laboratory does offer limited teaching support, its primary purpose is research. The authors have found the lab to be affordable, effective, and representative of systems employed in the nation's critical infrastructure.