annarita giani, uc berkeley bruno sinopoli & aakash shah, carnegie mellon university gabor...

Annarita Giani, UC BerkeleyBruno Sinopoli & Aakash Shah, Carnegie Mellon University Gabor Karsai & Jon Wiley, Vanderbilt UniversityTRUST 2008 Autumn Conference, Nashville Tennessee

SCADA Systems and SecurityThe TRUST-SCADA Experimental

TestbedCurrent ImplementationFuture Directions

Supervisory Control And Data Acquisition systems are computer-based monitoring tools that are used to manage and control critical infrastructure functions in real time. Control Gas Utilities, Power Plants, Oil Refineries,

Power Utilities, Chemical Plants, Water Management, Traffic Control Systems, etc.

SCADA Master Provides overall monitoring and

control SCADA system SCADA Network

Provides communication between SCADA master and RTUs

Remote Terminal Units (RTUs) Local controllers that take

commands from SCADA masters Can perform simple PID control

Sensors and Actuators Provide means of measuring

infrastructure parameters and adjusting them

SCADA systems have significant lifetimes Most were designed without security in mind Most are now connected to new infrastructure SCADA Systems are difficult to upgrade

Adding security often means downtime SCADA systems contain embedded components SCADA networks are customized for each system

Need flexible, robust solutions that secure legacy SCADA systems and shape the design of the next generation

Assess vulnerabilities of current SCADA implementations

Provide and test solutions to address such vulnerabilities

Test innovative architectural and technological solutions for next generation SCADA

Provide an openly-documented, affordable, and highly flexible testbed for the TRUST community

Modularity: Must be able to model several SCADA

▪ Processes▪ Network architectures▪ Communications topologies, media, and protocols

Reconfigurability: Needs to be easily reconfigurable to test new

attack scenarios, solutions Remote access:

Should be available to remote users Accurate modeling:

Should be a realistic model of a real world process

Software SCADA Master

Software Communication

Simulation RTU Software Hardware

Simulation Plant Simulation

Hardware Servers SCADA Master

Controller Communications

Equipment RTUs

Simulink RTW Plant Model Simulation on xPC

High Speed I/O Interface

Robostix Microcontroller

12-bits of parallel digital data

8 channels of 12-bitanalog data

Gumstix/Linux Computer

sensor readingssetpoints

An adaptation of a publically available chemical plant model

Runs on xPC Target 4 processes 16 control loops 12 input variables 8 measured outputs Simulates 1 hour in

one second (controllable simulation speed)

Out 9

9

Out 8

8

Out 7

7

Out 6

6

Out 5

5

Out 4

4

Out 3

3

Out 2

2

Out 1

1

LogicalOperator 8

AND

LogicalOperator 7

AND

LogicalOperator 6

AND

LogicalOperator 5

AND

LogicalOperator 4

AND

LogicalOperator 3

AND

LogicalOperator 2

AND

LogicalOperator 1

AND

LogicalOperator

AND

HandshakeIn _87 _b37

PCI-DDA08 /12ComputerBoards

Digital Input4

HandshakeInScope

Target ScopeId : 1

DataScope

Target ScopeId : 4

DataBit 7_75 _b25


Digital Input8

DataBit 6_76 _b26


Digital Input7

DataBit 5_77 _b27


Digital Input6

DataBit 4_78 _b28


Digital Input5

DataBit 3_79 _b29


Digital Input4

DataBit 2_80 _b30


Digital Input3

DataBit 1_81 _b31


Digital Input2

DataBit 0_82 _b32


Digital Input1

ControlVar 9

In S/H

ControlVar 8

In S/H

ControlVar 7

In S/H

ControlVar 6

In S/H

ControlVar 5

In S/H

ControlVar 4

In S/H

ControlVar 3

In S/H

ControlVar 2

In S/H

ControlVar 1

In S/H

ControlScope

Target ScopeId : 3

ControlBit 3_83 _b33


Digital Input8



Digital Input7



Digital Input6



Digital Input5

CompareTo Constant 8

== 8


== 7


== 6


== 5


== 4


== 3


== 2


== 1

CompareTo Constant

== 0

Bit to IntegerConverter 1

Bit to IntegerConverter



AckOut_58 _b8


Digital Output1

Atmel ATMega128 Microcontroller8 channels of 10-bit A/D

Used for measuring analog sensor dataUp to 54 channels of digital I/O

Used for sending actuator setpoints to plant simulation

SCI, IICCan run simple

PID control loops

Gumstix 400MHz Linux ComputerRuns SCADA Master softwareReceives sensor and actuator

information from RTUsSends setpoints to RTUsSCI, IIC, Ethernet, Wifi

Locally controlled process

Remotely controlled process






Gumstix/Linux Computer

sensor readings(over Modbus)

setpoints(over Modbus)








Robostix

Gumstix Computer

Distributed controlusing Modbus

Distributed control using Ethernet

Robostix



Robostix

Gumstix Computer

Gumstix Computer

Robostix

Finish modular SCADA TestbedDevelop modeling tool for easy

configuration of testbedModel systems and demonstrate

vulnerabilities of current SCADA systems

Test solutions to address current vulnerabilities

Test new architectural solutions

annarita giani, uc berkeley bruno sinopoli & aakash shah, carnegie mellon university gabor...

Documents

generation scada

scada masters

downtime scada systems

generation slide

secure legacy scada

trust community slide

nashville tennessee

traffic control systems