
Page 1: Final Project ICS

Cyber Security of SCADA System: Emerging Threats and Optimization of Functions for Vulnerability Assessment

Cyber security is a significant risk for an ICS because of the potential for intrusion into the networked system. This report describes modern SCADA system architecture and the characteristics of cyber-attacks that target a SCADA system. It also proposes attack mitigation and detection techniques to improve the protection and performance of the SCADA system.

Gupta Smit Dipakkumar (R11478004)
Department of Electrical & Computer Engineering

Texas Tech University Lubbock, Texas, USA

ABSTRACT — SCADA systems provide remote control, monitoring and data collection in the power, oil & gas, water and wastewater industries. This document describes countermeasures to cyber attacks on the industrial control systems (ICS) of large-scale processes that use SCADA. It also describes a development process that yields reliable defense strategies against cyber-attacks: analytical methods are used to measure the vulnerabilities of a SCADA system and its supporting computer architecture, and the resulting mitigations reduce security vulnerabilities while preserving functionality, reliability and performance.

INDEX TERMS— Control system, SCADA, Security, Vulnerability indices, Cyber-attack, Power system, Attack vectors, Defense techniques.

I. INTRODUCTION

Supervisory control and data acquisition (SCADA) systems are used in critical infrastructure to control and monitor large continuous processes. Critical infrastructure consists of large interdependent processes, highly sophisticated devices, many control loops and many people, so the attack surface in such environments is large. Newer communication protocols and internet connectivity make SCADA systems more exposed. A modern SCADA system has three parts: the corporate network, the SCADA network and the field devices. The corporate (business) network handles planning, marketing and e-mail and communicates with the SCADA network over the internet, so IT-style weaknesses such as SQL injection and phishing now reach the SCADA system[1]. Although the SCADA control center is well protected, an intrusion may be launched against many devices through many paths, which makes detection and mitigation difficult. The history of cyber attacks on SCADA systems is long, and past incidents have involved computer viruses, intruders and more, which is why industries now focus on ICS security. To understand the attack vectors, vulnerabilities and mitigation techniques, a basic understanding of SCADA architecture is required first.

This paper focuses on countermeasures to cyber attacks on industries that employ a SCADA system, and on developing specific defense techniques that reduce the vulnerabilities while maintaining functionality and performance.

In section 2, SCADA architecture, its components and their functions are explained. In section 3, threats and vulnerabilities are defined. In section 4, optimization of security functions is proposed. In section 5, the conclusion is presented.

II. SCADA ARCHITECTURE

A SCADA system monitors and controls many critical continuous industrial processes. Through the combination of a human machine interface (HMI) and a transmission system it provides real-time monitoring and control[1]. It is a data-oriented, event-driven system[2].

A SCADA system consists of two parts: the network topology and the physical components. The components include processors, sensors, controllers, remote terminal units (RTUs), actuators, communication equipment and host computers. The SCADA host computer exchanges data with remotely located RTUs or PLCs. At remote sites, sensors continuously measure the state of the process equipment, such as valves and circuit breakers. These measurements reach the PLC over a communication medium; the PLC compares the measured values with the setpoints and sends control signals to the valves or circuit breakers to produce the desired output. PLCs are connected to the SCADA server via LAN or WAN. The host computer polls the PLCs for data in order to check the status of the process. In the control center, workstations, the historian (data archive) and HMIs are interconnected by a LAN; they reveal any error or anomaly in the data and prompt the host computer to act. The host computer then commands the PLCs to change specific values to restore correct operation. The control center is in turn connected to the corporate network to give the business a complete view of the process. To explain each function in detail, the SCADA system is subdivided into four parts.

Fig. 1: SCADA system block diagram [3]

A. FIELD DATA INTERFACE DEVICES

Field data interface devices such as water flow meters, temperature alarms and pressure valves are crucial to the SCADA system[4]. They inform the plant operators about the performance of the plant, and they deliver signals to actuators such as temperature controllers and pressure switches, which are connected to sensors or intelligent electronic devices (IEDs) and to PLCs. One problem with this group of devices is that the SCADA host computer does not speak the language of the field devices, so their signals must be converted into a form the host can use to check status and issue commands. The remote terminal unit (RTU) converts the field device signals and transmits them to the host computer over the communication channel.

To reduce the load on the SCADA host computer, PLCs in modern ICS are programmed to issue local commands to the field devices themselves. This is also necessary because the field devices lack the bandwidth to communicate directly with the host over the communication channel. In small industrial processes a PLC is also used as the central controller for simple operations, which makes diagnostics and maintenance much easier. In modern systems PLCs are used more commonly than RTUs. The two are broadly similar: a PLC runs its own control logic and can change the state of field devices on its own, and is normally attached to a communication channel so that the SCADA system can read and adjust that logic, whereas a traditional RTU mainly relays measurements and executes commands received from the SCADA system, although modern RTUs also carry some local logic.

B. COMMUNICATION NETWORK

The communication network is the medium through which information is transferred between the SCADA host computer and the remotely located RTUs. Radio, telephone or cable may be used to carry the signals and data. Dedicated cable is used in small plants covering a limited area, because its cost rises with distance. In large, spread-out plants, telephone lines are employed. Leased lines are sometimes used where a permanent online connection between the RTU and the server is needed; they are more expensive because every remote site needs its own leased line. If updates are infrequent, dial-up lines are used instead of leased circuits: the host dials the number of a particular remote site to gain access to it.

Where telephone cables cannot reach a remote site, a radio modem is used instead, and it is also more economical. It too allows online operation with the SCADA host computer. A drawback is that not every location has a radio path to the modem; in those areas radio repeaters are installed to link the site to the radio network.

In modern SCADA systems, however, these links are increasingly replaced by LAN or WAN connections, because they are economical and provide immediate data transfer even over long distances.

C. HOST COMPUTER

The host computer, also called the master station, is either a single computer or a set of information processing systems joined to a server that runs the operator interface. Its job is to process the information received from or sent to the RTUs and to present it to the human operator in the simplest usable form. Host computers connect to the human-machine interface (HMI), the historian and the workstations via LAN/WAN. By watching the HMI screens the operator can spot faults and monitor continuous operation. Modern SCADA systems provide high-resolution graphical user interfaces.

Host computers have traditionally run UNIX, but standard PCs and servers are now used as well, with the same network equipment as ordinary office computers. It is therefore possible to connect the SCADA system to office-based applications such as GIS systems, hydraulic modeling software, drawing management systems, work scheduling systems and information databases[4].

D. OPERATOR WORKSTATION AND SOFTWARE

Operator workstations are connected to the SCADA host computer via LAN/WAN. The host computer acts as a server, and the operator workstations act as clients that request data from, and supply data to, the host as needed. Depending on the size and nature of the SCADA system, the operator interface software is referred to as the operator interface, the human machine interface (HMI) or the man-machine interface. The cost of software is an important aspect of developing, expanding or maintaining a SCADA system, and the software must be well specified, designed and tested to give the desired results.

Much SCADA software is vendor specific, meaning it can only interoperate with that vendor's devices and not with devices from other vendors. The alternative is commercial off-the-shelf (COTS) software, which is more flexible and can interoperate with devices from different vendors. The primary objective of the software should be process control and command; software should be selected with this in mind.

The following software is used in SCADA systems.

1. Host computer operating system: UNIX or another operating system runs on the host computer to supervise the entire process.

2. Operator terminal operating system: this software handles networking between the server computer and the other control center devices.

3. Host computer application software: this software sends data to and receives data from the RTUs. It is also responsible for alarms, mimic screens and so on.

4. Operator terminal application software: it presents data from the central server to the user and works together with the host computer application software.

5. Communication protocol drivers: these drivers format data according to the requirements of the RTU or controlled equipment.

6. Communication network management software: this software verifies that the communication network between the RTUs and the control center is error free.

7. RTU automation software: it is responsible for local automation and for maintenance and diagnostics of the remote devices.

There are three generations of SCADA systems: 1) monolithic, 2) distributed and 3) networked, of which the networked SCADA system is the most advanced. A monolithic SCADA system performed only simple functions and had no connection to other systems; only a WAN was used to communicate with the RTUs, and the communication protocols were proprietary. In a distributed system, each processor is linked via LAN and shares data in real time, which increases processing power as well as redundancy and reliability. A networked SCADA system adds flexibility in the choice of vendors and devices: a WAN connects the RTUs to the control center, and the system is built on open standards such as IP and Ethernet. Because processing is distributed, the system can survive the total loss of any one location.

E. SCADA COMMUNICATION PROTOCOLS

In a SCADA system, when the master station sends a request or command, the RTU executes the command to operate control points or change device parameters, and returns a response. The data sent by the RTU are identified by unique addresses that are already configured in the master station database; the RTU has no knowledge of what the data mean, it only samples its points and places the values in its local addressing scheme. Common SCADA protocols are 1) the International Electrotechnical Commission IEC 60870-5 series and 2) the Distributed Network Protocol 3 (DNP3).

1) IEC 60870-5-101: It is based on the Enhanced Performance Architecture (EPA) model for efficient interconnection between RTUs, sensors and intelligent electronic devices (IEDs). It adds a user layer between the application layer and the application programs; this layer provides clock synchronization and file transfer functions.

Fig 2. Enhanced Performance Architecture[4]

IEC 60870-5-1 (1990-02) provides the basic specification for telecontrol applications at the physical and data link layers: it specifies the requirements for coding, formatting and synchronizing the data frames so that data integrity is preserved.

IEC 60870-5-2 (1992-04) provides a selection of link transmission procedures.

IEC 60870-5-3 (1992-09) specifies the general structure of application data units.

IEC 60870-5-4 (1993-08) specifies the definition and coding of information elements (analog and digital process data).

IEC 60870-5 also provides the connection between RTUs and IEDs. The physical layer supports the RS-232 and RS-485 standards as well as fiber optic interfaces. The frame format is chosen from Part 1 (1990-02) according to the required data integrity and maximum efficiency. Whether balanced or unbalanced transmission mode is used is decided at the data link layer, which also assigns an address to each link. Part 2 (1992-04) defines the send/no reply, send/confirm and related link services and the rules for either transmission mode. Part 3 (1992-09) defines the Application Service Data Units (ASDUs) for the given architecture. The protocol offers the following application functions:

• Station initialization
• Command transmission
• Data acquisition by polling
• Acquisition of events
• Cyclic data transmission
• Transmission of integrated totals
• Test procedure

It also defines parameters to provide interoperability. In IEC 60870-5-101, vendors describe their devices through a protocol specification that lists, for example, baud rate, link transmission procedure and ASDU field lengths.

2) DNP3: DNP3 is based on object modeling, which greatly reduces the bit-level mapping of data that less object-oriented protocols require. It also reduces the status monitoring and control problems found in those protocols. DNP3 is widely used in SCADA systems for communication between the control center and remotely located RTUs. It is designed to operate in harsh environments, which is why it is used in oil and gas, water treatment and chemical plants. DNP3 overcomes several shortcomings of Modbus: it can communicate with multiple slaves at the same time, provides good error recovery, and supports priority assignment.

DNP3 defines a set of application-layer function codes for communication between master and slaves, some of which are reserved for the master to request data or issue commands. It supports two kinds of data: 1) static data, also called class 0 data, and 2) event data, which carry one of three priorities, high (class 1), medium (class 2) or low (class 3). It also has two message sets: the master set, which contains master requests and confirmations, and the slave set, which contains responses. Messages between master and slave can follow four communication strategies. 1) Quiescent operation: the master never polls; the slave reports events unsolicited and the master acknowledges them. 2) Unsolicited report by exception: the slave reports events unsolicited, and the master additionally sends periodic integrity polls for class 0 data to verify the state of the slave. 3) Polled report by exception: the master polls regularly for event data and occasionally for static data. 4) Polled static: the master polls only for static data and no event reporting is used. Which strategy is used depends on the application.

The notable features of DNP3 are:
• Open standard protocol
• Classification of data into classes
• Communication to multiple masters
• Time-stamped data and shorter delivery schedules
• Support for time synchronization
• Secure authentication and improved documentation
• Diagnostic information for each I/O point
• Report by exception

DNP3 does not use all seven OSI layers; it uses only four: 1. Physical layer 2. Data link layer 3. (Pseudo-)transport layer 4. Application layer

1. Physical Layer: The physical layer is concerned with the physical media over which data and commands are transferred. It signals to the upper layer that data are arriving, handles start and stop bit conditions, and determines which media can carry which kinds of data. DNP3 traditionally runs over serial links such as RS-232C or RS-485, and the physical medium may be copper, fiber, radio or satellite; modern installations also carry DNP3 over TCP/IP.

2. Data Link Layer: The data link layer establishes a link between sender and receiver and detects transmission errors. A frame begins with a 10-byte data link header: two fixed start bytes (0x05 0x64), a length byte, a control byte, a 16-bit destination address, a 16-bit source address and a 16-bit CRC over the header. The control byte indicates the purpose of the frame and the status of the logical link. The user data that follow are carried in blocks of up to 16 bytes, each protected by its own 16-bit CRC, and a frame carries at most 250 bytes of user data.

3. Pseudo-Transport Layer: The pseudo-transport layer splits application layer messages into pieces that fit into data link frames. A one-byte transport header carries FIR and FIN flags that mark the first and last frame of a message, together with a sequence number that lets the receiving end detect missing frames and reassemble the message in order. Confirmations are handled by the data link and application layers, not here.

4. Application Layer: The application layer receives the complete message from the transport layer, in the proper format, and acts on it. The transport layer has already determined the total length of the received message. The application layer builds the response message according to the user's application and hands it back to the transport layer, where it is segmented into data link frames and passed to the data link layer.

When a message is very long, the application layer divides it into several fragments and sends them to the transport layer one after another, so a message may consist of a single fragment or of multiple fragments. Each fragment starts with an application layer header, followed either by another header or by message data. The application layer header consists of a control byte and a function code. The control byte indicates whether the message is a single fragment or one of several, and carries the fragment sequence number. The function code indicates the purpose of the message.
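The link-layer framing described above, as an added worked example that is not part of the original paper: it builds a DNP3 link frame (start bytes 0x05 0x64, length, control, destination, source, header CRC, then user data in 16-byte blocks with per-block CRCs), parses one back while checking every CRC, and then shows the security caveat that matters most to a practitioner: the CRC is an error check, not an authenticator. Anyone who can write to the link can alter a frame and recompute valid CRCs, so the parser accepts the retargeted frame. The CRC algorithm is the DNP3 CRC-16 (polynomial 0x3D65, transmitted LSB first); the addresses, control byte and user data are constructed for illustration.

```python
"""Build, parse and integrity-check DNP3 link-layer frames (added example, not from the paper)."""
from dataclasses import dataclass

START_BYTES = b"\x05\x64"
CRC_POLY_REFLECTED = 0xA6BC   # 0x3D65 bit-reversed, for the LSB-first shift loop
MAX_USER_DATA = 250           # LEN counts CTRL+DEST+SRC (5 bytes) plus user data, max 255


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: init 0, reflected, final XOR 0xFFFF (check value 0xEA82 for b'123456789')."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


@dataclass
class LinkFrame:
    control: int
    destination: int
    source: int
    user_data: bytes

    def control_fields(self) -> dict:
        """Decode the link control byte: DIR, PRM, FCB, FCV/DFC and the 4-bit function code."""
        return {
            "dir_from_master": bool(self.control & 0x80),
            "primary": bool(self.control & 0x40),
            "fcb": bool(self.control & 0x20),
            "fcv_or_dfc": bool(self.control & 0x10),
            "function": self.control & 0x0F,
        }


def build_frame(control: int, destination: int, source: int, user_data: bytes) -> bytes:
    """Assemble header + header CRC, then user data in 16-byte blocks each followed by its CRC."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data exceeds 250 bytes")
    header = (START_BYTES + bytes([5 + len(user_data), control])
              + destination.to_bytes(2, "little") + source.to_bytes(2, "little"))
    frame = bytearray(header + crc16_dnp(header).to_bytes(2, "little"))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + crc16_dnp(block).to_bytes(2, "little")
    return bytes(frame)


def parse_frame(frame: bytes) -> LinkFrame:
    """Validate start bytes, header CRC and every data-block CRC; raise ValueError on any fault."""
    if len(frame) < 10 or frame[:2] != START_BYTES:
        raise ValueError("missing DNP3 start bytes")
    header = frame[:8]
    if crc16_dnp(header) != int.from_bytes(frame[8:10], "little"):
        raise ValueError("header CRC mismatch")
    length = frame[2]
    if length < 5:
        raise ValueError("LEN below minimum of 5")
    remaining, pos, user_data = length - 5, 10, bytearray()
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        stored = frame[pos + n:pos + n + 2]
        if len(block) != n or len(stored) != 2:
            raise ValueError("truncated frame")
        if crc16_dnp(block) != int.from_bytes(stored, "little"):
            raise ValueError("data block CRC mismatch")
        user_data += block
        pos += n + 2
        remaining -= n
    if pos != len(frame):
        raise ValueError("trailing bytes after last CRC")
    return LinkFrame(frame[3], int.from_bytes(frame[4:6], "little"),
                     int.from_bytes(frame[6:8], "little"), bytes(user_data))


def retarget_frame(frame: bytes, new_destination: int) -> bytes:
    """Rewrite the destination address and recompute the CRCs.

    This is why the CRC is an error check and not an authenticator: an attacker on the
    link can change any field and emit valid CRCs, and parse_frame will accept the result.
    """
    original = parse_frame(frame)
    return build_frame(original.control, new_destination, original.source, original.user_data)


if __name__ == "__main__":
    # Constructed sample: master (address 1) sends unconfirmed user data (function 4)
    # to outstation 1024; control byte 0xC4 = DIR | PRM | function 4.
    sample = build_frame(0xC4, 1024, 1, bytes(range(20)))
    print(sample.hex())
    print(parse_frame(sample))
    corrupted = bytearray(sample)
    corrupted[12] ^= 0xFF  # flip a user-data byte; the block CRC catches it
    try:
        parse_frame(bytes(corrupted))
    except ValueError as err:
        print("rejected:", err)
    print(parse_frame(retarget_frame(sample, 2048)).destination)  # accepted: no authentication
```

The flipped byte is rejected, but the retargeted frame passes every check. Without DNP3 Secure Authentication (or a protected transport such as a VPN between master and outstation), link-layer integrity says nothing about who sent the frame.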

III. RISK AND VULNERABILITIES IN SCADA

A major problem with SCADA systems lies in the SCADA protocols, many of which still operate in the traditional manner, designed for isolated serial links without authentication. To obtain accurate and trustworthy information from the network devices, these protocols must be improved. Another problem is that the data received by the master station or the RTU may be inaccurate or corrupted, whether by terrorists, hackers and hostile nations or by natural phenomena and catastrophic events[5]. Furthermore, modern SCADA systems use open standard protocols and COTS software and hardware, which increases the attack surface: COTS components rely on common protocols such as IP and Ethernet, and the tools and knowledge needed to attack these well-documented protocols are widely available.

SCADA attacks fall into three major categories: 1) intentional attacks; 2) unintentional attacks; 3) collateral damage from viruses, malware or control system failures, and unintentional internal security consequences such as improper testing or unauthorized internal configuration changes[6].

SCADA systems are often complex, so to describe an error precisely and locate a weakness, more precise and accurate techniques must be defined. Communication links and networks are an essential part of a SCADA system, so any threat to them is also a threat to the SCADA system. The control center networks are well secured and hard to break into directly, but because they are connected to corporate networks and other subnetworks through the internet, threats can arrive from those sources.

SCADA system threats are of many types: authorization violation, unauthorized access, violation of permissions, information leakage, data modification, substitution, Trojan horses, tunneling, viruses, worms, interception, replay, logic or time bombs, bypassing of controls, browsing, illegitimate use, sabotage, spying, physical intrusion, trap doors/back doors, etc.[5].

Emerging SCADA attacks are divided into the following types: 1) delaying or interrupting the flow of data through the remote or control networks (denial of service); 2) altering the programmed logic stored in PLCs, RTUs and the SCADA system; 3) sending false data to the host computer or RTUs; 4) changing SCADA software or configuration settings; 5) injecting malicious software into the SCADA system.

The first type exploits backdoors and holes in the network perimeter. It includes the diagnostic server attack over a UDP port[5], in which the adversary gains control of the diagnostic tooling and can read data and symbols from the device; this attack is simple enough that a person with little or no programming knowledge can carry it out. It also includes smurfing, in which the adversary floods the network with ICMP echo traffic by sending spoofed echo requests to broadcast addresses; the flood delays or drops legitimate polls, and if a PLC acts on a modified or stale message it may issue wrong commands to the actuators and create a hazardous situation. Spoofing attacks are also made on ARP. ARP resolves IP addresses to medium access control (MAC) addresses; an adversary who sends forged ARP replies causes hosts to cache wrong MAC addresses, so packets are delivered to the wrong station (enabling interception) or dropped, resulting in denial of service (DoS). Possible defenses are static ARP entries for the fixed set of control network hosts and segmentation of the network.
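The ARP defense suggested above, as an added example that is not part of the original paper: a control network has a small and stable set of hosts, so the IP-to-MAC pairs can be pinned in a static table and every ARP packet seen on the segment checked against it. The code parses raw Ethernet/ARP frames and flags three conditions: a known IP announced with a different MAC (the poisoning case), an Ethernet source address that disagrees with the ARP sender address (a forged frame), and a host that is not in the inventory at all. The host inventory, the MAC addresses and the frames are constructed for illustration.

```python
"""ARP spoofing detection against a pinned host inventory (added example, not from the paper)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed inventory: the pinned IP -> MAC table for a small control segment.
STATIC_ARP_TABLE = {
    "192.168.10.1": "00:1b:1b:aa:00:fe",   # gateway towards the corporate network
    "192.168.10.10": "00:1b:1b:aa:00:01",  # SCADA master
    "192.168.10.20": "00:1b:1b:aa:00:02",  # PLC
}


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass(frozen=True)
class ArpPacket:
    eth_src: str      # source MAC in the Ethernet header
    opcode: int
    sender_mac: str   # hardware address claimed inside the ARP payload
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp_frame(eth_src: str, opcode: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str,
                    eth_dst: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Ethernet II header (14 bytes) followed by IPv4-over-Ethernet ARP (28 bytes)."""
    eth = _mac_bytes(eth_dst) + _mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip) + _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Return the ARP fields, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(_mac_str(frame[6:12]), opcode,
                     _mac_str(frame[22:28]), _ip_str(frame[28:32]),
                     _mac_str(frame[32:38]), _ip_str(frame[38:42]))


def check_arp(pkt: ArpPacket, table: dict = STATIC_ARP_TABLE) -> Optional[str]:
    """Classify one ARP packet; None means it is consistent with the inventory."""
    if pkt.eth_src != pkt.sender_mac:
        return "header-mismatch"   # Ethernet source and ARP sender disagree: forged frame
    expected = table.get(pkt.sender_ip)
    if expected is None:
        return "unknown-host"      # a host outside the inventory is announcing itself
    if expected != pkt.sender_mac:
        return "mac-conflict"      # classic poisoning: known IP claimed with the wrong MAC
    return None


def scan_frames(frames, table: dict = STATIC_ARP_TABLE) -> List[Tuple[str, str, str]]:
    """Run check_arp over captured frames; returns (verdict, sender_ip, sender_mac) per alert."""
    alerts = []
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is None:
            continue
        verdict = check_arp(pkt, table)
        if verdict:
            alerts.append((verdict, pkt.sender_ip, pkt.sender_mac))
    return alerts


if __name__ == "__main__":
    plc, master, attacker = "00:1b:1b:aa:00:02", "00:1b:1b:aa:00:01", "00:0c:29:de:ad:01"
    capture = [  # constructed traffic: one honest reply from the PLC, then a poisoning attempt
        build_arp_frame(plc, ARP_REPLY, plc, "192.168.10.20", master, "192.168.10.10"),
        build_arp_frame(attacker, ARP_REPLY, attacker, "192.168.10.20", master, "192.168.10.10"),
    ]
    for alert in scan_frames(capture):
        print("ALERT", *alert)
```

On a real segment the frames come from a promiscuous capture (or from a switch's dynamic ARP inspection logs); the logic is the same. The inventory check only works because the host set is fixed, which is exactly the property that makes static ARP entries practical on a SCADA LAN and impractical on a general office network.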

The second type stems from vulnerabilities in common communication protocol implementations, such as segmentation faults and buffer overflows, all of which are potentially exploitable. Consider TCP/IP on Windows systems: although several protective measures exist, systems that must stay online continuously often do not have up-to-date patches. Examples are WinNuke, which crashed hosts through mishandling of the URG flag (out-of-band data) in TCP, and TearDrop, NewTear and SSPing, which exploit errors in the handling of IP fragmentation and reassembly.

The third type is communication hijacking and man-in-the-middle attacks, which cause considerable damage in modern ICS. This attack targets cryptographic communication and key exchange protocols: when two parties A and B exchange keys for secure communication, an adversary positioned between them intercepts the messages A and B send each other and takes part in both key exchanges, while the users believe everything is working correctly. The adversary can then inject malware into the SCADA system, gain access to the entire system, bypass the firewall and establish a connection back to his own platform.

The fourth type is cyber attacks on hardware such as PLCs and sensors. Such attacks take two forms. In the first, called payload construction, the attacker targets the ICS but does not have full access to the system and uses the access he has to read or gather the necessary data; the Duqu worm, for example, collects information about the targeted system. In the second form the attacker changes device parameters and values and thereby changes the behavior of the entire system. This kind of attack has two stages: in the compromise stage the system's security is broken as efficiently as possible, and in the payload stage the constructed payload is installed on the system. How the payload is built depends on the adversary's goal, and payloads are of two kinds. A targeted payload is aimed at a specific, chosen device, whereas an indiscriminate payload is generic and aims to damage whatever devices, such as PLCs and sensors, it reaches. Sometimes malware constructs its payload only after gaining access to the system: it breaks the security, then builds a payload that violates as many safety properties as possible, for instance by identifying the main timing loop of the process and altering it. This approach has drawbacks. The constructed payload has no knowledge of the plant and so may fail to cause damage, and its delivery may not be stealthy, so the operator may notice it. Where the system is well secured and obscure, the malware may be unable to generate a payload at all. A targeted payload damages a particular device by changing its values or parameters. For example, PLC control logic does not reveal which physical device is controlled by which program variable, so malware that wants to alter the function of the PLC lacks knowledge of the plant's behavior and of this mapping. A tool called SABOT analyzes the PLC code and maps the behavior of memory addresses so that malware can construct a payload specific to the target ICS. The second hardware attack is false data injection (FDI). Sensors are the main target because they feed the controller directly: the adversary delivers malicious values that change what the sensor reports, so the controller's output changes and may damage the process. For example, if boiler pressure is high but, because of malicious code, the sensor still reports it as low, the controller will not open the relief valve. This is false data injection (FDI).
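A plausibility check that catches the boiler case above, as an added example that is not part of the original paper. An injected sensor stream that stays flat and low while the heater is on and the relief valve is closed contradicts the commanded actuator state. The code compares each reported pressure with what a simple first-order process model predicts from the previous reading and the actuator states, and raises an alarm when the residual stays outside a tolerance for several consecutive samples. The model constants (heater gain, vent rate, tolerance, persistence) and both sample streams are constructed for illustration and would be fitted to the real plant.

```python
"""Model-based plausibility check for false data injection (added example, not from the paper)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# (time in seconds, reported pressure in bar, heater_on, relief_valve_open)
Sample = Tuple[float, float, bool, bool]


@dataclass
class BoilerModel:
    heater_gain: float = 1.5   # bar per second gained while the heater is on (assumed)
    vent_rate: float = 3.0     # bar per second lost while the relief valve is open (assumed)
    tolerance: float = 1.0     # largest residual still attributed to sensor noise, in bar
    persistence: int = 3       # consecutive out-of-tolerance samples before alarming

    def predict(self, prev_pressure: float, heater_on: bool, valve_open: bool, dt: float) -> float:
        """First-order model: pressure rises with the heater and falls with the open valve."""
        return (prev_pressure
                + (self.heater_gain if heater_on else 0.0) * dt
                - (self.vent_rate if valve_open else 0.0) * dt)


def residuals(samples: Sequence[Sample], model: BoilerModel) -> List[Tuple[float, float]]:
    """(time, predicted - reported) for every sample after the first.

    The actuator state of the earlier sample is the state in effect over the interval.
    """
    out = []
    for (t0, p0, heater_on, valve_open), (t1, p1, _, _) in zip(samples, samples[1:]):
        predicted = model.predict(p0, heater_on, valve_open, t1 - t0)
        out.append((t1, predicted - p1))
    return out


def detect_false_data(samples: Sequence[Sample], model: BoilerModel = BoilerModel()) -> List[float]:
    """Times at which the residual has been out of tolerance for `persistence` samples in a row."""
    alarms, streak = [], 0
    for t, r in residuals(samples, model):
        streak = streak + 1 if abs(r) > model.tolerance else 0
        if streak >= model.persistence:
            alarms.append(t)
    return alarms


def first_alarm(samples: Sequence[Sample], model: BoilerModel = BoilerModel()) -> Optional[float]:
    alarms = detect_false_data(samples, model)
    return alarms[0] if alarms else None


# Constructed streams, 1 s sampling, heater on and relief valve closed throughout.
HONEST: List[Sample] = [(0, 2.0, True, False), (1, 3.6, True, False), (2, 5.1, True, False),
                        (3, 6.4, True, False), (4, 8.0, True, False)]
# The attacker pins the reported pressure near 2 bar while the real pressure keeps climbing.
INJECTED: List[Sample] = [(0, 2.0, True, False), (1, 2.0, True, False), (2, 2.1, True, False),
                          (3, 2.0, True, False), (4, 2.0, True, False), (5, 2.0, True, False)]

if __name__ == "__main__":
    print("honest stream alarms:", detect_false_data(HONEST))      # []
    print("injected stream first alarm at t =", first_alarm(INJECTED))  # 3
```

The check is a rate-of-change test conditioned on actuator state, so it catches a crude flat-line or frozen value but not an injection that tracks the model closely; a slow drift needs an independent cross-check (a second sensor, or a derived quantity such as temperature), and the alarm should go to an operator, since the attacker who controls the sensor may also control the logic that would act on it.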

The fifth type is database attacks. The most common is structured query language (SQL) injection, which occurs when data from the plant are published through a web application and untrusted input from the web request is concatenated into SQL queries; an attacker then supplies input that changes the meaning of the query and executes his own SQL statements against the database.
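The injection described above, as an added example that is not part of the original paper: a reporting page takes a tag name from the web request and looks it up in the historian database. The first lookup splices the parameter into the statement and is injectable; the second binds it as a parameter so the value can never change the structure of the query, with an allow-list on the tag identifier as a further check. The schema, the rows and the attacker's input are constructed for illustration, and the database is an in-memory sqlite3 instance so the example runs offline.

```python
"""SQL injection in a historian web query, with the parameterized fix (added example, not from the paper)."""
import re
import sqlite3
from typing import List, Tuple

# Assumed naming convention for historian tags; anything else is rejected before it reaches SQL.
TAG_NAME_PATTERN = re.compile(r"^[A-Z0-9_]{1,64}$")


def make_historian() -> sqlite3.Connection:
    """Constructed historian: a tag table the web page is meant to read and a table it is not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tags (name TEXT NOT NULL, value REAL NOT NULL, ts TEXT NOT NULL);
        CREATE TABLE operators (username TEXT NOT NULL, password_hash TEXT NOT NULL);
        INSERT INTO tags VALUES ('BOILER1_PRESSURE', 6.4, '2017-02-08T10:00:00Z');
        INSERT INTO tags VALUES ('BOILER1_TEMP', 180.0, '2017-02-08T10:00:00Z');
        INSERT INTO operators VALUES ('admin', 'constructed-hash-value');
    """)
    return conn


def fetch_tag_vulnerable(conn: sqlite3.Connection, tag_name: str) -> List[Tuple]:
    """The request parameter is spliced into the statement, so the attacker's quoting becomes SQL."""
    query = f"SELECT name, value FROM tags WHERE name = '{tag_name}'"
    return conn.execute(query).fetchall()


def fetch_tag_safe(conn: sqlite3.Connection, tag_name: str) -> List[Tuple]:
    """The value is bound as a parameter; the driver never lets it alter the statement."""
    return conn.execute("SELECT name, value FROM tags WHERE name = ?", (tag_name,)).fetchall()


def is_valid_tag_name(tag_name: str) -> bool:
    """Defense in depth: reject identifiers outside the assumed tag naming convention."""
    return TAG_NAME_PATTERN.match(tag_name) is not None


def fetch_tag_hardened(conn: sqlite3.Connection, tag_name: str) -> List[Tuple]:
    """Allow-list first, then the parameterized query."""
    if not is_valid_tag_name(tag_name):
        raise ValueError("invalid tag name")
    return fetch_tag_safe(conn, tag_name)


# Constructed attacker input: closes the string, appends a UNION that reads the operators
# table, and comments out the trailing quote the page adds.
INJECTION = "' UNION SELECT username, password_hash FROM operators --"

if __name__ == "__main__":
    db = make_historian()
    print("vulnerable:", fetch_tag_vulnerable(db, INJECTION))   # leaks the operators row
    print("safe:      ", fetch_tag_safe(db, INJECTION))          # [] : no tag has that name
    print("hardened:  ", fetch_tag_hardened(db, "BOILER1_PRESSURE"))
```

Parameter binding is the fix; the allow-list is a cheap second layer that also gives a clean log line when someone probes the page. Note that the leaked table here is constructed, but the point generalizes: once a SCADA historian is reachable through a web interface, ordinary web-application weaknesses become ICS weaknesses.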

There are also various ways to penetrate the SCADA network itself: VPNs, wireless connections, dial-up connections, remote login programs and Trojan horses[7]. Through these, information can be acquired from any device and IP addresses can be determined.

Damages due to cyber attack are 1) loss of information 2) economic load 3) equipment damage 4) loss of load[7]. Which depends on the amount of success of a cyber-attack. Two types of cyberattacks are possible

Directed attacks: These attacks cause short-term effects and can be identified by their behavior. They include DoS attacks that shut down the whole SCADA system, deletion of the file system, etc.

Intelligent attacks: These attacks are very well planned and require intense SCADA system knowledge. For example, to change a specific process parameter value in the PLC in order to damage the plant, in-depth knowledge of the entire plant system and of PLC programming is required.

IV. DIFFERENT METHODS FOR VULNERABILITIES ASSESSMENT IN SCADA

A. MODELLING FOR THE VULNERABILITY EVALUATION

The modeling method consists of two models: 1) a cyber net model and 2) a power flow simulation [7]. The cyber net provides information about potential intrusions, their issues and their status. The power net gives the steady-state behavior of the complex system. By combining these two models we can measure the effect of a cyber attack on the SCADA system. The method serves several purposes: modeling the access control points of the system, designing the SCADA intrusion detection system, simulating the designed model to evaluate the impact via power flow simulation, and improving cyber security.

The combined model above is described at three levels: 1) system, 2) scenario and 3) access point [7].

Figure 3. Flowchart of vulnerability modeling

This method is implemented in Visual Basic to define the interaction between SPNP and MATLAB. An XML file stores the simulation model of the system, and this file is used to generate a secondary file in the C-based SPNP language. This is done by the algorithm and definitions, which include the password and firewall models.

Page 7: Final Project ICS

a) SYSTEM VULNERABILITY

In this model the system is a wide-area IP-based computer communication network that interconnects the control center and the remote stations. To define system vulnerability, a few conditions must hold. First, a potential intrusion scenario at one remote station is independent of the potential intrusion scenarios at the other remote stations. Second, there is no direct connection between the remote station network and the control center network; a connection between the two can, however, be made using a VPN.

System vulnerability is defined as the maximum of the scenario vulnerability levels over all scenarios,

$$V_S = \max\{V_i\}$$

b) SCENARIO VULNERABILITY

An intrusion scenario includes all the steps of the attempted attacks made on either the remote devices or the SCADA system. Remote stations are connected to the loads in the process plant. The communication networks of these remote stations are interconnected with the automation systems and distribution operating centers. The total number of scenarios in the set is based on the total number of remote stations working with the IP-based communication network. Each scenario relates to one of three cases: a station with no load or generator, a station with only a load, and a station with no load and a generator.

Each scenario is used to determine the effect on the system in terms of loss of load; the scenario vulnerability is

$$V_i = \{V_{i1}, V_{i2}, \dots, V_{iK}\}$$

c) ACCESS POINT VULNERABILITY

An access point provides the service of a port through which an intruder connects to infiltrate the SCADA computer system. The traditional set of scenarios of different vulnerabilities is used to define the potential impact. If the number of access points is S, then the scenario vulnerability is defined by the weighted sum of the damage over the total number of access points,

where $\pi_j$ is the steady-state probability of an attack on the SCADA system and $\gamma_j$ is the factor that defines the impact on the power system when load is disconnected. To achieve a high level of SCADA network security, two specially designed models are developed: the firewall model and the password model.

FIREWALL MODEL: A firewall is the cyber security defense model that monitors the flow of packets between two connected networks. Firewall rules are set to prevent unnecessary traffic in the network. They give a high-level view of the penetration transitions for each set of scenarios. There are many security trust levels in the firewall structure. The rules are based on the following criteria:

1. Protocol type
2. Incoming and outgoing traffic
3. Port service range
4. IP address range

These criteria are already built into the firewall model, and the model can also be used online to detect malicious behavior in the system. Network traffic is very high every day, however, so it is not possible for the system operator to observe it using the existing database alone. That is why a commercial firewall analyzer add-on is used to detect malicious conditions in this database. Malicious packets flowing through the network must be identified. In combination with the denied-traffic data, this malicious packet data is also useful for determining the probability of cyber attack incidents, whether they gained access or were merely attempted.

Fig. 4 Firewall model

For n rules, the firewall model consists of n paths as shown in the figure above. A feedback path returns a response to the attacker, starting with the circle representing the rules. Datasets can be read in two ways: 1) the number of disallowed traffic records compared to the overall traffic, and 2) the number of malicious traffic records flowing through the firewall compared to the total records. The vertical paths through the circles representing the rules show the number of successful attempts. The solid bar signifies the firewall saturation probability, which can be calculated from the firewall log. There are two terminals, which connect to the other subsystems. Some networks consist of three nodes; the third node is a demilitarized zone, designed by linking two firewall modules in series. The specific rules depend on the construction of the firewall model; if the rule set is very large, then only the few rules considered relevant to malicious traffic are implemented in the formulation. The circle represents rejection or admission by each rule. The probability of a malicious packet passing through the firewall on an individual rule is given by,

The probability P of a malicious packet passing through firewall rule j is the ratio F/N, where F is the frequency of malicious packets and N is the total number of packets matching firewall rule j. The other equation, for packets being rejected, is the ratio of the number of rejected packets to the total number of packets matching firewall rule j.

PASSWORD MODEL: The password model is used to calculate the number of penetration attempts on the system from the data of repeated failed logins made without valid authentication credentials. These data are stored in the computer system for analysis. The model consists of two components: the failed-login probability and the response rate. The failed-login probability is described by the number of failed login attempts, while the response rate represents the performance of the computer system that checks the credentials. With these two parameters we can characterize the intrusion attempt behavior and the speed of each attack on each machine.

Fig. 5 Password model

The password model has two nodes and two transitions representing the potential intrusion status. The solid bar corresponds to the transition probability of penetrating attacks on the system. The empty bar represents the response rate with which the system responds to the attacker. The transition probability is given by the number of intrusion attacks divided by the total number of records. If there is a successful login within a specified time after many failures, that is not counted as an intrusion; instead it is counted as a typographical error.
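The two log-derived ratios above (F/N and the rejected ratio per firewall rule, and the failed-login transition probability with the typographical-error exception) computed over constructed log records; this is an added example, not code from the paper or from reference [7], and the record layouts and the 30-second typo window are assumptions.

```python
"""Firewall model and password model estimated from constructed logs.

Added example; it is not code from the paper or from reference [7]. The
record formats, the analyzer verdict column and the 30-second typo window
are assumptions chosen for illustration.
"""
from collections import defaultdict

# Constructed firewall log: (rule_id, action, malicious). `malicious` is
# the verdict of the commercial firewall analyzer described in the text.
FIREWALL_LOG = [
    ("r1", "allow", False), ("r1", "allow", True), ("r1", "deny", False),
    ("r1", "allow", False),
    ("r2", "deny", True), ("r2", "deny", True), ("r2", "allow", False),
    ("r3", "allow", False), ("r3", "allow", False),
]

# Constructed login log: (seconds, host, user, success).
LOGIN_LOG = [
    (0, "hmi-1", "op1", False), (5, "hmi-1", "op1", True),       # typo, then success
    (100, "hmi-1", "op1", False), (103, "hmi-1", "op1", False),  # burst of failures,
    (106, "hmi-1", "op1", False), (2000, "hmi-1", "op1", True),  # success much later
    (300, "rtu-2", "eng", False), (301, "rtu-2", "eng", False),
    (302, "rtu-2", "eng", False), (400, "rtu-2", "eng", True),
]


def firewall_rule_probabilities(log):
    """Per rule j: (F/N, R/N) where N is the number of packets matching the
    rule, F the malicious packets the rule let through and R the packets it
    rejected. F/N is the probability of a malicious packet passing rule j."""
    counts = defaultdict(lambda: {"N": 0, "F": 0, "R": 0})
    for rule, action, malicious in log:
        c = counts[rule]
        c["N"] += 1
        if action == "deny":
            c["R"] += 1
        elif malicious:
            c["F"] += 1
    return {rule: (c["F"] / c["N"], c["R"] / c["N"]) for rule, c in counts.items()}


def password_model(log, typo_window=30):
    """Per host: transition probability = intrusion attempts / total records.
    A failed login followed by a success for the same user within
    typo_window seconds is counted as a typographical error, not an intrusion."""
    by_host = defaultdict(list)
    for rec in sorted(log):
        by_host[rec[1]].append(rec)
    result = {}
    for host, recs in by_host.items():
        intrusions = typos = 0
        for i, (t, _, user, ok) in enumerate(recs):
            if ok:
                continue
            recovered = any(ok2 and u2 == user and t < t2 <= t + typo_window
                            for t2, _, u2, ok2 in recs[i + 1:])
            if recovered:
                typos += 1
            else:
                intrusions += 1
        result[host] = {"records": len(recs), "intrusions": intrusions,
                        "typos": typos, "p_intrusion": intrusions / len(recs)}
    return result


if __name__ == "__main__":
    print(firewall_rule_probabilities(FIREWALL_LOG))
    print(password_model(LOGIN_LOG))
```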

B. ATTACK TREE MODELLING

An attack tree is a graphical representation that combines one attack leaf from each node [8]. It is a hierarchical structure with the most dangerous attacks at the top and the less dangerous ones at the bottom of the tree. The model is used to achieve the security goals. The top node of the tree holds all the information and the task to be performed. Every attack leaf includes one or more defense nodes directly attached to that attack [9].

Fig. 6 Attack leaves with AND and OR

Vulnerability indices are based on evidence of total intrusions, countermeasures and password policy. C1 is the defense node for the attack on the left-hand leaf. A leaf may have different potential intrusions based on the node interconnections. Each attack leaf is always connected with a logic operator, AND or OR. For an AND-type attack model, all attack leaves must be penetrated to move up, while in the OR model penetration of one leaf is sufficient to move upward in the attack tree. The cyber security vulnerability index is defined as the probability that the attack tree or attack leaf will be attacked by the adversary. Since all devices in a SCADA system are somewhat vulnerable, each attack leaf has some vulnerability; that is why the index ranges between 0 and 1. The system has a vulnerability index for each attack leaf as well as a common vulnerability index for the whole system, which also ranges from 0 to 1.
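The AND/OR composition of leaf indices into a whole-system index, with defense nodes attached to leaves, worked through on a constructed tree; this is an added example, not code from the paper or from references [8] and [9], and the independence-based combination rule and the countermeasure discount are assumptions.

```python
"""Attack-tree vulnerability index with AND/OR leaves and defense nodes.

Added example; it is not code from the paper or from references [8],[9].
The combination rule (leaves treated as independent: AND multiplies leaf
indices, OR takes 1 - prod(1 - index)) and the countermeasure discount are
assumptions chosen for illustration; the tree itself is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Union


def _check_unit(x: float, what: str) -> float:
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"{what} must lie in [0, 1], got {x}")
    return x


@dataclass
class AttackLeaf:
    name: str
    base_index: float                       # probability the leaf is attacked
    countermeasures: List[float] = field(default_factory=list)  # defense nodes

    def index(self) -> float:
        # Assumed: each attached defense node removes a fraction `eff` of the
        # residual risk, so the leaf index stays within [0, 1].
        p = _check_unit(self.base_index, self.name)
        for eff in self.countermeasures:
            p *= 1.0 - _check_unit(eff, f"countermeasure on {self.name}")
        return p


@dataclass
class AttackNode:
    name: str
    op: str                                 # "AND" or "OR"
    children: List[Union["AttackNode", AttackLeaf]]

    def index(self) -> float:
        child_idx = [c.index() for c in self.children]
        if self.op == "AND":                # every leaf must be penetrated
            p = 1.0
            for x in child_idx:
                p *= x
            return p
        if self.op == "OR":                 # one penetrated leaf is enough
            miss = 1.0
            for x in child_idx:
                miss *= 1.0 - x
            return 1.0 - miss
        raise ValueError(f"unknown operator {self.op!r}")


def build_tree() -> AttackNode:
    """Constructed tree: the control center is reached either by chaining a
    dial-up foothold with a weak RTU password (AND) or via stolen VPN
    credentials (OR at the root)."""
    dialup = AttackLeaf("dial-up modem foothold", 0.4, countermeasures=[0.5])
    rtu_pw = AttackLeaf("weak RTU password", 0.5)
    vpn = AttackLeaf("stolen VPN credentials", 0.1)
    chain = AttackNode("remote station takeover", "AND", [dialup, rtu_pw])
    return AttackNode("control center compromise", "OR", [chain, vpn])


def system_index(tree: AttackNode) -> float:
    return tree.index()


if __name__ == "__main__":
    print(f"system vulnerability index: {system_index(tree := build_tree()):.3f}")
```

Adding a second defense node to the "weak RTU password" leaf (a password policy, condition 3 in the text) lowers the AND branch and hence the system index, which is the effect the rules for the index describe.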

Fig. 7 Rules for vulnerability index

According to condition 1, the system has no evidence of intrusion attempts, so condition 1 is false when the system has accurate evidence of attack attempts. Condition 2 is true when there is one or more countermeasure per attack leaf, so all defense techniques must satisfy this condition. Condition 3 is true when the system is protected by a password to prevent unauthorized access. Condition 1 depends on conditions 2 and 3. For example, a new defense technique can reduce attacks on the system, or a new password policy can reduce the possibility of an attack on the system.

C. SCADA SECURITY RESEARCH CHALLENGES

Research is continuously done to make the SCADA system more robust and reliable. In order to strengthen the SCADA system, three challenges must be kept in mind [10]. The first challenge is to enhance access control to the SCADA system; the solution should make it hard for an intruder to get into the system. The second is to advance the internal security of the SCADA system and to develop advanced security monitoring devices. These security devices must be constructed so that even if an attacker manages to enter the system, he cannot access any individual device, and the devices should also help to sense intrusions and other malicious activities. The third task is to enhance security management.

1. Access Control: This is the first and most important task in securing the SCADA system. It is important to ensure that an adversary does not enter the system, which is why improving the access control points is the crucial aspect. Defining the perimeter is the biggest challenge here, because most SCADA networks are connected to the corporate network and other systems using advanced protocols. Apart from these Internet protocols there are other links, such as telephone lines and wireless systems, so access control policies must be clearly defined and supported by strong management steps. The Internet protocol is used to carry information between the control center and the corporate network, but it does not have many security features. Authentication is the first step toward robust access control. It is generally established by creating login accounts and issuing them only to authorized users, so it is essential to develop protocols that offer strong security techniques to ensure confidentiality, authenticity, integrity and privacy. As in other systems, however, password-based authentication has several drawbacks, as passwords are very easy to crack. To overcome this limitation, smart-card-based authentication is currently being developed; the smart card can store the user's password and also improves key management in the SCADA system. Again, these systems have several limitations.

2. Firewalls and intrusion detection systems: A firewall prevents unauthorized traffic from entering the network; basically, it prevents connections being established between the outside Internet and the SCADA network. Firewalls are designed so that they only allow traffic belonging to certain defined protocols, i.e. if the SCADA system only uses DNP3, the firewall only allows DNP3 traffic. The firewall also monitors unauthorized penetration attempts on the system. Sometimes the corporate network has some access to change the absolute values in the SCADA system; the firewall then also ensures that this access is limited to only a few parameters and controls. A 3-zone firewall architecture is best for the SCADA system; it divides the network into three separate zones: the SCADA network, the corporate network and the demilitarized zone (a buffer zone between the other two) [5]. The reality is that very few firewalls are capable of providing security to the SCADA system. Cisco Systems Inc. has developed an open-standard Linux-based firewall that is capable of filtering MODBUS packets in the SCADA system [10]. Another technology is the development of micro firewalls that can be embedded within each SCADA device. The firewall should work in conjunction with an intrusion detection system (IDS); IDS are not capable of detecting suspicious behaviors of the SCADA protocol. An IDS is more difficult to construct than a firewall, because a firewall can be built with knowledge of the SCADA network structure alone, while development of an IDS requires knowledge of the vulnerabilities of all the SCADA protocols.

3. Protocol vulnerability assessment: Modern protocols are standardized and well defined. Any change to these protocols can be time-consuming and may suffer delay, so it is first necessary to understand the vulnerabilities associated with the system before implementing any change in the SCADA protocols. Understanding protocol vulnerabilities may also help to improve intrusion detection. Analysis of protocols helps to identify two kinds of vulnerabilities: 1) those inherent in the protocol specification and 2) those due to improper implementation of the protocol. Of the two, the vulnerabilities due to improper implementation are easier to mitigate, but both should be addressed to achieve a secure system. First, it is important to find these vulnerabilities in the system; their potential flaws and exploitations must be understood in order to develop standard defense techniques against them. Vulnerability assessment is typically a highly complex process. Research is being done on a taxonomy of vulnerabilities to provide a standard framework for security assessment. A database of different vulnerabilities is required to develop such a taxonomy, but the problem is that there are no public databases of SCADA vulnerabilities, so to develop a taxonomy the work must be done on the particular system in depth. The flaw hypothesis methodology is sometimes used in place of a common SCADA database. The final taxonomy defines each vulnerability based on the security property that the attack violated.

4. Cryptography and Key Management: Many cryptographic techniques are available to address SCADA security problems. SCADA protocols do not support cryptography because the characteristics of the SCADA network (for example the low data transmission rate and the requirement for real-time response) make it difficult for the system to adopt cryptographic methods, but cryptography is nevertheless used to secure these protocols. Wireless networks have similar constraints, so techniques developed there have been carried over into the SCADA system. An overview of the different problems encountered while implementing cryptography is provided in the AGA-12 report, together with different techniques for fitting cryptography into the SCADA system. The main purpose is to maintain the performance requirement while providing message integrity assurance. This goal is achieved by connecting a cryptographic module at each end of the SCADA serial link. Each sending module encodes the message packet before sending it to the receiver, and on the other side the module decrypts every message packet. This is called position-embedded cryptography: for a SCADA message that consists of a series of packets, the module assigns a position number to each packet, and the receiving end compares the position numbers, so it is difficult for an attacker to inject a malicious packet into the system. Key management is an important aspect of successful cryptography. The SCADA system has unique key management requirements, so it is difficult to define key management for it.
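A pair of bump-in-the-wire modules for the serial link that number each packet and tag it with a keyed MAC, so the receiving end can reject an injected or replayed packet by checking the tag and the position number; this is an added, simplified illustration of the idea described above, not the AGA-12 specification or any vendor's module, and the frame layout and pre-shared key are assumptions.

```python
"""Position-embedded integrity protection for a SCADA serial link.

Added example; it is a simplified illustration of the AGA-12 idea described
in the text, not the AGA-12 specification or any vendor's module. The frame
layout (4-byte position number, payload, 32-byte HMAC-SHA256 tag) and the
pre-shared key are assumptions chosen for illustration.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32          # HMAC-SHA256 digest length
POS_LEN = 4           # big-endian unsigned position number


class LinkEncoder:
    """Module at the sending end: numbers each packet and tags it."""

    def __init__(self, key: bytes):
        self.key = key
        self.position = 0

    def encode(self, payload: bytes) -> bytes:
        self.position += 1
        header = struct.pack(">I", self.position)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class LinkDecoder:
    """Module at the receiving end: verifies the tag, then the position."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = 1

    def decode(self, frame: bytes):
        """Return the payload, or None if the frame is forged, replayed or
        out of sequence (the caller should drop it and raise an alert)."""
        if len(frame) < POS_LEN + TAG_LEN:
            return None
        header, payload, tag = frame[:POS_LEN], frame[POS_LEN:-TAG_LEN], frame[-TAG_LEN:]
        calc = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(calc, tag):   # constant-time comparison
            return None
        (position,) = struct.unpack(">I", header)
        if position != self.expected:            # replay or gap in sequence
            return None
        self.expected += 1
        return payload


def run_demo(key: bytes = b"constructed-pre-shared-key") -> dict:
    """Send two legitimate packets, then feed the decoder a replay of the
    first one and a frame built without the key."""
    enc, dec = LinkEncoder(key), LinkDecoder(key)
    pkt1 = b"\x01\x03\x00\x10\x00\x02"   # constructed payload bytes
    pkt2 = b"\x01\x10\x00\x20\x00\x01"   # constructed payload bytes
    f1, f2 = enc.encode(pkt1), enc.encode(pkt2)
    forged = struct.pack(">I", 3) + b"\x01\x06\x00\x20\xff\xff" + bytes(TAG_LEN)
    return {
        "first": dec.decode(f1) == pkt1,
        "second": dec.decode(f2) == pkt2,
        "replay_rejected": dec.decode(f1) is None,
        "forged_rejected": dec.decode(forged) is None,
    }


if __name__ == "__main__":
    print(run_demo())
```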

5. Device and OS security: The security of the individual device is crucial to overall SCADA system security. Many devices in the SCADA system are embedded computing devices that run a real-time operating system (RTOS). Compared to other operating systems, an RTOS is very prone to DoS attacks, because even a small change in a device parameter may lead to a significant loss of system availability. To maintain OS security, a vulnerability assessment of the embedded OS must first be performed. This also requires understanding the differences between an embedded OS and an RTOS. Embedded operating systems are smaller than general-purpose operating systems, so proofs might be developed for this kind of system. In the electric power grid SCADA system there are very many nodes which do not have any physical protection, so basically they have no tamper resistance. An attacker may enter the system through these nodes and gain access to the entire system. To avoid this kind of problem, tamper resistance features are provided to each unprotected node, such as wrapping boards with sensors or using special materials such as polyurethane, but these are expensive [8].

6. Security management: The set of security objectives is called the control framework [10]. It can be improved by using good security plans and implementation guidelines. It is also necessary that the entire system have well-defined configuration management as well as auditing and assessment plans. Security policies must be well defined to achieve a robust SCADA system. Security is a continuous process: vulnerabilities must constantly be monitored, and software and hardware must be checked and updated continuously and secured with the latest patches.

V. CONCLUSION

The modern SCADA system uses common operating systems and Internet protocols and is plugged into the corporate network, which exposes it to cyber attacks. That is why SCADA security must be improved. There are many methods for vulnerability mitigation, and many organizations are working on this issue, but many vulnerabilities and challenges remain. This paper presents certain threats and mitigation techniques to improve the overall security of the SCADA system. By applying these basic techniques, attacks may be prevented to some extent and SCADA security can be enhanced.

REFERENCES

[1] F. Daryabar, A. Dehghantanha, N. I. Udzir, N. F. B. Mohd Sani, and S. Bin Shamsuddin, “Towards secure model for SCADA systems,” Proc. 2012 Int. Conf. Cyber Secur. Cyber Warf. Digit. Forensic, CyberSec 2012, pp. 60–64, 2012.

[2] S. H. Kim, J. H. Eom, and T. M. Chung, “A study on optimization of security function for reducing vulnerabilities in SCADA,” Proc. 2012 Int. Conf. Cyber Secur. Cyber Warf. Digit. Forensic, CyberSec 2012, pp. 65–69, 2012.

[3] I. Ghansah, “Smart Grid Cyber Security Potential Threats, Vulnerabilities And Risks,” Pier, no. May, p. 93, 2012.

[4] Office of the Manager National Communications System, “Supervisory Control and Data Acquisition (SCADA) Systems,” Tech. Inf. Bull. 04-1, no. October, p. 76, 2004.

[5] N. Ignat, “Dependability and vulnerability of SCADA Systems,” Ann. Oradea Univ. Fascicle, no. May, 2014.

[6] K. Stouffer, J. Falco, and K. Kent, “Guide to Industrial Control Systems (ICS) Security: Recommendations of the National Institute of Standards and Technology,” NIST Spec. Publ., vol. 800, no. 82, 2008.

[7] C. W. Ten, C. C. Liu, and G. Manimaran, “Vulnerability assessment of cybersecurity for SCADA systems,” IEEE Trans. Power Syst., vol. 23, no. 4, pp. 1836–1846, 2008.

[8] A. P. Moore, R. J. Ellison, and R. C. Linger, “Attack modeling for information security and survivability,” Tech. Note C., vol. 17, no. March, pp. 15–33, 2001.

[9] C. W. Ten, C. C. Liu, and M. Govindarasu, “Vulnerability assessment of cybersecurity for SCADA systems using attack trees,” 2007 IEEE Power Eng. Soc. Gen. Meet. PES, vol. 2, pp. 1–8, 2007.

[10] V. M. Igure, S. A. Laughter, and R. D. Williams, “Security issues in SCADA networks,” Comput. Secur., vol. 25, no. 7, pp. 498–506, 2006.