• Save
Critical state based filtering system for securing scada network protocols
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
492
On Slideshare
492
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 59, NO. 10, OCTOBER 2012 3943Critical State-Based Filtering System forSecuring SCADA Network ProtocolsIgor Nai Fovino, Alessio Coletta, Andrea Carcano, and Marcelo MaseraAbstract—The security of System Control and Data Acquisition(SCADA) systems is one of the most pressing subjects in indus-trial systems, particularly for those installations actively using thepublic network in order to provide new features and services. Inthis paper, we present an innovative approach to the design offiltering systems based on the state analysis of the system beingmonitored. The aim is to detect attacks composed of a set of“SCADA” commands that, while licit when considered in isolationon a single-packet basis, can disrupt the correct behavior of thesystem when executed in particular operating states. The proposedfirewall detects these complex attacks thanks to an internal rep-resentation of the controlled SCADA system. Furthermore, wedetail the design of the architecture of the firewall for systemsthat use the ModBus and DNP3 protocols, and the implementationof a prototype, providing experimental comparative results thatconfirm the validity of the proposed approach.Index Terms—Critical state analysis, cyber security, firewall,SCADA systems.I. INTRODUCTIONMODERN Industrial infrastructures (e.g., power plants,water plants, smart grids, chemical installation, etc.)largely make use of ICT technologies [1]. In the last years, thosesystems started using the public network for system-to-systeminterconnection. As a result, it has been possible to provide newservices and features (implementation of the Energy Market,Energy Smart Grids, remote maintenance and optimization,self-orchestrating distributed industrial systems, etc.). How-ever, this connectivity has exposed industrial installations tonew sources of possible threats. Several studies [2], [3] haveproved that modern industrial critical infrastructure are exposedto the traditional computer attacks and threats of typical ITsystems. The core of industrial installations is traditionally theSystem Control and Data Acquisition (SCADA) infrastructure.Due to their peculiarities, even if based on ICT technolo-gies, they are far from the classical “ICT devices, protocolsand systems.” For that reason, as showed in [4], traditionalICT security technologies are not able to adequately protectManuscript received December 14, 2010; revised May 13, 2011 andOctober 29, 2011; accepted November 15, 2011. Date of publicationDecember 21, 2011; date of current version April 27, 2012.I. Nai Fovino and A. Coletta are with the Global Cyber Security Center,00144 Rome, Italy (e-mail: igor.nai@gmail.com; alessio.coletta@jrc.ec.europa.eu; GCSEC, www.gcsec.org).A. Carcano is with the University of Insubria, 21100 Varese, Italy (e-mail:andrea.carcano@gmail.com).M. Masera is with the Institute for Energy, European Commission (e-mail:marcelo.masera@jrc.ec.europa.eu).All the authors were previously with the Joint Research Centre, EuropeanCommission, 1049 Brussels, Belgium.Color versions of one or more of the figures in this paper are available onlineat http://ieeexplore.ieee.org.Digital Object Identifier 10.1109/TIE.2011.2181132industrial installations from ad-hoc SCADA-tailored attacks.Security of networked control systems is an important concernin literature [5], [6]. In this paper, we present a new approachto the analysis and the filtering of malicious packets basedon the concept of Critical State-Based Analysis tailor-madefor analyzing Modbus and DNP3 traffic, aimed at identifyingcomplex attacks which might interfere with the state of theentire industrial installation. The paper is organized as follows:after presenting in Section II the related works, we providein Section III an overview of the typical SCADA systemvulnerabilities. In Section IV, we present the Critical State-Based approach, while in Section V, we describe the languageused to express the critical states. In Section VI, we providea formal definition of the concept of Critical State Distance.In Sections VII and VIII, we provide the description of theprototype developed, and we present the results of our tests.Finally, in Section IX, we present our conclusions.II. RELATED WORKSThe core of SCADA systems is constituted by the industrialprotocols used for exchanging data and commands. Adam andByres [7] presented a high-level analysis of the possible threatsaffecting a power plant system, a categorization of the typicalhardware devices involved, and some high-level discussionabout intrinsic vulnerabilities of the common power plant archi-tectures. A more detailed work on the topic of SCADA securityis presented by Chandia et al. [8]. In this paper, the authorsdescribe two possible strategies for securing SCADA networks,underlying that several aspects have to be improved in order to“secure” that kind of architectures. Mander et al. [11] presenteda proxy filtering solution aiming at identifying and avoidinganomalous control traffic. The proposed solution is extremelyinteresting; however, it does not protect the system against twoparticular scenarios: 1) the scenario in which an attacker isable to inject malicious packets directly in the network segmentbetween the proxy and the remote terminal unit, and 2) thescenario in which both the proxy and the master have been cor-rupted and collaborate in order to damage the process network.The increasing usage of standard information and commu-nication technologies (ICT) in SCADA systems enables to usecommon security measures as shown in [9], [10]. However, asproved in [3], [4], traditional firewalls fail in detecting attackpattern specifically designed for SCADA protocols, since theseprotocols are usually coded at application level into the classicalTCP/IP stack.What we propose in this work, i.e., to detect attacks byanalyzing whether the system is entering into a critical state,has some similarities with what has been done in the Fault0278-0046/$26.00 © 2011 IEEE
  • 2. 3944 IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 59, NO. 10, OCTOBER 2012Detection and Diagnosis research field, and more specificallyin the model-based fault detection area, which makes use of thelimit-value based supervisory functions, to monitor measurablevariables in search for invalid values or, in case of automaticprotection functions, for triggering counteractions to protectthe process [21]–[23]). However, these approaches cannot beadopted to discriminate between cyberattacks and accidentalfaults, and do not provide an easily computable critical stateproximity metric, which are the main contributions of thepresent work.III. SCADA SYSTEM VULNERABILITIESSCADA systems are widely used in industrial installationsto control and manage field sensors and actuators. They areusually composed by 1) Programmable Logic Controllers(PLC), acting as a slave in the master/slave architecture and2) Master Terminal Unit, controlling the PLCs and gatheringfield data.The core of the control flow of every SCADA system isprotocol for communication and commands between Masterand Slaves. In our work, we consider Modbus and DNP3 pro-tocols. The majority of SCADA systems have been conceivedoriginally for serial communication when security was notcrucial for control systems. The porting of Modbus and DNP3over TCP/IP has opened new possibilities to attackers motivatedto cause damages to target industrial systems. In particular,those protocols.1) Do not apply any mechanism for checking the integrity ofcommand packets between Master and Slave.2) Do not perform any authentication mechanism betweenMaster and Slaves, i.e., everyone could claim to be the“Master” and send commands to the slaves.3) Do not apply antirepudiation or antireplay mechanisms.4) Do not provide any mechanism to preserve the the fielddevices and SCADA servers network availability.These security shortcomings can be used by malicious usersto perform different kind of attacks.• Unauthorized Command Execution: The lack of authen-tication between Master and Slave can be used by attackersto forge packets which can be directly sent to a pool ofslaves.• SCADA-DOS: On the basis of the same principle, anattacker can also forge meaningless Modbus/DNP3 pack-ets, always impersonating the Master, and consume theresources of the RTU, making these devices unavailableto the SCADA servers.• Man-in-the-Middle (MITM) attacks: The lack of in-tegrity checks allows attackers to access the productionnetwork for implementing typical MITM attacks, modi-fying the legal packets sent by the master.• Replay Attacks: The lack of antireplying mechanismsallows attackers to re-use captured legitimate Modbus/DNP3 packets.Finally, on top of these classes of attacks, since antirepudi-ation mechanisms are not implemented, it is hard to prove thetrustworthiness of malicious Masters, which could have beencompromised.Fig. 1. Example of attack based on chains of licit commands.IV. CRITICAL STATE-BASED FIREWALLThe core of modern firewalls is the classical signature-basedapproach, where rules describe the characteristics of thosepackets that might be part of a cyber attack and that, for thatreason, must be blocked. However, in the process control sys-tems, this approach does not guarantee a complete protection.In the example in Fig. 1, high pressure steam flows in a pipe.The pressure is regulated by two valves (VIN and VOUT ). Anattacker able to send packets on the process network sends aDNP3 packet to the PLC controlling VOUT in order to force itscomplete closure and a command to the PLC controlling VINin order to maximize the incoming steam. It is evident how suchcommands, when considered locally, will result perfectly licit,while altogether they will lead the system to a critical state. Thiskind of attack scenario can be hardly detected by the currentgeneration of firewalls since the “close VOUT ” packet, beinga perfectly licit command, may be needed in certain operativesituations and cannot be inserted in the set of forbidden trafficof a firewall.In order to cover this gap, a firewall should know exactly:1) The architecture of the system under control, 2) the actualstate of that system, 3) the operative meaning of the SCADAcommands flowing between master and slaves, and 4) the set ofunwanted (critical) states.With this knowledge it is possible to identify if a commandsent on the network in a certain moment is able to drive theSCADA system from a “secure state” to a “critical state,”and in that case to avoid the occurrence of the critical stateby blocking that command at network level. Moreover, byintroducing a distance metric allowing to measure the proximityof the current state of the system to a set of possible criticalstates, it is possible to provide the firewall with a sort of earlywarning module, able to alert the operators when the processsystem is dangerously approaching (but not yet reaching) acritical state. The approach proposed in this work, based on thecoordinate monitoring of the evolution of the target system’sstates combined with the analysis of the command packetsflowing between the Master and the slaves of the SCADAsystem, follows exactly what just described.
  • 3. NAI FOVINO et al.: CRITICAL STATE-BASED FILTERING SYSTEM FOR SECURING SCADA NETWORK PROTOCOLS 3945From a functional point of view, the following elementsare required for tracking and analyzing the evolution of asystem.• A system representation language to describe the systemunder analysis in a formal way.• A system state language to describe in a formal way thecritical states associated to the system under analysis.• A state evolution monitor to follow the evolution of thesystem.• A critical state detector to check whether the state of thesystem is evolving toward a defined critical state.• A critical state distance metric to compute how close anystate is with respect to the critical states.V. RULES DEFINITIONIt is necessary to define a language allowing to express theanalysis rules. In this section, we provide a brief definition oftwo languages we have designed for this purpose.A. Packet LanguageThe packet language is developed in order to representexactly the content of a SCADA packet. As claimed before,we concentrate our attention on Modbus and DNP3 protocols.We split the signature definition in two part: the first oneis composed by all the common fields independent from theprotocol, and a second part with all the typical protocol field.More in details, in our language, a packet signature has thefollowing format:{Src|Dest|SrcPort|DestPort|SpecificProtocolFields}where:• Src is the IP address of the packet sender.• Dest is the IP address of the packet receiver (e.g., the IPaddress of a PLC).• Src Port is the TCP source port used for thecommunication.• Dest Port is the TCP Destination port used for thecommunication.• Specific Protocol Fields: it is a special field containingthe list of the specific fields related to different indus-trial protocols. Our firewall at the moment supports twoindustrial protocols: Modbus and DNP3. In the case ofrules regarding the Modbus protocol, this special field willcontain two subfields:– Function is the Modbus function invoked by thesender.– Payload contains all the data/parameters requiredby the invoked Modbus function.In the case of a rule regarding the DNP3 protocol, thisspecial field will contain elements such as:– DNP3 source address is the DNP3 address ofthe packet source (which is different from the IPaddress).– DNP3 destination address is the DNP3 address ofthe packet destination (which is different from theIP address).– Function code is the DNP3 function invoked by thesender.– Data object specifies the DNP3 data object associ-ated to the function code.– Variation specifies the DNP3 object variation.– DNP3 fields: we defined a tag for each DNP3special field.B. System Description and Critical State RepresentationThe language used for describing the system and its criticalstates follows:rule::=condition → actioncondition::=predicate|predicate, conditionpredicate::=PLC[ID].comp[16bit_integer]realvalueID::=IPaddress : Port ∈ { , , <, >, =, =}comp::=HR|IR|CO|DI action::=Block|Alert Log.A rule has the form condition → action. condition isa boolean formula composed of conjunctions of predicatesspecifying critical values. If the current state of the sys-tem satisfies condition, then action (block, alert, log) isperformed.The state of the system is defined by the values of its compo-nents. Given a set of critical state rules, only components whichoccur in these rules have to be monitored. In the presentedapproach, critical state rules language is used also to formallydescribe the system to be monitored. This description is ana-lyzed (see Section VII) in order to generate a software virtualimage of the system which is kept up to date and provides thefirewall with the current state of the system.A SCADA system will be consequently represented as anenumeration of its components. Each component has the formPLC[ID].comp[16bitinteger] and identifies the value ofa register in a PLC. Components represent several kind ofequipment, and their values are numeric, like boolean, integers,or floating point. For every system, there exist n componentvalues fully identifying its state, thus any state of the systemcan be represented as a vector s belonging to Rn.Given this system description, we are interested in identify-ing combinations of components and values that correspondto particular states of the SCADA system, and among themtypically unwanted events that may harm the integrity and thefunctionalities of the system being monitored. We refer to suchstates as critical states, which are identified by critical staterules. In detail, each condition is a list of predicates indicatingcritical values of system components. A condition is satisfiedif all predicates are satisfied. If a state satisfies a condition of acritical state rule, then it is a critical state. In other words, theset of critical state is the subset CS ⊆ Rnof states satisfying atleast one condition in the critical rules.Example 1: Consider a simple system with a hot water boilerand a cooling fan of the boiler. Assume that the cooling fan must
  • 4. 3946 IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 59, NO. 10, OCTOBER 2012spin at a minimum speed of 4500 rpm when the temperatureis higher than 72◦. We want to detect attacks that violate thisconstraint. Suppose that the value measured by the thermometerof the boiler is stored in the first holding register of the PLCwhich respond to the address 10.0.2.31:502 and that the rotationspeed of the fan is stored in the second holding register of thePLC responding on 10.0.2.45:502. Then, the following criticalstate rule makes the firewall block any command leading to astate that does not satisfy the previous constraint:PLC[10.0.2.31 : 502].HR[1] 72,PLC[10.0.2.45 : 502].HR[2] 4500→ Block.This simple example system has only two component values;thus, any state can be represented by a vector in R2. Sup-pose that the water temperature is mapped to the first vectorcomponent and the fan speed to the second one, the stateu = (60, 4000) is a licit state, while v = (80, 4000) is critical.The configuration of the rules is not a trivial activity andmust be performed by expert technicians. However, this is truefor every rule-based firewall. The difference here is that theconfiguration, dealing with the states of an industrial process,must be performed by a process engineer instead of a computerengineer.VI. PREDICTING CRITICALITY: CRITICALSTATE DISTANCEIn this section, we present a way of predicting whether thesystem is leading to a critical state. The method is based on thenotion of distance from critical states, capturing the concept of“critical state proximity.” Predicting criticality can be achievedby tracking changes of the distance between the current systemstate and the critical formulas. The state evolution monitor isused to track the current system state values, and the distance iscalculated using these values.1) State-State Distance: The distance notion is parametricwith respect to a metric on the system state space. Let d : Rn×Rn→ R+be any metric on Rn. In other words, let d be anynotion of distance between two system states. In this paper, twodistances are of particular interest:d1(s, t) =ni=1|si − ti| dv(s, t) = #{i|si = ti}.The distance d1 is also known in literature as the Manhattandistance. The distance dv counts the number of system com-ponents whose values differ among two states. In Example 1,d1 computes how close the water temperatures and the fanspeed are to critical values. Let s = (80, 4000) be a criticalstate. Let u = (40, 4000) and v = (70, 4000) be two states.Values d1(u, s) = 40 and d1(v, s) = 10 indicate that the statev is closer to s than u, i.e., u is more secure than v. Instead,the distance values dv(u, s) = 1 and dv(v, s) = 1 indicate thatu and v are equally distant from s. Indeed, only one systemcomponent (the temperature sensor) has a different value fromthe state s in both the states u and v. The actual choice of d1or dv depends on the notion of the criticality that has to becaptured. When only the number of critical system componentsmatters, the distance dv is more appropriate. When the actualvalue of system components is important in order to establishthe criticality of the system, then the distance d1 is moreappropriate.2) State-Critical States Distance: Given any distance func-tion on Rn(e.g., as d1 or dv defined in Section VI-1), the notionof distance between a state and a set of states can be defined asd(s, S) = inft∈S d(s, t).1This definition mimics the common sense of distance be-tween a point and a collection of points. The notion of distancebetween a system state and the set of critical states is defined byd(s, CS). It is crucial to stress that it is completely parametricwith respect to the metrics chosen on Rn.3) Distance Evaluation: In the following, the evaluation ofthe distance d(s, CS) defined in Section VI-2 is presented. Itis based on the representation of critical formulas based oninterval constraints.Computing the distance does not follow directly from itsdefinition. For an efficient implementation, it is necessary totake advantage of the shape of the set of critical states. Thelanguage of critical conditions implies that, for each rule condi-tion, the critical values for every component belong to intervals(bound or unbound) of real numbers. This information is usedfor computing the distance efficiently as follows.An interval constraint C = I1, . . . , In is a sequence of nintervals on R, where n is the number of system components. Aconstraint specifies a critical range for each system componentvalue. A system state s is critical w.r.t. a constraint C if andonly if for each i = 1 . . . n, the i-th system component valuesi ∈ Ii. Every critical formula φ can be represented as one ormore interval constraints. A set of constraints {C1, . . . Ck} isequivalent to the formula φ if for every state s satisfying φ,there exists at least one constraint Cj such that s is criticalw.r.t. Cj. Considering the Example 1, let φ = PLC[10.0.2.31 :502]. HR[1] = 50 be a critical formula. It is not possible tofind an interval constraint equivalent to φ. However, let C1 =[−∞, 49], [−∞, +∞] and C2 = [51, +∞], [−∞, +∞] be twoconstraints. The set of constraints {C1, C2} is equivalent to φ,indeed any state satisfying φ also satisfies C1 or C2, and viceversa.The notion of equivalent set of constraints is used as the basisfor implementing a feasible memory representation of criticalformulas. It is possible to scan a critical formula φ in order toeasily build an equivalent set of constraints. This is done onlyonce during the initialization phase of the firewall. Consideringthe Example 1, letφ =⎛⎝PLC[10.0.2.31 : 502].HR[1] ≥ 60,PLC[10.0.2.45 : 502].HR[1] < 5000PLC[10.0.2.31 : 502].HR[1] < 100⎞⎠ .Scanning the formula φ allows to collect the critical rangesfor each system component identifier and compute the fi-nal set of constraints equivalent to φ. In this case, the set1As standard in literature, the expression inf A, where A ⊆ R is a set ofreal numbers, denotes the greatest lower bound of A, i.e., inf A = max{x ∈R|∀y ∈ A.x ≤ y}. Moreover, inft∈S d(s, t) = inf{d(s, t)|t ∈ S} for anygiven s ∈ S.
  • 5. NAI FOVINO et al.: CRITICAL STATE-BASED FILTERING SYSTEM FOR SECURING SCADA NETWORK PROTOCOLS 3947of equivalent constraints contains only the constraint C =[60, 100], [−∞, 5000].Let {C1, . . . , Ck} be a set of constraints equivalent to acritical formula φ. The following equations hold:d(s, φ) = minki=1 d(s, Cj) (1)d(s, C = I1 . . . In) =ni=1d(si, Ii). (2)The distance d(s, CS) = minφ d(s, φ) can be calculated us-ing (1) and (2), implemented with nested iterations on theconstraints computed in the initialization phase and on theintervals of each constraint. Time complexity is linear inthe number of predicates occurring in the critical formulas.Equation (2) is parametric w.r.t. the actual distance used.Precisely, the function d(si, Ii) in the right-hand side of theequation stands for both d1 and dv. The following definitionsallow to easily implement the distance calculation algorithm:d1(x, I) =⎧⎨⎩x − sup I sup I ≤ xinf I − x inf I ≥ x0 otherwisedv(x, I) =1 x ∈ I0 x ∈ Iwhere inf I and sup I are, respectively, the lowest and thehighest endpoints of the interval I. Summarizing, in order tocalculate the distance d(s, CS) between a state and a set ofcritical states, using the Manhattan distanced1 or the discretedistancedv on R, it is sufficient to calculate a set of intervalconstraints equivalent to each critical formula during the ini-tialization phase. During the evolution of the system, both thecriticality of the current state and the distance from the criticalstates can be calculated implementing (1) and (2). The actualchoice of the dv or d1 depends on the chosen notion of distance.VII. OPERATIVE OVERVIEWIn this section, we present a high-level description of theprototype implementing the presented approach. The firewall,while analyzing the packets in search for known signatures,keeps updated a digital representation of the system physicalstate. The value of each component is tracked by a softwareobject reproducing a memory map representation of PLCs andMasters. The behavior of these virtual elements is managedon the basis of the following consideration: relying on theassumption that the control flow between Master and Slavescontains a compact representation of the evolution of thesystem, by analyzing this traffic, it is possible to maintainin the firewall memory a reasonable reproduction of the realsystem state. Moreover, to guarantee a tight synchronizationbetween the virtual system and the real system, the prototypecontains a master emulator for directly querying the PLCs ofthe monitored system. As just said, the firewall, when receivinga packet containing a SCADA command, updates the virtualsystem before forwarding the packet to the proper destination.This operation is equivalent to project the state of the systemone step in the future. If the virtual execution of a commandputs the virtual image of the system into a critical state, it willbe automatically blocked (or an alert will be raised dependingon the action of the corresponding rule). Moreover, by adoptinga particular metric presented in the previous section, it wouldbe possible to monitor the evolution of the system toward a setof different possible critical states, in order to raise an alert ifsome critical state is approaching. The rule analyzer is the coreof our firewall. It is in charge of monitoring the virtual system insearch of transitions to critical states. This is done by scanningthe updated virtual image and checking whether at least one ofthe critical state rules is triggered. Another relevant moduleof the proposed approach is the state controller (SC) in chargeof keeping updated the system virtual image by analyzingthe traffic between the process network and the field networkand changing correspondingly the system virtual image. Afterreading a SCADA packet sent from the master to a slave,the SC module takes note of all the writing functions (fromthe master to the slave) and of the reading responses (from theslave to the master) that are relevant for a system virtual imageupdate. Afterward, the SC module performs such update.VIII. TESTThe tests were carried out in our Testbed for IndustrialNetworking Security laboratory. This laboratory was createdthanks to a cooperative research activity with a prominentpower company. It is conceived to mimic the physical aspectsand the control architecture of a typical power plant. A complexelectromechanical device consisting of pipes, valves, sensors,pumps, etc., is used to physically emulate the different statesand thermodynamic processes of a power plant. Such a systemis directly connected, through the field network and the processnetwork, to the SCADA servers typically used to control realpower plants process networks. For the following tests, we haveused the Modbus over TCP protocol and PLCs of the ABBAC800 family.A. PerformanceNetwork performance and stability with respect to possibledelays are crucial for networked control systems [24], [25].In the following, we measured the performance in terms oflatency, distance analyzing time, system state update time, andmemory usage. It is not easy to find commonly agreed networkperformance requirements for SCADA systems in literature,particularly to find a threshold for network packet latency. In[27], Quiang et al. present the performance analysis of twocommunication architectures for the regional control of powerdistribution networks, an optimal architecture designed fromscratch using state-of-the-art technologies and an already inplace and old architecture. The network delays range from260 ms of the optimal solution to the 104msec of the worstcase. Su et al. [26] performed an analysis of the SCADAreliability on the basis of network performance. The analysisenables to identify the operation time needed to completeSCADA functions. The authors estimate that the transmissiontime may reach few hundreds of milliseconds without compro-mising its functionalities, both in average and in emergencystate. In [28], the same authors perform an analysis on theimpact of WAN performance on an energy distribution sys-tem with centralized and fully distributed models. Here, is
  • 6. 3948 IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 59, NO. 10, OCTOBER 2012Fig. 2. Communication latency with and without the critical state-basedfirewall.interesting to note how in emergency situation (e.g., conges-tion) the delays introduced fall in between 0.129 ms (fully dis-tributed model) and many seconds (centralized model). In thefollowing, we will take as reference all these results to measurethe impact of the proposed solution on the SCADA systemcommunication flow.1) Latency: Latency is the time required by the system tocomplete a single transaction. A Modbus transaction consists ofa Master request followed by a Slave answer. We implemented ascenario for measuring the latency introduced by the FW, withfour Masters connected to 16 PLCs. Each PLC is configuredwith at least 100 different analog and digital IO. The firewall isconfigured with 2000 rules.Fig. 2 shows the latency in a TCP Modbus transactionmeasured in two different scenarios: 1) in a network withoutany element in between the masters and the slaves and 2) ina network with the critical state-based firewall in the middle.The test has been repeated several times varying the networkcongestion. The delay introduced by the firewall is under 2 ms.Considering the data presented in [26], [27] and [28], theoverhead introduced by our firewall prototype is two order ofmagnitude lower than this value. Thus, we consider it negligibleand satisfactory.2) Distance Performance: The computation of the distanceof the actual state of the system from a set of candidate criticalstates might be computationally expensive. To analyze the costof this operation, we performed three separated tests.1) Predicates Test: The rule set is composed of onlyone critical formula which has a variable number ofpredicates (up to 2000) related to the same systemcomponent.2) System Components Test: The rule set contains onlyone critical formula which has a variable number ofpredicates (up to 2000) related to different systemcomponents.3) Rules Test: The rule set is composed of a variable numberrules (up to 2000).The results are shown in Table I for the three parts of thetest. All tests confirm that the time required for calculatingthe distance is linear with the number of predicates. In test 1,the time elapsed for calculating the distance [Table I(a)] isnegligible, considering also that a list of 2000 predicates fora single system component is improbable. In test 2, the timespent for calculating the distance [Table I(b)] is lower than 6 mswhich is a good result. In test 3, the time needed for calculatingrule distances [Table I(c)] is relatively high, but the growth islinear, and the maximum time is less than 60 ms for a numberFig. 3. System state update performance test (time in milliseconds).of rules up to 2000. Thus, the performance is still good becausedistance calculation is not used for blocking commands but onlyfor raising alerts, i.e., it does not introduce any delay in theSCADA traffic flow.3) System State Update Performance: The SC module of thefirewall updates the virtual image of the system in two steps: itfinds the PLC related to the content of the packet under analysis,and then it updates the memory representation of the value ofthat PLC. It is crucial to evaluate the performance of updatingoperations. The following test was used for checking the timeneeded for updating the PLC information: the Master Stationsends 1000 requests with the command “Read n coils,” theSlave Station answers with responses that contain the n values,and the SC module between the master station and the slaveanalyzes the request/response transactions and updates the nvalues in the memory representation of the PLC.The results prove the validity of the proposed approachbecause even in the worst case, i.e., 2000 coils to update (maxi-mum value allowed according to the Modbus specification), thetime performance of the firewall is lower than 1 ms, a negligiblevalue with respect to those of reference. In addition, the elapsedtime increases with the number of coils to update in a linear wayas shown in the graph in Fig. 3.The evaluation of memory performance follows. Two datastructures with a considerable size in the critical state firewallare: the Virtual System Image and the Rules Representation.The Virtual System Data Structure is a hash table identifyingeach PLCs with a unique key. The amount of memory requiredfor each PLC object increases linearly with the number ofregisters into the PLC. The required memory for the entireVirtual System increases linearly with the number of PLC inthe system. Table II(a) shows the memory usage for each PLC,and Table II(b) shows the memory usage for a Virtual Systemcontaining PLCs composed of 65 535 registers (maximumvalue allowed according to the Modbus specification). Thegrowth is linear, and a Virtual System composed of 1000 PLCsrequires less than 400 Mbytes of memory. The other importantdata structure is used to represent the “Signature Based andCritical State Based Rules.” This data structure is a list oflists where each sublist represents a rule. The required memoryfor each rule increases linearly with the number of conditionsinto the rule, and the required memory for the entire rule setincreases linearly with the number of rules.4) Memory Usage Performance: Table III(a) shows thememory usage for each rule, and Table III(b) shows the mem-ory usage for an entire set of rules (from 1 to 2000 rules,each rule composed of four conditions). In both cases, thegrowth is linear, and a set of 2000 rules requires less than600 Kbytes.
  • 7. NAI FOVINO et al.: CRITICAL STATE-BASED FILTERING SYSTEM FOR SECURING SCADA NETWORK PROTOCOLS 3949TABLE IDISTANCE ANALYZER PERFORMANCE TESTTABLE IIVIRTUAL SYSTEM MEMORY USAGETABLE IIIRULE REPRESENTATION MEMORY USAGEB. Firewall Accuracy TestA relevant parameter to be taken into consideration whenevaluating a filtering technique is its accuracy, i.e., how gooda binary classification test correctly identifies or excludes acondition (in our case, the occurrence of a critical state).Accuracy is commonly measured in terms of false positivesand false negatives, i.e., considering how many licit pack-ets are blocked and how many attacks are not identified.In this section, the accuracy of the firewall is evaluated us-ing the same environment used for estimating the latencyperformance.We set up the following experiment: a data set was createdby collecting private traffic data in our laboratory model for15 days. The data set is made of standard SCADA trafficreflecting normal industrial activities, plus traffic generated bysimulating random malicious attacks targeting critical states.Since the proposed approach is intended as an additional featureto be added to existing firewalls, in order to detect the particularclass of attacks based on the use of chains of licit SCADAcommands, we evaluated its accuracy against such family of at-tacks. It is worth noting that the traffic congestion performanceaffects the accuracy of the firewall. In fact, in cases of highnetwork congestion, the virtual system image might be slightlydifferent from the current system state due to packet loss. Whenthat happens, critical state rules are evaluated against a notFig. 4. Day-by-day false positive and negative results.fully consistent system state, resulting in a degradation of theaccuracy. To capture this aspect, we randomly injected burstsof traffic activity with high bandwidth rates. Fig. 4 provides aclear picture of the number of licit packet blocked and attacksmissed per day. We remark that accuracy here refers to thespecific class of attacks (those composed by licit chains ofSCADA commands driving the system into a critical state), forwhich the critical state base approach has been designed. It isrelevant to note how, even considering that the tests have beenperformed using a simple home-made firewall prototype, thegeneral performance is good.IX. CONCLUSIONThe connection of industrial systems to the public networkhas introduced new security problems in an environment tradi-tionally critical, and ICT security countermeasures are not ableto completely protect such systems. This paper presents a newnetwork filtering approach for the detection and mitigation of aparticular class of cyberattacks against industrial installations.This technique is based on monitoring the evolution of the stateof the protected system and on the analysis of the commandpackets between master and slaves of a SCADA architecture.The key elements of this technique are the concept of criticalstate and the observation that an attacker, in order to damage anindustrial system, will have to modify its state from secure tocritical. The critical state validation, normally hardly applicablein traditional ICT systems, finds its natural application in theindustrial control field, where the critical states are generallywell-known and limited in number. Moreover, the introductionof the concept of critical state distance allowed to extend thefirewall features in the direction of a more complete earlywarning system. The results of the tests conducted on a pro-totype implementing the described approach demonstrated thefeasibility and validity of the proposed method. This approachpresents some advantages with respect to traditional filteringtechniques: 1) Since the network filtering is applied on the basisof the system evolution (something known) and not on the basis
  • 8. 3950 IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 59, NO. 10, OCTOBER 2012of the attack evolution (something unknown), for predefinedcritical states, this approach allows to block also “zero dayattacks,” i.e., attacks based on unknown techniques. 2) Thenumber of false positives results limited since the traffic isdropped only if the analyzed command will drive the systeminto a described critical state. There are only two cases inwhich we can have false positives or false negatives: the casein which a critical state has not been described (and this is anerror performed by who configured the firewall rules) or if thereal system and its virtual image are desynchronized (and thisis due eventually to an error in the configuration of the auto-synchronization time between the real system and the virtualsystem). On the other hand, this technique, being conceived toprotect strictly the SCADA devices, cannot protect from moretraditional ICT attacks such as virus attacks to general purposeICT systems, etc. For that reason, we see the critical state-based filtering as a technique complementary to the traditionalfirewall techniques, helping in enhancing the security of thesesystems. The configuration of the ruleset is not cheap in termof effort. However, to facilitate this process, we are planning todevelop a self-discovery engine able to automatically learn theconfiguration of the system to be protected. Moreover, for thefuture, we are planning to conduct a more extended campaignof tests on real production systems.REFERENCES[1] R. A. Gupta and M. Y. Chow, “Networked control system: Overview andresearch trends,” IEEE Trans. Ind. Electron., vol. 57, no. 7, pp. 2527–2535, Jul. 2010.[2] G. Dondossola, M. Masera, I. Nai Fovino, and J. Szanto, “Effects ofintentional threats to power substation control systems,” Proc. IJCIS,vol. 4, no. 1/2, pp. 129–143, 2008.[3] I. Nai Fovino, M. Masera, and R. Leszczyna, “ICT security assessment ofa power plant, a case study,” in Proc. 2nd Int. Conf. Critical InfrastructureProtect., Arlington, VA, Mar. 2008.[4] A. Carcano, I. Nai Fovino, M. Masera, and A. Trombetta, “ScadaMalware, a proof of concept,” in Proc. 3rd Int. Workshop Critical Inform.Infrastructures Security, Rome, Italy, Oct. 2008.[5] T. Novak and A. Gerstinger, “Safety-and security-critical services inbuilding automation and control systems,” IEEE Trans. Ind. Electron.,vol. 57, no. 11, pp. 3614–3621, Nov. 2010.[6] W. Granzer, F. Praus, and W. Kastner, “Security in building automationsystems,” IEEE Trans. Ind. Electron., vol. 57, no. 11, pp. 3622–3630,Nov. 2010.[7] A. A. Creery and E. J. Byres, “Industrial cybersecurity for power systemand SCADA networks,” IEEE Ind. Appl. Mag., vol. 13, no. 4, pp. 49–55,Jul./Aug. 2007.[8] R. Chandia, J. Gonzalez, T. Kilpatrick, M. Papa, and S. Shenoi, “Securitystrategies for Scada networks,” in Proc. 1st Int. Conf. Crit. InfrastructureProtection, Hanover, NH, Mar. 19–21, 2007.[9] M. K. Mahmood and F. M. Al-Naima, “Developing a multi-layer strategyfor securing control systems of oil refineries,” Wireless Sens. Netw., vol. 2,pp. 520–527, Jul. 2010.[10] I. H. Lim, S. Hong, M. S. Choi, S. J. Lee, T. W. Kim, S. W. Lee, andB. N. Ha, “Security protocols against cyber attacks in the distributionautomation system,” IEEE Trans. Power Del., vol. 25, no. 1, pp. 448–455,Jan. 2010.[11] T. Mander, F. Nabhani, L. Wang, and R. Cheung, “Data object basedsecurity for DNP3 over TCP/IP for increased utility commercial aspectssecurity,” in Proc. Power Eng. Soc. Gen. Meeting, Tampa, FL, Jun. 24–28,2007, pp. 1–8.[12] M. Roesch, “Snort-lightweight intrusion detection for networks,” in Proc.13th Syst. Admin. Conf. LISA, Seattle, WA, 1999, pp. 229–238.[13] Last access 9/04/2009. [Online]. Available: http://www.digitalbond.com/index.php/research/ids-signatures/modbus-tcp-ids-signatures/[14] P. Gross, J. Parekh, and G. Kaiser, “Secure selecticast for collabo-rative intrusion detection systems,” in Proc. Int. Workshops DEBS, 2004,pp. 50–54.[15] V. Yegneswaran, P. Barford, and S. Jha, “Global intrusion detectionin the DOMINO overlay system,” in Proc. 11th ANDSSS Conf., 2004,pp. 120–137.[16] F. Cuppens and A. Miege, “Alert correlation in a cooperative intrusiondetection framework,” in Proc. Security Privacy, 2002, pp. 202–215.[17] I. Nai Fovino and M. Masera, “A service oriented approach to theassessment of infrastructure security,” in Proc. 1st Annu. IFIP Work-ing Group 11.10 Int. Conf. Crit. Infrastructure Protection, DartmouthCollege, Hanover, NH, Mar. 19–21, 2007, pp. 367–379.[18] I. Nai Fovino and M. Masera, “Emergent disservices in interdependentsystems and system-of-systems,” in Proc. IEEE Conf. Syst., Man Cybern.,Taipei, Taiwan, Oct. 2006, pp. 590–595.[19] M. Masera and I. Nai Fovino, “Models for security assessment and man-agement,” in Proc. Int. Workshop Complex Netw. Infrastructure Protect.,2006, pp. 1–12.[20] I. Nai Fovino and M. Masera, “Modelling information assets for securityrisk assessment in industrial settings,” in Proc. 15th EICAR Annu. Conf.,Hambourg, Germany, 2006, pp. 137–149.[21] R. Isermann, “Supervision, fault-detection and fault-diagnosis methods—An introduction,” Control Eng. Pract., vol. 5, no. 5, pp. 639–652,May 1997.[22] R. Isermann, “Process fault detection based on modelling and estimationmethods—A survey,” Automatica, vol. 20, no. 4, pp. 387–404, Jul. 1984.[23] P. M. Frank, “Advanced fault detection and isolation schemes usingnon linear and robust observers,” in Proc. 10th IFAC Congr., Munich,Germany, 1987, vol. 3, pp. 63–68.[24] K. Natori and K. Ohnishi, “A design method of communication distur-bance observer for time-delay compensation, taking the dynamic propertyof network disturbance into account,” IEEE Trans. Ind. Electron., vol. 55,no. 5, pp. 2152–2168, May 2008.[25] A. Onat, T. Naskali, E. Parlakay, and O. Mutluer, “Control over imper-fect networks: Model based predictive networked control systems,” IEEETrans. Ind. Electron., vol. 58, no. 3, pp. 905–913, Mar. 2011.[26] C.-L. Su and Y.-C. Chang, “A SCADA system reliability evaluationconsidering performance requirement,” in Proc. Int. Conf. Power Syst.Technol., Singapore, 2004, pp. 574–579.[27] Y. Quiang, J. A. Barria, and C. A. H. Aramburo, “A communicaton systemarchitecture for regional control of power distribution networks,” in Proc.7th IEEE Int. Conf. INDIN, 2009, pp. 372–377.[28] C. L. Su, C. N. Lu, and M. C. Lin, “Wide area network performance studyof a distribution management system,” in Proc. Transm. Distrib. Conf.,Apr. 11–16, 1999, vol. 1, pp. 136–141.Igor Nai Fovino received the Ph.D. degree in computer science in March 2006.He is the Head of the Research Department of the Global Cyber SecurityCenter, Rome, Italy. His main research activities are related to Secure Protocols,Intrusion Detection, Malware, Critical Infrastructure Protection. In these fields,he is author of more than 60 peer-reviewed papers published on internationaljournals and conference proceedings.Alessio Coletta received the M.S. degree in computer science, he previouslyworked as scientific officer at the JRC of the European Commission andcurrently works at Global Cyber Security Center, Rome, Italy, on researchactivities on ICT and Industrial Security, Malware, and Critical InfrastructureProtection.Andrea Carcano received the Ph.D. student in computer science at the InsubriaUniversity, Varese, Italy. He is studying computer security in distributed system,industrial protocols, and intrusion detection.In this field, he is author of seven papers.Marcelo Masera received the M.S. degree in electric engineering, he possessesa background in electronics and electrical engineering, with 25 years ofprofessional experience in the field. He has been a scientific officer of theEuropean Commission at the Joint Research Centre since 2000.Dr. Masera is the Head of the Energy Security Unit of the JRC-Institute forEnergy.