International Management Review, Vol. 3, No. 2, 2007
Analysis of SCADA Security Models
Sandip C. Patel
Department of Information Sciences & Systems
Morgan State University, Baltimore, Maryland, USA
Yingbing Yu
Division of Natural and Mathematical Sciences
LeMoyne-Owen College, Memphis, Tennessee, USA
[Abstract] Supervisory control and data acquisition (SCADA) networks control the critical
infrastructure of many countries. The lack of security in the SCADA networks has caused an
urgency to upgrade existing systems to withstand hostile attacks. When new security models
are proposed to enhance security of SCADA systems, the models have to be tested to verify
that they provide the intended security. In this research, vulnerability and threat analyses are
presented as effective methods for testing new SCADA security models. We illustrate the use
of these methods on two security models for enhancing the DNP3 SCADA communication protocol.
[Keywords] SCADA; security models; DNP3; threat evaluation; vulnerability analysis
Introduction
Supervisory control and data acquisition (SCADA) networks are used by industrial sectors
and critical infrastructure utilities to carry data on electricity, water, oil, and gas. A SCADA
system is a common process automation system that helps gather field data from sensors and
instruments, transmit and display this data at a central site, and send control messages to the
field devices. That is, SCADA networks enables receiving such data from remote field
devices and sending control messages to remote devices from a control station. The field data
is usually viewed on one or more SCADA host computers, referred as the master terminal
units or MTUs, located at the central or master site. Real- world SCADA MTUs can monitor
and control several hundred field devices known as remote terminal units or RTUs. In
addition to infrastructure utilities, SCADA networks are also used in industrial process plants,
such as steel production, power generation (conventional and nuclear) and distribution, and
nuclear fusion. The size of such plants ranges from a few thousand to several thousand
input/output (I/O) channels. However, SCADA systems evolve rapidly and are now
penetrating the market of plants with I/O channels of up to several hundred thousand.
The reliability of operations of modern infrastructures and many critical industries depends
heavily on SCADA networks. SCADA disruptions can directly and indirectly affect many
different infrastructures, impact large geographic regions, and send ripples throughout the
national and global economy. Cyber interdependencies are a result of the pervasive
computerization and automation of infrastructures (Rinaldi et al., 2001). For example, the
disruption of the electric power infrastructure disrupts fuels (natural gas and petroleum),
which in turn disrupts transportation, water, banking and finance, and telecommunications.
The architecture of a SCADA system consists of one or more MTUs that are used by
engineers in a control station to monitor and control a large number of RTUs. An MTU is a
midrange computer running SCADA utility programs. RTUs are generally small dedicated
devices with some processing power, designed for rugged field or industrial environments. One
or more SCADA MTUs retrieve real-time analog and status data from RTUs, then store and
analyze these data. MTUs send control commands to the RTUs automatically or enable the
engineers to do so manually. Modern SCADA control systems lack security and are very
vulnerable to cyber attacks (Byres, Hoffman, and Kube, 2006).
Modern SCADA networks, integrated with corporate networks and the Internet, have become
far more exposed to cyber attacks. By sending a false control message, an intruder can, for
example, manipulate traffic signals, electric-power switching stations, chemical
process-control systems, or sewage-water valves, causing major damage to public safety and
health. Risk management is a decision-making process and a phase in the life cycle of
information security management (Conklin et al., 2004). It is an iterative process to
identify threats, determine what could happen to an organization if the threats materialized,
and analyze what can be done to control the impact. As a result of the risk management
process, one or more security models are proposed. These models need to be evaluated for
their correct functionality. In this research, we take the two security models presented in
Graham and Patel (2005).
Security Models of SCADA
The transmission of data and control commands between an MTU and an RTU, referred to as
SCADA communications, is carried over a variety of media, including Ethernet, corporate
frame relay, Fibre Channel, CDPD cellular systems, microwave links, direct satellite
broadcast, and many licensed or unlicensed radio systems, as shown in Figure 1. The most
common protocols used for the communication are IEC (International Electrotechnical
Commission) 60870-5-101, Distributed Network Protocol or DNP3 (DNP3 Web), and Modbus. The
IEC and DNP3 protocols provide more functionality than Modbus and are used for higher data
volumes. IEC protocols dominate the market in Europe, whereas DNP3 is a major market player
in North America (Makhija and Subramanyan, 2003). DNP3 is also widely used in Australia and
China.
Two DNP3 security models, based on initial work by the DNP3 User Group, were proposed in
(Hieb, Graham, and Patel, 2007; Graham and Patel, 2005; Patel, 2006; Graham, Mostafa, et al.,
2007). They are described in the next two subsections, and the analyses are presented in the
Threat Evaluation and Vulnerability Analysis sections.
Model 1: Authentication via Digital Signatures
In this model, digital signatures are combined with a cryptographic checksum (a secure hash).
The sender of the message (typically an MTU) computes a hash digest over an input stream
consisting of a timestamp and the part of the message to be protected. A hash digest is a
fixed-size value computed from the input stream; for a secure hash it is computationally
infeasible to find two different inputs with the same digest, so the digest stands in for the
message. The sender signs this digest with its private key (in textbook RSA terms, "encrypts"
it) and transmits the message together with the signed digest. The receiver (typically an
RTU) applies the sender's public key to the signed digest to recover the hash value. The
receiver also computes its own digest over the message part and timestamp it received and
compares the two. If they match, the receiver concludes both that the message was signed by
the holder of the private key (authenticity) and that its contents were not altered in transit
(integrity). Note that applying the public key always yields some value; authenticity is
established only by the comparison, not by the decryption step itself, and an implementation
should use a standard signature scheme with proper padding (for example RSA-PSS or ECDSA)
rather than raw modular exponentiation on the digest.
This security model was designed to protect against replay, spoofing, and modification
attacks. Since the message itself travels in plaintext, the model does not protect against
eavesdropping. For SCADA networks this was considered acceptable, since the values sent by an
MTU, such as a new valve position or a water-tank level set point, are not secret in
themselves. Plaintext traffic does, however, still disclose process state and device
addressing that an intruder can use when planning a later attack.
Figure 1. SCADA Architectural Components
Model 2: Authentication via Challenge Response
This model is designed to verify the identity of two communicating devices (an MTU and an
RTU). Either device can verify the other. Typically, an RTU would verify an MTU when the RTU
receives a request to establish a connection, at random intervals after the connection has
been established, or when it receives an atypical control value from an MTU. An MTU would
typically verify an RTU when it receives an atypical field value or at random intervals. This
model is designed to protect against man-in-the-middle attacks.
In this model, the participating MTU and RTU share a secret value, typically a few bytes
long. When a device wants to verify that the other device is authentic, it sends a random and
unpredictable number as a challenge. The responding device concatenates the pre-shared secret
with the challenge, computes a hash digest over the result, and sends the digest as the
response. The challenging device knows what the digest value should be, since it holds both
the challenge and the secret needed to compute it, and can therefore check whether the
response is correct. (A keyed MAC such as HMAC over the challenge is the standard way to
realize this today; a plain hash over secret and challenge is the construction the model
describes.)
Threat Evaluation of SCADA
Misuse IDSs (knowledge-based or signature-based) look for specific patterns that define a
known attack. Information about known attacks and vulnerabilities of the system is encoded
into a "signature", and any actions on the system that match a signature are reported as
attempted intrusions. Signatures are patterns related to known attacks or misuse symptoms
and are useful for specifying the features, conditions, arrangements, and interrelationships
among events that lead to an intrusion. They may be as simple as a character-string match for
a single term or command, or as complex as state-transition models written in a formal
notation. Most virus detection programs are examples of misuse detection. Another widely used
method is to analyze user keystroke patterns, looking for specific keystroke sequences that
indicate an attack being entered by a user. Typing biometrics is the analysis of a user's
keystroke patterns; each user has a unique way of using the keyboard to enter a password.
Threat analysis can show that a proposed model has the potential to guard against the attacks
that threaten SCADA. Specifically, the analysis verifies whether the intended attacks can be
prevented by a model. We performed the threat analysis by taking each threat and analyzing
how it would be prevented by the cryptographic components of the proposed models.
The following threat analysis scrutinizes the models to verify that they work as intended,
that is, provide the desired protection from attacks. Threat analysis is a comprehensive
model analysis that considers both models together. The modification, spoofing, and
non-repudiation analyses below refer to the protection provided by digital-signature
authentication; a shared-secret challenge-response cannot provide non-repudiation, since both
parties hold the secret. The man-in-the-middle analysis refers to protection from
challenge-response authentication. The replay analysis refers to both authentication methods
(first digital signature, then challenge-response). The specific threat analyses are as
follows:
• Modification attack: An intruder may try to intercept a message, such as a status request
by an MTU, and change it into another message, such as a control message asking to switch on
a circuit breaker. The intruder will not succeed, because the hash digest attached to the
message covers the protected part of the message, so once the message is changed the old
digest is no longer valid. If the intruder calculates a new digest, he/she cannot sign it,
since signing requires the sender's private key, which the intruder does not have.
• Spoofing: An intruder may try to impersonate an MTU by sending a control message to an
RTU. The intruder cannot succeed, since he/she cannot sign the message with a valid private
key. When the receiving RTU applies the MTU's public key to the signature, the recovered
value will not match the digest it computes over the message, and it will discard the message.
• Man-in-the-middle attack: The challenging party sends a challenge that is unique and
random each time, so an intruder cannot reuse an old response (which he/she might have
captured as the man-in-the-middle) to pose as an authenticated party. An intruder inserted
between the parties is detected at the start of the session, since challenge-response
authentication is performed while the connection is established. Because the authentication
is also repeated at random intervals, an intruder who slipped in after the initial
authentication is caught later. In any case, all control messages are guarded with
challenge-response authentication as an additional safeguard. Note that a man-in-the-middle
who merely relays the challenge and the correct response unchanged passes this check; what
prevents him/her from then altering traffic is the per-message signature of Model 1.
• Non-repudiation: A digital signature provides the service of non-repudiation. If the
sender (MTU) claims that it never sent a message, it can be pointed out that the message was
signed with its private key, which nobody but the MTU knows unless the key is stolen. This
service may not be of much importance to SCADA, since its communications are between an RTU
and an MTU rather than between commercial parties.
• Replay attack: An intruder may try to intercept a message or a command and replay it
later. The receiver will reject the message because it carries a nonce (a value used only
once) that the receiver has already seen, or a timestamp outside the acceptance window. The
intruder cannot alter the nonce or timestamp, since they are covered by the signed hash
digest. Replay of a status request does little harm; replay of a control command can, which
is why control commands are additionally guarded with challenge-response authentication.
• Eavesdropping: An intruder may tap a communication channel or intercept a message to
listen to the communication between an RTU and an MTU. The models do not address this threat,
on the grounds that the intruder picks up data at the protocol level but gains no valuable
commercial information; captured traffic does reveal process state and device addressing
that can support a later attack, so this trade-off should be made consciously. The intruder
learns nothing secret from the signature in the digital-signature model, since the digest
can be recomputed from the public message anyway, and the intruder cannot get the shared
secret in the challenge-response model, because it is never transmitted over the line.
Vulnerability Analysis of SCADA
The goal of anomaly intrusion detection is to detect new or unknown attacks against a
computer system, which can be done in a number of ways, such as monitoring network activity
or monitoring user- or system-level behavior. The most significant advantage of anomaly
detection is the ability to detect novel attacks against software, variants of known
attacks, and deviations from normal usage of programs, regardless of whether the source is a
privileged internal user or an unauthorized external user. For example, by establishing
"profiles" of typical user activity (such as login time, number of failed logins, CPU usage,
etc.), an IDS can monitor current user activity and compare it with the established profiles.
Whenever a deviation beyond a predefined threshold is detected, it is reported as a possible
intrusion.
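As an added example for the two detection paragraphs (the misuse/signature detection described under Threat Evaluation and the profile/threshold anomaly detection described here), the following Python runs both techniques over a constructed log of DNP3 application-layer requests as an RTU-side sensor might see them. This is illustration code, not the authors' Snort configuration; the log format, the addresses, the training traffic and the threshold are assumptions made for the example.

```python
"""Misuse (signature) detection and anomaly (profile/threshold) detection side by side,
run over a constructed log of DNP3 application-layer requests as seen by an RTU-side
sensor. Added illustration for the two detection paragraphs; not the authors' Snort
configuration. The log format, addresses, training data and threshold are assumptions.
"""
import statistics
from collections import defaultdict

# DNP3 application-layer function codes used below.
READ, SELECT, OPERATE, DIRECT_OPERATE, COLD_RESTART = 0x01, 0x03, 0x04, 0x05, 0x0D
CONTROL_CODES = {SELECT, OPERATE, DIRECT_OPERATE}
MTU_ADDR = "10.0.0.1"        # ASSUMPTION: the only host allowed to issue control requests

# Misuse detection: each signature is (name, predicate over one parsed event).
SIGNATURES = [
    ("control-from-non-mtu", lambda e: e["fc"] in CONTROL_CODES and e["src"] != MTU_ADDR),
    ("cold-restart-request", lambda e: e["fc"] == COLD_RESTART),
]


def parse_line(line: str) -> dict:
    """Constructed log format: '<minute> <source-ip> <function-code-hex>'."""
    minute, src, fc = line.split()
    return {"min": int(minute), "src": src, "fc": int(fc, 16)}


def misuse_alerts(events) -> list:
    return [(e["min"], e["src"], name) for e in events for name, match in SIGNATURES if match(e)]


class RateProfile:
    """Anomaly detection: per-source requests-per-minute baseline learned from a training
    window; a minute whose count exceeds mean + k*stdev, or traffic from a source with no
    profile at all, is reported."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.baseline = {}            # src -> (mean, stdev)

    @staticmethod
    def _counts(events):
        counts = defaultdict(lambda: defaultdict(int))
        for e in events:
            counts[e["src"]][e["min"]] += 1
        return counts

    def train(self, events):
        minutes = range(min(e["min"] for e in events), max(e["min"] for e in events) + 1)
        for src, per_min in self._counts(events).items():
            samples = [per_min.get(m, 0) for m in minutes]   # quiet minutes count as zero
            self.baseline[src] = (statistics.mean(samples), statistics.stdev(samples))

    def detect(self, events) -> list:
        alerts = []
        for src, per_min in self._counts(events).items():
            for minute, count in sorted(per_min.items()):
                if src not in self.baseline:
                    alerts.append((minute, src, "unknown-source", count))
                else:
                    mean, stdev = self.baseline[src]
                    if count > mean + self.k * stdev:
                        alerts.append((minute, src, "rate-anomaly", count))
        return sorted(alerts)


# Constructed traffic. Training: the MTU polls the RTU 2-3 times a minute for ten minutes.
TRAINING = [f"{m} {MTU_ADDR} 01" for m, n in enumerate([2, 3, 2, 2, 3, 2, 3, 2, 2, 3]) for _ in range(n)]
# Live window: an unknown host floods READs and issues a DIRECT_OPERATE in minute 10,
# the MTU address sends 5 READs in minute 11, then 2 READs and a COLD_RESTART in minute 12.
LIVE = (["10 10.0.0.99 01"] * 8 + ["10 10.0.0.99 05"]
        + [f"11 {MTU_ADDR} 01"] * 5
        + [f"12 {MTU_ADDR} 01"] * 2 + [f"12 {MTU_ADDR} 0d"])


def demo() -> dict:
    profile = RateProfile(k=3.0)
    profile.train([parse_line(line) for line in TRAINING])
    live = [parse_line(line) for line in LIVE]
    return {"misuse": misuse_alerts(live), "anomaly": profile.detect(live)}


if __name__ == "__main__":
    for kind, alerts in demo().items():
        print(kind, alerts)
```

The two detectors are complementary: the signatures catch the control request from a non-MTU host and the cold restart, which the profile alone would not distinguish from ordinary polling, while the profile catches the burst of READs from the MTU's own address in minute 11, which matches no signature. Minute 12 stays quiet under the profile (three requests are within mean plus three standard deviations of the training baseline), so only the restart signature fires there.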
The vulnerability analysis answers the questions of why and how the model will work. Various
threats are identified. Each threat is then analyzed by constructing scenarios that reveal
what an intruder can do. A scenario records, for each attack an intruder can launch,
information such as:
• The types of attacks an intruder can launch (for example, brute-force and bypass attacks).
• The steps necessary to launch an attack.
• What information the intruder can have to begin with.
• What information the intruder can gather to improve his/her subsequent attacks.
• Attacks that can be launched by combining two or more attacks and the information
gathered from each.
• Prioritization of SCADA risks: that is, what the consequences of an attack would be (what
an intruder can achieve) and what such an outcome would mean in terms of SCADA security
risk.
A vulnerability analysis performed on a security model can be refined later, once code is
written and more implementation information is available. For example, the maximum,
minimum, and average number of tries it would take an intruder to break the system can be
derived from the cryptographic algorithm, key length, and secret length used. Based on such
information, the plausibility of each attack can be judged. If one or more attacks are
estimated to be likely, or to become possible as technology improves over time, the
vulnerability analysis indicates that the model must be revised. The following sections
demonstrate the use of vulnerability analysis on the two security models by examining what
an intruder can and cannot do. The analysis answers the questions of why and how a model
will work.
Vulnerability Analysis of Model 1: Digital Signature
To calculate the hash value, data such as the DNP3 application-layer header, the output
object header and data, the timestamp, a nonce, the hash method identifier (e.g., SHA-1,
which has since been deprecated in favor of the SHA-2 family), and the length fields of the
message fragment are used (Hieb, Graham, and Patel, 2007; Graham and Patel, 2005; Patel,
2006; Graham, Mostafa, et al., 2007). This hash value is signed with the MTU's private key.
When an RTU receives the message, it applies the MTU's public key to the signature to recover
the digest. If the recovered digest matches the digest the RTU computes itself over the
received fields, the RTU can conclude that the message came from an authentic MTU, since only
the holder of the MTU's private key could have produced a signature that verifies in this
way. Note that in this model it was chosen not to encrypt the message itself, because
encryption costs processing time on resource-constrained RTUs. Therefore, the receiver must
verify that the contents of the message were not altered by an intruder in the middle; the
integrity of the contents is verified by matching the hash digest that came with the message
to the one independently calculated by the RTU. It is possible for an intruder to read the
message, since it is not encrypted. It is also possible for the intruder to recover the
digest from the signature, since the public key required to do so is public. The intruder can
also compute a new hash value over a modified message.
However, the intruder cannot do much with this information, since he/she does not have the
private key required to sign the new digest that a changed message would need. If the
intruder attaches a value that was not produced with the MTU's private key, then, when the
RTU applies the MTU's public key to it, the result will not match the digest the RTU computes
over the message, and the RTU will conclude that the message came from an unauthentic
source. An additional safeguard is the timestamp: the receiver verifies that the time of
reception does not differ from the time of transmission by more than a given amount, leaving
the intruder as little time as possible even if he/she succeeds in faking the rest of the
values. This check requires the MTU and RTU clocks to be kept synchronized, and the
acceptance window should be chosen to cover normal link latency.
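The following Python block is an added example, not the authors' implementation, that puts the Model 1 description (under Security Models of SCADA) and the vulnerability analysis above into running code: the MTU hashes the listed fields plus timestamp and nonce and signs the digest, and the RTU applies the timestamp window, a nonce cache, and the public-key check, rejecting a replay, a stale fragment, and a fragment whose header an intruder rewrote and "signed" with the only exponent available to him, the public one. To stay within the standard library the RSA key pair is built from two fixed, publicly known Mersenne primes; that is a toy key used only to show the mechanics and is not secure. The hash-method field value, the acceptance window, and the DNP3 field bytes are assumptions constructed for the example.

```python
"""Model 1 of the paper: a signed hash digest over a DNP3 fragment, timestamp and nonce,
with the RTU-side checks described in the threat and vulnerability analyses.

Added illustration; not the authors' implementation. The RSA key pair is built from two
fixed, publicly known Mersenne primes so that the block runs with the standard library
alone: it shows the mechanics and is NOT a secure key. A deployment would use a vetted
library, freshly generated keys and a padded signature scheme (RSA-PSS, ECDSA, Ed25519)
instead of raw modular exponentiation on the digest. Field values are constructed.
"""
import hashlib
import secrets
import struct
import time

# --- Toy RSA key pair (ASSUMPTION: fixed primes, trivially factorable; demo only) ---
_P = (1 << 127) - 1                   # Mersenne prime M127
_Q = (1 << 521) - 1                   # Mersenne prime M521
N = _P * _Q                           # ~648-bit modulus, larger than a SHA-256 digest
E = 65537                             # public exponent
D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python >= 3.8)
MTU_PUBLIC_KEY = (N, E)

HASH_ID_SHA256 = 0x01                 # hypothetical value for the "hash method" field
MAX_SKEW_SECONDS = 5.0                # hypothetical acceptance window for the timestamp


def signed_stream(app_header: bytes, obj_header: bytes, data: bytes,
                  timestamp: float, nonce: bytes) -> bytes:
    """The input stream that is hashed: the fields the paper lists, each length-prefixed
    so that bytes cannot be shifted between fields without changing the digest."""
    fields = [app_header, obj_header, data, struct.pack(">d", timestamp),
              nonce, bytes([HASH_ID_SHA256])]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def digest_int(app_header, obj_header, data, timestamp, nonce) -> int:
    stream = signed_stream(app_header, obj_header, data, timestamp, nonce)
    return int.from_bytes(hashlib.sha256(stream).digest(), "big")


def mtu_sign(app_header: bytes, obj_header: bytes, data: bytes,
             timestamp: float = None, nonce: bytes = None) -> dict:
    """MTU side: hash the fragment and 'encrypt' the digest with the private key."""
    timestamp = time.time() if timestamp is None else timestamp
    nonce = secrets.token_bytes(8) if nonce is None else nonce
    sig = pow(digest_int(app_header, obj_header, data, timestamp, nonce), D, N)
    return {"app": app_header, "obj": obj_header, "data": data,
            "ts": timestamp, "nonce": nonce, "sig": sig}


class RtuVerifier:
    """RTU side: timestamp window, nonce cache against replay, then the signature check."""

    def __init__(self, public_key=MTU_PUBLIC_KEY, max_skew=MAX_SKEW_SECONDS):
        self.n, self.e = public_key
        self.max_skew = max_skew
        self.seen_nonces = set()      # a real RTU would expire entries older than the window

    def verify(self, msg: dict, now: float = None) -> bool:
        now = time.time() if now is None else now
        if abs(now - msg["ts"]) > self.max_skew:
            return False              # stale or future-dated: delayed or replayed fragment
        if msg["nonce"] in self.seen_nonces:
            return False              # exact replay inside the window
        recovered = pow(msg["sig"], self.e, self.n)   # apply the public key to the signature
        expected = digest_int(msg["app"], msg["obj"], msg["data"], msg["ts"], msg["nonce"])
        if recovered != expected:
            return False              # content modified, or not signed with the MTU's private key
        self.seen_nonces.add(msg["nonce"])
        return True


def intruder_modify(msg: dict, new_app_header: bytes) -> dict:
    """Intruder rewrites the application header (e.g. READ -> DIRECT_OPERATE) and, lacking
    the private key, 'signs' the fresh digest with the only exponent available, the
    public one. Applying the public key again at the RTU does not give the digest back."""
    forged = dict(msg, app=new_app_header)
    fresh = digest_int(new_app_header, forged["obj"], forged["data"], forged["ts"], forged["nonce"])
    forged["sig"] = pow(fresh, E, N)
    return forged


# Constructed sample fragment: a DNP3 READ (function code 0x01) of class 1 data
# (group 60, variation 2, qualifier 0x06 = all objects), no object data.
APP_HEADER = bytes([0xC0, 0x01])
OBJ_HEADER = bytes([0x3C, 0x02, 0x06])
DATA = b""


def demo() -> dict:
    rtu = RtuVerifier()
    t0 = 1_700_000_000.0                                  # fixed clock for reproducibility
    msg = mtu_sign(APP_HEADER, OBJ_HEADER, DATA, timestamp=t0)
    results = {"genuine": rtu.verify(msg, now=t0 + 1)}
    results["replay"] = rtu.verify(msg, now=t0 + 2)       # same nonce presented again
    results["stale"] = RtuVerifier().verify(msg, now=t0 + 60)   # outside the time window
    forged = intruder_modify(msg, bytes([0xC0, 0x05]))    # turn READ into DIRECT_OPERATE
    results["modified"] = RtuVerifier().verify(forged, now=t0 + 1)
    return results


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'replay': False, 'stale': False, 'modified': False}
```

The order of the checks in `RtuVerifier.verify` matters on a constrained RTU: the timestamp and nonce tests are cheap and discard replays before any modular exponentiation is spent on them. The length prefixes in `signed_stream` are there because concatenating variable-length fields without delimiters would let an intruder move bytes from one field into its neighbour while leaving the digest unchanged.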
Vulnerability Analysis of Model 2: Challenge-Response Model
This authentication method depends upon a "secret" known only to the authenticator and the
peer. The challenge is random, unique, and unpredictable; the response depends upon both the
challenge and the secret, which is added to the stream passed to the hash function. The
response value is the one-way hash calculated over a stream of octets consisting of an
identifier (a field that changes with every challenge), followed by the secret, followed by
the challenge value (the same layout as CHAP, RFC 1994). The length of the response depends
upon the hash algorithm used (e.g., 16 octets for MD5; MD5 is no longer considered suitable,
and a SHA-2 hash or an HMAC should be used). The secret is never sent over the link. Even if
the intruder tries to pose as a challenger or a responder, he/she will not have the secret
needed to calculate a correct hash value. Since the challenge is unique (different every
time), the intruder cannot reuse an old hash value that he/she might have intercepted by
eavesdropping.
Challenge-response provides protection against replay by a peer. That is, an attack by
another RTU that reuses data from a challenge-response exchange between an RTU and an MTU is
prevented through the use of an incrementally changing identifier and a variable challenge
value. Since the authenticator controls the frequency and timing of the challenges, it can
issue repeated challenges for enhanced security, limiting the time an intruder has for an
attack.
Two caveats follow from this construction. First, because the response is a deterministic
function of the secret and of values sent in the clear, an eavesdropper who captures one
identifier, challenge, and response can test candidate secrets offline; a secret that is only
"a few bytes long" can be recovered by exhaustive search, so the secret must be long and
random enough that such a search is infeasible. Second, this model can work with only one
set of secrets, that is, without separate secrets for the challenger and for the responder;
but when the same secret is used in both directions and either side may challenge, an
intruder can reflect a device's own challenge back to it and replay the answer as the peer's
response. RFC 1994 therefore recommends different secrets for each direction; binding the
responder's role into the hashed stream achieves the same effect.
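As an added example for the Model 2 description (under Security Models of SCADA) and the vulnerability analysis above, the following Python implements the challenge-response exchange with the paper's `H(identifier || secret || challenge)` layout and shows three things the analysis discusses: an old response is rejected because each challenge is answerable once; with a single secret for both directions a device's own challenge can be reflected back to it, which a role-bound HMAC variant prevents; and an eavesdropper who captures one exchange recovers a two-byte secret offline, with the number of hash evaluations counted. This is illustration code, not the authors' implementation; the secret value, the role tags, and the HMAC variant are assumptions made for the example.

```python
"""Model 2 of the paper (CHAP-style challenge-response over a pre-shared secret) with
three attacks from the vulnerability analysis: replay of an old response, reflection of a
device's own challenge when one secret serves both directions, and an eavesdropper's
offline brute force of a short secret. Added illustration; not the authors'
implementation. The secret, the role tags and the hardened HMAC variant are assumptions
made for this example.
"""
import hashlib
import hmac
import secrets


def response(secret: bytes, identifier: int, challenge: bytes, role: bytes = None) -> bytes:
    """role=None: the paper's layout H(identifier || secret || challenge) (as in RFC 1994).
    With a role tag: HMAC(secret, role || identifier || challenge), the hardened variant."""
    if role is None:
        return hashlib.sha256(bytes([identifier]) + secret + challenge).digest()
    return hmac.new(secret, role + bytes([identifier]) + challenge, hashlib.sha256).digest()


class Device:
    """An MTU or RTU holding the shared secret; acts as challenger or as responder."""

    def __init__(self, role: bytes, secret: bytes, bind_role: bool):
        self.role, self.secret, self.bind_role = role, secret, bind_role
        self.identifier = 0
        self.outstanding = {}          # identifier -> challenge still awaiting a response

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF    # changes with every challenge
        chal = secrets.token_bytes(16)                    # random and unpredictable
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return response(self.secret, identifier, challenge, self.role if self.bind_role else None)

    def check(self, peer_role: bytes, identifier: int, resp: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)     # a challenge is answerable once
        if chal is None:
            return False
        expected = response(self.secret, identifier, chal, peer_role if self.bind_role else None)
        return hmac.compare_digest(expected, resp)        # constant-time comparison


def brute_force_secret(identifier, challenge, resp, secret_len, role=None):
    """Eavesdropper's offline attack on one captured (identifier, challenge, response):
    returns the recovered secret and the number of hash evaluations it took."""
    for tries, candidate in enumerate(range(256 ** secret_len), start=1):
        guess = candidate.to_bytes(secret_len, "big")
        if response(guess, identifier, challenge, role) == resp:
            return guess, tries
    raise ValueError("secret not found")


def run(secret: bytes, bind_role: bool) -> dict:
    mtu, rtu = Device(b"MTU", secret, bind_role), Device(b"RTU", secret, bind_role)
    ident, chal = rtu.challenge()                   # RTU verifies the MTU
    resp = mtu.answer(ident, chal)
    out = {"genuine": rtu.check(b"MTU", ident, resp)}
    out["replay"] = rtu.check(b"MTU", ident, resp)  # old response again: challenge consumed
    # Reflection: the intruder, posing as the MTU, sends the RTU's own challenge back to it
    # (the RTU is also a responder) and submits the RTU's answer as the MTU's response.
    ident, chal = rtu.challenge()
    out["reflection"] = rtu.check(b"MTU", ident, rtu.answer(ident, chal))
    return out


def demo() -> dict:
    secret = b"\x4a\x9f"                # ASSUMPTION: a two-byte secret ("a few bytes long")
    out = {"unbound": run(secret, False), "bound": run(secret, True)}
    # Eavesdropper captures one exchange of the plain layout and searches the secret offline.
    rtu, mtu = Device(b"RTU", secret, False), Device(b"MTU", secret, False)
    ident, chal = rtu.challenge()
    found, tries = brute_force_secret(ident, chal, mtu.answer(ident, chal), len(secret))
    out["recovered_secret"] = found == secret
    out["tries"] = tries
    out["worst_case_tries"] = 256 ** len(secret)
    return out


if __name__ == "__main__":
    print(demo())
```

The brute-force count is the "number of tries" figure the vulnerability analysis asks for: at most 256^n hash evaluations for an n-byte secret, regardless of whether the plain hash or the HMAC layout is used, so the role binding fixes reflection but not a short secret. Only a secret long enough to make 256^n infeasible (16 random bytes or more) closes that attack.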
The vulnerability analysis scrutinized both models to verify that they work as intended.
That is, under the assumptions stated above, the analysis showed that the models provide the
desired protection from attacks.
Security Experimental Test-bed
The test-bed (Figure 2) consists of one MTU that communicates with seven RTUs. Four RTUs
are installed locally at the Intelligent Systems Research Lab at the University of Louisville
and connected to the MTU over an Ethernet LAN. The test-bed also has a WAN connection to an
RTU located at Western Kentucky University. There are two actual SCADA systems in the
Chemical Engineering Department at the University of Louisville to which the test-bed is also
connected: the Process Control Lab contains a simple level control system, and the Unit
Operations Lab contains a large binary distillation column.
Both systems use a PC and GE Fanuc iFIX™ SCADA/HMI software for process monitoring and
control. The RTUs run a DNP3 communication driver to communicate and exchange data with the
MTU. For each RTU, a Snort intrusion detection sensor is installed to monitor the traffic
going in and out of the RTU. The remote RTU is connected to the SCADA system over the
Internet. Attacks were simulated using two methods. The wireless access points installed at
the University of Louisville give the user direct access to the University Ethernet
infrastructure; the other method was to attack the system externally over the Internet.
Figure 2. Experimental SCADA Test-bed
Conclusion
This paper has discussed various aspects of the security of SCADA communication protocols.
Two security models have been verified for correctness by threat and vulnerability analyses.
The threat analyses considered attacks such as replay and spoofing and explained how the
proposed models guard against them. The vulnerability analyses examined intrusion tactics
such as brute-force and bypass attacks and explained how the security models prevent an
intruder from carrying them out successfully. The analyses indicate that the use of these
security models in SCADA communications can significantly reduce the vulnerability of these
critical systems to malicious cyber attacks, potentially avoiding the serious consequences of
such attacks.
References
Byres, E. J., Hoffman, D., & Kube, N. (2006). On Shaky Ground: A Study of Security
Vulnerabilities in Control Protocols. Proceedings of the 5th American Nuclear Society
International Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human
Machine Interface Technology, American Nuclear Society, Albuquerque, NM, November 2006.
Conklin, W. A., White, G. B., Cothren, C., Williams, D., & Davis, R. L. (2004). Principles of
Computer Security: Security+ and Beyond. McGraw-Hill Technology Education, Boston, MA.
DNP3 Web home page, http://www.dnp.org/
Graham, J. H., Mostafa, S., Arazi, B., Tantawy, A., Hieb, J., Ralston, P., & Patel, S. (2007).
Improvements in SCADA and DCS Systems Security. Proceedings of the International
Conference on Computers and Their Applications, Honolulu, HI, March 28-30, pp. 194-200.
Graham, J. H., & Patel, S. C. (2005). Correctness Proofs for SCADA Communication Protocols.
Proceedings of the 9th World Multi-Conference on Systemics, Cybernetics and Informatics,
Orlando, FL, July 10-13, pp. 392-397.
Hieb, J. L., Graham, J. H., & Patel, S. C. (2007). Cyber Security Enhancements for SCADA and
DCS Systems. Critical Infrastructure Protection: Issues and Solutions, Springer.
Makhija, J., & Subramanyan, L. R. (2003). Comparison of Protocols Used in Remote Monitoring:
DNP 3.0, IEC 870-5-101 & Modbus. M.Tech. Report, Indian Institute of Technology, Bombay,
India.
Patel, S. C. (2006). Secure Internet-Based Communication Protocol for SCADA Networks.
Doctoral Dissertation, University of Louisville, Louisville, KY, USA.
Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, Understanding, and
Analyzing Critical Infrastructure Interdependencies. IEEE Control Systems, Vol. 21, No. 6,
pp. 11-25.