Autonomic Critical Infrastructure Protection (ACIP)

Overview

Vulnerabilities of SCADA systems are numerous: cyber attacks, malicious privileged insiders, operator error, and equipment failure. In order to protect data, ensure reliable operation, and ultimately protect human life, these systems need a high degree of defense against multiple threat vectors. When a SCADA system is being designed and deployed, security and reliability need to be the primary concerns. Any of these threat vectors can cause equipment damage, incur economic losses, or even cost lives.

We are working on designing SCADA systems with high security and high fault tolerance. The systems will be designed using multiple levels of protective components. Autonomic systems will be employed to increase security and fault tolerance, reduce system downtime, and reduce economic impacts. Autonomia will be used to provide data and control validation components. The goal is to create a testbed that can run a SCADA system using a set of components (hardware and software tools) and methodologies that can be deployed to develop ways to protect and secure SCADA protocols such as Modbus and DNP3.

Project Goals

- Develop capabilities for detecting malicious cyber attacks and/or physical threats.

- Characterize current state of SCADA Systems and perform risk and impact analysis.

- Develop mechanisms to minimize and recover from any type of cyber and physical attacks.

- Build a SCADA testbed to experiment with, evaluate and demonstrate our ACIP system.

- Validate the tools being developed in a real environment.

Figure 1: SCADA Testbed

A new SCADA system has been implemented, but it has no active process control beyond monitoring the state of inputs and driving the outputs of several PLCs. Many tools were used to develop this testbed: servers, switches, routers, PLCs (Siemens, Allen Bradley, ABB), etc. Wonderware was used as the commercial software for the SCADA testbed. Figure 1 shows the testbed developed in the ACL at the University of Arizona. As mentioned before, the ASPS was renamed ACIP and has been placed between the SCADA zones shown in figure 2:

- Enterprise Zone: It represents an administrative business network.

- Demilitarized Zone (DMZ): A set of machines that models a small network between the organization's private network and the outside, to prevent any direct access.

- Industrial Control Process Zone: Represents the SCADA system and any workstation with control functionality. Wonderware was used to build this zone.

- Remote Field Zone: Three PLCs (Siemens, Allen Bradley and ABB) represent the field devices that handle the control processes.

Figure 2: Industrial Control Testbed Architecture

Wonderware System Platform

Wonderware is an industrial automation system for supervisory control and production management. It provides real-time visualization, flexibility, alarm information, system monitoring, a historical database and flow analysis. Wonderware is a leading provider of SCADA platform architectures for companies around the world, as it is easy to use, maintain and upgrade. Besides, it can connect to any PLC, RTU, IED, historical database or automation system implemented by different vendors.

Wonderware was used to create the system platform for the SCADA testbed at the University of Arizona. Figure 3 shows the configuration followed to build the SCADA system. Three servers were used to build the Information, Application and Historian servers. Another server was used to build the InTouch and ArchestrA IDE server, along with three clients.

Figure 3: Wonderware Configuration

InTouch & PLCs

InTouch, a Windows application, is part of the Wonderware development studio platform and is used to build a Human Machine Interface (HMI) that provides real-time graphic visualization for SCADA system control and management. In order to create a design for any automation system, InTouch uses DA Servers as communication protocol servers to provide connectivity to any controller data.

Figure 4: Siemens HMI

Wonderware developed multiple DA Servers compatible with many different vendors and SCADA protocols that operate over Ethernet or serial links. The SCADA testbed at ACL has three different PLCs that represent Master Terminal Units and communicate over Ethernet. The PLCs were programmed to communicate with the HMI using MODBUS and PROFINET. As a result, two DA Servers were used:

- ArchestrA.DASSIDirect was used to communicate with SIEMENS SIMATIC S7-1200 through PROFINET, and the HMI built for this PLC is shown in figure 4.

- ArchestrA.DASMBTCP was used to communicate through MODBUS with two different PLCs: Allen Bradley MicroLogix 1400 Series B, and ABB PM564-R-ETH.

Outputs of the Siemens S7-1200 were wired to LEDs to show the current state, while the inputs were connected to a table of switches. This PLC was programmed to act as a Modbus slave (server) in order to evaluate ACIP against attacks over Modbus.

ACIP

Autonomic Computing is analogous to the human nervous system: computing systems and applications can be self-configured, self-optimized, self-healed and self-protected with little involvement from the users and/or system administrators. ACIP will continuously monitor and analyze software behaviors, resource usage, and interactions with the surrounding environment to detect any anomalies that might have been caused by cyber and/or physical attacks. Once an anomalous behavior is detected, ACIP will invoke appropriate policies and actions to disrupt and mitigate the impacts of the detected attacks.

Figure 5: ACIP Framework

Figure 5 shows the main ACIP modules to be developed to achieve the desired highly secure SCADA system capabilities: Online Monitoring, Feature Selection and Correlation, Multilevel Behavior Analysis, Decision Fusion, Automated/Semiautomated Actions, Adaptive Learning and Visualization.
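The Online Monitoring and Multilevel Behavior Analysis modules above, applied to the Modbus traffic the testbed's Siemens PLC serves (see the InTouch & PLCs section), can be illustrated with a small parser-plus-baseline check. The code below is an added example, not ACIP's or the project's own code: it parses Modbus/TCP request frames (MBAP header and PDU, per the Modbus application protocol), compares each request against a whitelist learned from normal HMI traffic, and flags requests from unknown hosts, writes from hosts that never write, coil writes outside the eight LED outputs, and malformed frames. The HMI address `10.0.3.10`, the second host `10.0.3.99`, the `Baseline` whitelist and the sample frames are all constructed for the example.

```python
"""Modbus/TCP request parser with a baseline anomaly check (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public function codes from the Modbus application protocol specification.
FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FCS = {5, 6, 15, 16}   # any write changes PLC state
COIL_WRITE_FCS = {5, 15}     # writes whose address refers to a coil (output)


@dataclass
class ModbusRequest:
    src: str                # IP address of the host that sent the request
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]  # starting address carried by the PDU, if any
    data: bytes


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request; raise ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    # MBAP: transaction id, protocol id (always 0), length, unit id
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    data = frame[8:]
    address = struct.unpack(">H", data[:2])[0] if fc in FC_NAMES and len(data) >= 2 else None
    return ModbusRequest(src, tid, unit, fc, address, data)


@dataclass
class Baseline:
    """Whitelist learned from normal traffic to one PLC (constructed values below)."""
    masters: set           # hosts allowed to talk to the PLC at all
    writers: set           # hosts allowed to issue write function codes
    function_codes: set    # function codes seen during normal operation
    coil_range: range      # coils actually wired to outputs (the LEDs)


def check_request(req: ModbusRequest, baseline: Baseline) -> List[str]:
    """Return the anomaly alerts raised for one request (empty list means normal)."""
    alerts = []
    if req.src not in baseline.masters:
        alerts.append(f"unknown master {req.src}")
    if req.function_code not in baseline.function_codes:
        name = FC_NAMES.get(req.function_code, "unknown")
        alerts.append(f"function code {req.function_code} ({name}) outside baseline")
    if req.function_code in WRITE_FCS and req.src not in baseline.writers:
        alerts.append(f"write from non-writer host {req.src}")
    if req.function_code in COIL_WRITE_FCS and req.address is not None \
            and req.address not in baseline.coil_range:
        alerts.append(f"write to coil {req.address} outside output range")
    return alerts


def monitor(frames, baseline: Baseline) -> List[Tuple[str, Optional[int], List[str]]]:
    """Run each (src, frame) pair through the parser and the baseline check."""
    report = []
    for src, frame in frames:
        try:
            req = parse_modbus_tcp(src, frame)
        except ValueError as exc:
            report.append((src, None, [f"malformed frame: {exc}"]))
            continue
        report.append((src, req.function_code, check_request(req, baseline)))
    return report


# Constructed testbed values: one InTouch HMI polling eight LED coils on unit 1.
HMI = "10.0.3.10"
TESTBED_BASELINE = Baseline(masters={HMI}, writers={HMI},
                            function_codes={1, 2, 5}, coil_range=range(0, 8))

SAMPLE_TRAFFIC = [
    (HMI, bytes.fromhex("000100000006010100000008")),         # read coils 0-7 (normal)
    (HMI, bytes.fromhex("00020000000601050003FF00")),         # write coil 3 ON (normal)
    ("10.0.3.99", bytes.fromhex("00030000000601050003FF00")), # write from a host never seen
    (HMI, bytes.fromhex("000400000006010501F4FF00")),         # write coil 500: not wired
    (HMI, bytes.fromhex("000500000009010100000008")),         # length field says 9, frame has 6
]

if __name__ == "__main__":
    for src, fc, alerts in monitor(SAMPLE_TRAFFIC, TESTBED_BASELINE):
        print(src, fc, alerts or "ok")
```

The check is deliberately a whitelist rather than a signature list: anything the HMI did not do during the learning period is reported, which is the property a self-protecting controller wants on a network where the set of legitimate masters and writable coils is small and stable.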

Attack Library

Figure 6: Attack Library

The attacks were launched from a machine that represents the attacker. HMIs and PLCs are on two different subnets and connect through Ethernet using SCADA protocols over TCP/IP. The attack library, shown in figure 6, can monitor the status of all the LEDs (seen as the green and gray lights in figure 6) as well as launch attacks on the PLC.

Visualization

A prototype visualization module was installed in one of the testbed machines for display using the testbed visualization subsystem. Figure 7 shows a typical screen shot of the visualization for the control anomaly experiments.

Figure 7: ACIP Visualization

Autonomic computing is a promising paradigm for securing and protecting SCADA systems. ACIP could detect the launched attacks, and by developing more successful detection scenarios, ACIP will become ready to be deployed in real industrial control systems in order to build the smart grid. Analyzing SCADA protocols and characterizing cyber attacks on the electrical power grid will contribute to the security of existing critical infrastructure assets as well as to the design of next-generation SCADA systems that are secure, reliable and resilient.