EXPERIMENTAL ANALYSIS OF THE INTERNAL ATTACKS ON SCADA SYSTEMS

Abstract

Supervisory control and data acquisition (SCADA) systems play important role in electrical power system which is one of the most critical infrastructures. They usually include digital controllers like PLCs to realize the automation of electromechanical processes and to accomplish the real time services. Ensuring a secure communication between these field devices and the command center is vital from the security point of view. Because the most vulnerable part of SCADA systems is their communication protocols, this work focuses on the weaknesses of SCADA systems against the internal cyber-attacks such as Denial of Service (DoS), Man-in-the-Middle (MITM) and Replay. For this aim, a sample SCADA testbed environment has been designed at first and then the attacks mentioned above are tested on it. Experimental results show that although SCADA systems accomplish some mission critical tasks, the protocols used in their communication systems still lack of crucial security measures. Therefore, some immediate precautions to mitigate the vulnerabilities are suggested at the end of study.

Keywords

• SCADA,PLC Security,Cyber-attacks,Counter-measures

References

1. C. Yulia, et al. "A review of cyber security risk assessment methods for SCADA systems." Computers & Security 56 (2016): 1-27.
2. G. Niv, and A. Wool, "Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems." International Journal of Critical Infrastructure Protection 6.2 (2013): 63-75.
3. O. Hamed, et al. "Creating a cyber moving target for critical infrastructure applications using platform diversity." International Journal of Critical Infrastructure Protection 5.1 (2012): 30-39.
4. C. Queiroz, A. Mahmood, J. Hu, Z. Tari, and X. Yu, “Building a SCADA Security Testbed,” Third International Conferance Network and System Security, pp. 357–364, 2009
5. NIST SP 800-82, “Guide to Industrial Control Systems (ICS) Security”, 2011.
6. G. Devarajan, “Unraveling SCADA Protocols:Using Sulley Fuzzer”, Defcon 2015.
7. Kiravuo, T. Tiilikainen, S. Sarela, M. and Manner, J. “Peeking Under the Skirts of a Nation: Finding ICS Vulnerabilities in the Critical Digital Infrastructure”, Proceedings Of The 14th European Conference On Cyber Warfare And Security (Eccws-2015) Pages: 137-144, 2015.
8. https://www.shodan.io/, Retrieved on March 2016.

9. R. C. Bodenheim, “Impact of the Shodan computer search engine on internet-facing industrial control system devices”, AFIT-ENG-14-M-14. Air Force Institute Of Technology Wright-Patterson AFB OH Graduate School Of Engineering And Management, 2014.
10. N. Sayegh, A. Chehab, I. H. Elhajj, and A. Kayssi, “Internal security attacks on SCADA systems,” Third International Conference on Communications and Information Technology, ICCIT, pp. 22–27, 2013.
11. Omron FINS Ethernet Driver Help, 2015, Retrieved from
12. D. Beresford, “Exploiting Siemens Simatic S7 PLCs,” Black Hat USA, pp. 1–26, 2011.
13. R. Bayindir, S. Sagiroglu, A. Ozbilen, and I. Colak, “Investigating Industrial Risks Based On Informatıon Security For Observerable Electrical Energy Distribution System And Suggestions,” Journal of The Faculty of Engineering and Architecture of Gazi University, vol. 24, no. 4, pp. 715–723, 2009.
14. C. Queiroz, A. Mahmood, and Z. Tari, “SCADASim-A Framework for Building SCADA Simulations,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 589–597, 2011.
15. R. Chabukswar, B. Sinópoli, G. Karsai, A. Giani, H. Neema, and A. Davis, “Simulation of Network Attacks on SCADA Systems,” First Workshop on Secure Control Systems, 2010.
16. N. Kakanakov and G. Spasov, “Securing against Denial of Service attacks in remote energy management systems,” Annual Jornal of Electronics, 2011.
17. J. D. Markovic-Petrovic and M. D. Stojanovic, “Analysis of SCADA system vulnerabilities to DDoS attacks,” 11th International Conference on Telecommunications in Modern Satellite, Cable and Broadcasting Services (TELSIKS) ,vol. 02, pp. 591–594, 2013.
18. E. Ciancamerla, B. Fresilli, M. Minichino, T. Patriarca, and S. Iassinovski, “An electrical grid and its SCADA under cyber attacks: Modelling versus a Hybrid Test Bed,” International Carnahan Conference on Security Technology (ICCST), pp. 1–6, 2014.
19. D. Lee, H. Kim, K. Kim, and P.D. Yoo, “Simulated Attack on DNP3 Protocol in SCADA System,” Proceedings of the 31th Symposium on Cryptography and Information Security, Japan, 2014.
20. W. Lootah, W. Enck, and P. McDaniel, “TARP: ticket-based address resolution protocol,” 21st Annual Computer Security Applications Conference, pp. 106–116, 2005.
21. D. Pansa and T. Chomsiri, “Architecture and Protocols for Secure LAN by Using a Software-Level Certificate and Cancellation of ARP Protocol,” Third International Conference on Convergence and Hybrid Information Technology, pp. 21–26, 2008.
22. S. Hong, M. Oh, and S. Lee, “Design and implementation of an efficient defense mechanism against ARP spoofing attacks using AES and RSA,” Elsevier Science Direct, Mathematical and Computer Modelling, vol. 58, no. 1–2, pp. 254–260, 2013.
23. R. Oppliger, R. Hauser, and D. Basin, “SSL/TLS Session-Aware User Authentication—Or How to Effectively Thwart the Man-in-the-Middle,” Computer Communications, vol. 29, no. 12, pp. 2238–2246, 2006.
24. Q. Chen, K. R. Abercrombie, and F. T. Sheldon. “Risk assessment for industrial control systems quantifying availability using mean failure cost (MFC)”, Journal of Artificial Intelligence and Soft Computing Research 5.3 (2015): 205-220.
25. NATO Cooperative Cyber Defence Centre of Excellence, https://ccdcoe.org/about-us.html, March 2016.
26. NIST SP 800-30 v.1 “Guide for Conducting Risk Assessments”, 2012.
27. European Union Agency for Network and Information Security (ENISA), “ENISA Threat Landscape 2015”. Retrieved from https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/etl2015
28. NIST SP 800-53A Revision 4. “Assessing Security and Privacy Controls in Federal Information Systems and Organizations”, 2014.
29. Natıonal Communıcatıons System Technıcal Informatıon Bulletin, “Supervisory Control and Data Acquisition (SCADA) Systems”, NCS TIB 04-1, October 2004.
30. F. Daryabar, A. Dehghantanha, N. I. Udzir, N. F. B. Mohd Sani, and S. Bin Shamsuddin, “Towards secure model for SCADA systems,” Proceedings 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic, CyberSec 2012, pp. 60–64, 2012.
31. Z. J. Zhang, et al., “A survey of SCADA test bed.”, International Journal of Wireless and Mobile Computing 8.1 (2015): 9-14.
32. M. Antolovic, K. Acton, N. Kalappa, S. Mantri, J. Parrott, J. Luntz, J. Moyne and D. Tilbury. “PLC Communication using PROFINET: Experimental Results and Analysis”. Emerging Technologies and Factory Automation, pp. 1-4, 2006. doi: 10.1109/ETFA.2006.355195
33. Siemens Simatic S7-1200 Programmable controller system manual. Retrieved from http://www.generationrobots.com/media/manuel-plc-siemens-s7-en.pdf, March 2016.
34. https://wiki.wireshark.org/PROFINET, March 2016.
35. http://w3.siemens.com/mcms/simatic-controller-software/en/step7/pages /default.aspx, March 2016.
36. https://ettercap.github.io/ettercap/, March 2016.
37. R. Langner, “A Technical Analysis of What Stuxnet’s Creators Tried to Achieve: To Kill a Centrifuge”, 2013. Retrieved from http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf, March 2016.