Cyber Threat Assessment and Mitigation for Power Grids
Lloyd Wihl, Director, Application Engineering, Scalable Network Technologies
lwihl@scalable-networks.com
The Need
OT security, particularly in the electricity sector, has relied on obscurity and specialization to keep threat actors from disrupting operations. Cyber-connected OT devices have significantly improved automation and efficiency, but they also introduce vulnerabilities: every communication line is an attack surface. Each attack vector's modus operandi and impact is best assessed in a lab-based simulation environment, without imposing risk on the actual systems. Unfortunately, the testbed development process is not well established, because of the complexity of integrating cyber and physical resources while also incorporating realistic simulations of physical systems, control systems, cyber-attacks, protocol vulnerabilities, data communication timing and network dynamics.
Cyber-Physical Vulnerabilities That Can Be Exploited (diagram)
Typical Exploitation Path (diagram)
Common Attack Vectors
- Backdoors and holes in the network perimeter
- Exploitation of vulnerabilities in SCADA protocols
- Communications hijacking and man-in-the-middle attacks
- Database attacks
- Bogus input data to the controller, introduced by compromised sensors and/or an exploited network link between the controller and the sensors
- Manipulated and misleading output data from the controller to the actuators/reactors, due to a compromised network link between the controller and the actuators
- Attacks on timing and synchronization
Key Challenges and Opportunities
Tight time constraints on addressing attacks largely rule out human-in-the-loop solutions. This drives the need for continuous, autonomous, real-time monitoring, detection and response. Though the nature of SCADA introduces many cybersecurity challenges, it also presents some opportunities that may enable novel approaches to securing these systems, or make viable approaches that are difficult to implement in the more open world of IT systems. The laws of physics constrain the operation of SCADA-controlled processes, so the normal behavior range of a given physical system is often well understood. This makes anomaly detection and control easier: the process parameters can be modeled, and the model of the system's dynamics can be used to detect a compromised node or identify out-of-norm behavior. Because the dynamics are more limited, it is also possible to use models that adjust the connectivity of a system based on its criticality and known mission needs.
Cyber Threat Assessment System
SCALABLE's EXata: Network Emulation
- Command-line and GUI: design, visualize, analyze
- Virtual protocol stacks
- Hardware-in-the-loop and external interfaces
- Wireless channel, mobility and terrain models
- Kernel for simulation and emulation
- Packet sniffer and SNMP interfaces
EXata Overview (diagram)
The wireless network is emulated in EXata, with three kinds of external connection:
1. Real applications (streaming video, chat/IM, Internet browsers, VoIP, sensors, situational awareness, tactical communications) connected through the EXata Connection Manager
2. Real devices and the Internet connected via SNMP
3. A packet sniffer interface (Wireshark, Microsoft Network Monitor) and an interface to other simulations, running parallel to the core
EXata Connection Manager: connecting real applications to EXata nodes
- Runs on one or more computers (the "operational hosts")
- Dynamically maps an entire computer, or specific applications, to EXata nodes
- Applications then undergo the network effects of the EXata nodes they are mapped to
EXata Demo
Integrated Demo (diagram: master, cyber attack, slave)
Cyber Attack Framework (examples)
Attack models encompassing the protocol stack (Application, Transport, Network, MAC, Physical), wired and wireless:
- Defensive Breach Framework: firewall models; interface with attack generators and IDS
- Routing Misconfig Framework
- Eavesdropping Framework: sniffing and passive traffic analysis
- Signals Intelligence Framework
- Physical Attack Framework: physical attacks
- Denial of Service Framework: OS resource modeling; resource depletion modeling
- Wireless Jamming Framework: barrage noise jamming; silent 802.11 MAC jammer; sweep jamming
Emulated Network Affects Live Traffic
Cyber attack models:
- Network security: firewalls; port and network scanning; eavesdropping; jammers; denial of service; stimulate intrusion detection systems; signals intelligence
- Operating system resource models: vulnerability exploitation; virus attacks; worm and virus propagation; antivirus; backdoors, rootkits
- Host models: botnets; security logs and audit trails; coordinated attacks; adaptive attacks
(Figure: synchrophasor traffic from source, through the emulated cyber network under attack, at destination)
EXata and OPAL-RT: Cyber Threat Assessment and Mitigation Test Team (diagram)
SCADA defenses: attack surface reduction; anomaly-based IDS; connectivity adjustment; multiple-viewpoint comparison; adaptation algorithms; time-varying reactions; isolation/shutdown strategies; control channel defense; dynamics modeling; code verification; reprogramming control devices
SCADA attacks: reconnaissance, fingerprinting; authentication bypass, replay; bogus sensor inputs; modified controller outputs; time synchronization
At-scale SCADA system model: connectivity, protocols, device models, access control, perimeter controls, firewalls, control and sensor data, physical process state
Hardware in the loop: physical controller mapped (HWIL); physical RTU mapped (HWIL); physical system dynamics
Outputs: logging, attack progression, cyber and physical metrics
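The physics-constrained anomaly detection described under Key Challenges and Opportunities, and the anomaly-based IDS and dynamics-modeling defenses against bogus sensor inputs and replay listed in the test-team diagram above, as an added example. This is not code from the original deck and not SCALABLE or OPAL-RT code. It assumes a hypothetical first-order plant model; the constants A, B, both tolerances and the input data are assumptions chosen for illustration. The key design point is that the controller's own record of the commands it issued is a second viewpoint that an attacker sitting on the sensor link cannot see, so a replayed steady-state reading is caught the moment the plant should have started responding to a new setpoint.

```python
"""Model-based (physics-constrained) anomaly detector for a SCADA sensor channel.

Added example; not from the original deck and not SCALABLE/OPAL-RT code.
The process model, constants and input data are assumptions for illustration:
a hypothetical first-order plant
    x[k+1] = A * x[k] + B * u[k]
where x is the physical state the sensor reports (e.g. a bus voltage in p.u.)
and u is the setpoint the controller sent.
"""

A = 0.9              # process pole (assumed)
B = 0.1              # actuator gain (assumed); steady state is x = u
MAX_RESIDUAL = 0.02  # model-vs-reading tolerance (assumed; tune from plant noise)
MAX_SLEW = 0.1       # largest change the actuator can cause per sample (assumed)


def predict(x_prev, u_prev):
    """One step of the assumed plant dynamics."""
    return A * x_prev + B * u_prev


def detect_anomalies(readings, commands):
    """Flag sensor samples the physics cannot explain.

    readings[k]: value the controller received from the sensor at step k
    commands[k]: setpoint the controller actually issued at step k
    Returns a list of dicts {"k", "reasons", "residual"} for suspect steps.

    x_hat is the detector's trusted state estimate. When a sample is rejected
    the estimate coasts on the model instead of adopting the suspect reading,
    so one bogus sample does not poison the prediction for the next step.
    """
    flagged = []
    x_hat = readings[0]
    for k in range(1, len(readings)):
        expected = predict(x_hat, commands[k - 1])
        residual = readings[k] - expected
        reasons = []
        # Check 1: the reading disagrees with the dynamics driven by the
        # command the controller knows it sent.
        if abs(residual) > MAX_RESIDUAL:
            reasons.append("model-residual")
        # Check 2: the reading moved faster than the actuator physically can,
        # whatever the command said.
        if abs(readings[k] - x_hat) > MAX_SLEW:
            reasons.append("slew-rate")
        if reasons:
            flagged.append({"k": k, "reasons": reasons, "residual": round(residual, 4)})
            x_hat = expected
        else:
            x_hat = readings[k]
    return flagged


def build_scenario(attacked=True, steps=25):
    """Constructed data (not a real capture): 25 samples of a control loop.

    The operator raises the setpoint from 1.0 to 1.5 at k=12. With attacked=True:
      - k=5:   a compromised RTU injects one bogus sample of 1.3
      - k>=13: the sensor link replays the pre-change steady state (1.0), so
               the controller never sees the plant respond to its new command.
    """
    readings, commands = [], []
    x = 1.0                          # true physical state
    for k in range(steps):
        u = 1.0 if k < 12 else 1.5
        if attacked and k == 5:
            y = 1.3
        elif attacked and k >= 13:
            y = 1.0
        else:
            y = x
        readings.append(y)
        commands.append(u)
        x = predict(x, u)            # the real plant follows the real command
    return readings, commands


if __name__ == "__main__":
    for label, attacked in (("healthy", False), ("attacked", True)):
        r, c = build_scenario(attacked)
        print(label, detect_anomalies(r, c))
```

On the healthy run nothing is flagged. On the attacked run the injected sample at k=5 trips both checks, and every replayed sample from k=13 onward trips the model-residual check because the expected state keeps diverging from the frozen reading. In a real deployment the tolerances would come from the plant's measured noise and the model from the engineering data that the at-scale SCADA system model already carries.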
SCALABLE and OPAL-RT Integrated Value
- Engineering-level network emulation to predict network behavior under attack
- Ability to scale to represent the entire network
- Integration of the emulated network with equipment and power grid dynamics simulation
- Run what-if scenarios about critical infrastructure under cyber-attack without threatening operations
- Assess the effectiveness of tools, techniques and architectures for ensuring system availability
- Measure and improve system resiliency
THANK YOU
Demo in the lobby
SCALABLE Network Technologies: Los Angeles, CA; Miami, FL; Montreal, QC
lwihl@scalable-networks.com
scalable-networks.com