Ai Onda - Poster - Texas Tech University Departments



A Critical Infrastructure Testbed for Cybersecurity Research and Education

Ai Onda, Kalana Pothuvila, Joseph Urban, and Jordan Berg
Texas Tech University
2013 National Science Foundation Research Experiences for Undergraduates Site Project

Abstract

Awareness of cybersecurity in critical infrastructure is imperative because critical infrastructures are vital to our economy and public safety. Supervisory Control and Data Acquisition (SCADA) systems are networks of computers that monitor and control industrial machines and processes, and they are prevalent in critical infrastructures. Unfortunately, SCADA systems are vulnerable to cybersecurity threats, giving an opening to attacks. Testbeds provide a safe environment in which to observe how attacks occur and their possible effects on a real system. In this project, a simple and reconfigurable testbed was created and attacked for the purpose of research and education in this area of vital national importance. The initial focus of the testbed attacks was on industrial control system attacks; under this approach, the attacker has already breached the Information and Communications Technology (ICT) security measures and is preparing to compromise the industrial control network. The testbed includes three modules: the Local Area Network (LAN), a serial Modbus/RTU Programmable Logic Controller (PLC) network, and a Modbus/TCP to Modbus/RTU translation gateway. We attacked the sensors and motors by ping flooding. The sensors and motors timed out, causing the Human Machine Interface (HMI) to lose connection with them. The testbed and related attack methods will be used by educational institutions for lab courses concerning cybersecurity in critical infrastructures, increasing critical infrastructure awareness and security skills in future generations of cybersecurity professionals.


Introduction

• Critical infrastructure is vital to our economy and public safety
• Supervisory Control and Data Acquisition (SCADA) systems
  • Are networks of computers that monitor and control industrial machines and processes
  • Are vulnerable
• Vulnerabilities include insecure protocols, lack of program updates, and access from the Internet [1, 2]
• Increase in critical infrastructure espionage and sabotage attacks: “Repository of Industrial Security Incidents (RISI), which records cyber security incidents directly affecting SCADA and process control systems, shows the number of incidents increasing by approximately 20% a year over the last decade” [3]
• Testbeds provide insight into the causes and effects of attacks on a system, and as a result, enhance awareness of the current state of industrial control systems security

Objectives

• Create a simulation testbed that
  • Uses different industrial vulnerabilities and protocols
  • Allows for quick emulation of different attack situations
  • Simulates an Internet-connected SCADA system
• Design attacks for the testbed by reviewing and analyzing existing attack techniques

Modbus Family of Protocols

• Modbus: simple master and slave relationship. The master sends a packet containing a function code and data to the slave; the slave responds with a packet containing the same function code and different data.
• Variations of Modbus: serial Modbus (Modbus/RTU and Modbus/ASCII) and Modbus/TCP

Modbus/RTU Packet Structure [4]

Start | Slave ID (1 byte) | Function Code (1 byte) | Data (varies) | CRC Checksum (2 bytes) | End

Modbus/TCP Packet Structure [5]

IP | TCP | Transaction ID (2 bytes) | Protocol ID (2 bytes) | Length (2 bytes) | Slave ID (1 byte) | Function Code (1 byte) | Data (varies)

Testbed System

[Figure: testbed diagram showing the Motor and Sensor nodes. Images: “ArduinoUnoFront.jpg,” Arduino, [Online]. Available: http://arduino.cc/en/Main/arduinoBoardUno [Accessed: July 2013]; “C000drd_small.jpg,” PLC Direct Benelux, [Online]. Available: http://www.plcdirect.eu/EN/script/P_products-detail.asp?ID=5344 [Accessed: July 2013].]

Ping

Before ping flooding motor. All packets received by the motor with an average round trip time of 1 ms.
Before ping flooding sensor. All packets received by the sensor with an average round trip time of 2 ms.
After ping flooding motor. “Request timed out.” All packets lost.
After ping flooding sensor. “Request timed out.” All packets lost.
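The two packet diagrams above describe the fields that a Modbus/TCP to Modbus/RTU translation gateway (the third testbed module, still under construction in Methods) has to add and remove. The following is an added example written for this page; it is not code from the poster or from the simple-modbus library. It builds and validates frames in both formats, computes the RTU CRC-16, and performs the translation in both directions. The sample bytes are constructed (a "read holding registers" request to slave 1); the function names are the example's own.

```python
"""Modbus/RTU and Modbus/TCP framing plus the TCP <-> RTU translation a gateway performs.

Added example, not from the poster or the simple-modbus library. Field layout
follows the RTU and TCP packet diagrams on the poster. Sample bytes are constructed.
"""
import struct

MODBUS_PROTOCOL_ID = 0  # the Protocol ID field is always 0 for Modbus/TCP


def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by Modbus/RTU: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu(slave_id: int, function_code: int, data: bytes) -> bytes:
    """Slave ID (1) | Function Code (1) | Data | CRC (2, low byte first)."""
    body = bytes([slave_id, function_code]) + data
    return body + struct.pack("<H", crc16_modbus(body))


def rtu_frame_is_valid(frame: bytes) -> bool:
    """True when the frame is long enough and its trailing CRC matches the body."""
    if len(frame) < 4:
        return False
    return crc16_modbus(frame[:-2]) == struct.unpack("<H", frame[-2:])[0]


def parse_rtu(frame: bytes) -> dict:
    """Split a CRC-checked RTU frame into its fields; reject corrupted or forged frames."""
    if not rtu_frame_is_valid(frame):
        raise ValueError("RTU frame too short or CRC mismatch")
    return {"slave_id": frame[0], "function_code": frame[1], "data": frame[2:-2]}


def build_tcp(transaction_id: int, slave_id: int, function_code: int, data: bytes) -> bytes:
    """MBAP header Transaction ID (2) | Protocol ID (2) | Length (2) | Slave ID (1), then PDU."""
    pdu = bytes([function_code]) + data
    length = 1 + len(pdu)  # Length counts the Slave ID and everything after it
    return struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, length, slave_id) + pdu


def parse_tcp(packet: bytes) -> dict:
    """Validate the MBAP header and split a Modbus/TCP payload into its fields."""
    if len(packet) < 8:
        raise ValueError("Modbus/TCP packet too short")
    tid, pid, length, slave_id = struct.unpack(">HHHB", packet[:7])
    if pid != MODBUS_PROTOCOL_ID:
        raise ValueError("not a Modbus/TCP packet")
    if length != len(packet) - 6:
        raise ValueError("Length field disagrees with packet size")
    return {"transaction_id": tid, "slave_id": slave_id,
            "function_code": packet[7], "data": packet[8:]}


def tcp_to_rtu(packet: bytes) -> bytes:
    """Gateway direction LAN -> serial: drop the MBAP header, append the CRC."""
    f = parse_tcp(packet)
    return build_rtu(f["slave_id"], f["function_code"], f["data"])


def rtu_to_tcp(frame: bytes, transaction_id: int) -> bytes:
    """Gateway direction serial -> LAN: verify and strip the CRC, prepend an MBAP header
    carrying the Transaction ID of the request being answered."""
    f = parse_rtu(frame)
    return build_tcp(transaction_id, f["slave_id"], f["function_code"], f["data"])


if __name__ == "__main__":
    # Constructed sample: read 1 holding register at address 0 from slave 1.
    request = build_tcp(transaction_id=7, slave_id=1, function_code=0x03,
                        data=struct.pack(">HH", 0, 1))
    print("TCP request :", request.hex(" "))
    print("RTU request :", tcp_to_rtu(request).hex(" "))   # 01 03 00 00 00 01 84 0a
    # Constructed sample reply from the slave: byte count 2, register value 0x1234.
    reply = build_rtu(1, 0x03, bytes([0x02, 0x12, 0x34]))
    print("TCP reply   :", rtu_to_tcp(reply, 7).hex(" "))
```

The CRC check in parse_rtu is the only integrity protection the serial side has, and neither format authenticates the master; that is the "insecure protocols" item from the Introduction, and it is why the gateway is the natural place for a defender to enforce which LAN hosts may send which function codes to which slave IDs.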

DISCLAIMER: This material is based on work supported by the National Science Foundation and the Department of Defense under grant No. CNS-1263183. Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation or the Department of Defense.

Methods


Modbus/RTU PLC network
• Created communication between two slave PLCs and a master PLC using the built-in Modbus/RTU protocol, uploading a ladder logic program to the master PLC
• Created communication between a master microcontroller and a slave microcontroller using the Modbus/RTU library for Arduino, “simple-modbus” [6]

Gateway
• Determining how to physically connect the PLC to the gateway microcontroller

Attack
• Performed ping flood on motor and sensor with “sudo ping -f [IP Address]”
• Creating a packet flooder in Java that generates different types of packets, including ICMP, UDP, and SYN

Summary


Results
• PLC network completed
• Disrupted service through ping flooding motor and sensor
• Incoming and outgoing channels congested with ICMP Echo packets from the client and ICMP Echo Reply packets from the server
• HMI cannot connect with motor and sensor during attack
• HMI connects with motor and sensor after stopping attack
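The results describe two observable symptoms of the flood: a burst of ICMP Echo traffic toward one device, and the HMI's own requests going unanswered. Both can be detected from a packet record before the firewall listed under Future Work is in place. The following is an added example for this page, not code from the poster: it reads constructed capture lines of the form "seconds src dst proto type" (the addresses, the 1 pps HMI polling rate and the alert thresholds are assumptions), flags any source whose echo-request rate toward a single destination exceeds a sliding-window threshold, and counts requests that never received a reply.

```python
"""Detecting an ICMP echo flood and the resulting loss of HMI connectivity from packet records.

Added example, not from the poster. Capture lines are constructed; addresses and
thresholds are assumptions for a network where the HMI polls devices once per second.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0       # assumption: sliding-window length
MAX_ECHO_PER_WINDOW = 20   # assumption: far above any legitimate monitoring rate

# Constructed capture. 10.0.0.5 is the HMI, 10.0.0.20 the motor controller,
# 10.0.0.9 a LAN host that starts flooding at t = 3 s. The motor answers the flood
# (both channels congested, as in the results) but stops answering the HMI.
_HMI_LINES = """\
0.00 10.0.0.5 10.0.0.20 icmp echo-request
0.00 10.0.0.20 10.0.0.5 icmp echo-reply
1.00 10.0.0.5 10.0.0.20 icmp echo-request
1.00 10.0.0.20 10.0.0.5 icmp echo-reply
2.00 10.0.0.5 10.0.0.20 icmp echo-request
2.00 10.0.0.20 10.0.0.5 icmp echo-reply
3.00 10.0.0.5 10.0.0.20 icmp echo-request
4.00 10.0.0.5 10.0.0.20 icmp echo-request
"""
_FLOOD_LINES = "".join(
    f"{3.0 + i * 0.01:.2f} 10.0.0.9 10.0.0.20 icmp echo-request\n"
    f"{3.0 + i * 0.01:.2f} 10.0.0.20 10.0.0.9 icmp echo-reply\n"
    for i in range(150)
)
CAPTURE = _HMI_LINES + _FLOOD_LINES


def parse_capture(text):
    """Parse 'seconds src dst proto type' lines into tuples sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, kind = line.split()
        records.append((float(ts), src, dst, proto, kind))
    records.sort(key=lambda r: r[0])
    return records


def detect_icmp_floods(records, window=WINDOW_SECONDS, threshold=MAX_ECHO_PER_WINDOW):
    """One alert per (src, dst) pair whose echo-request count within any `window`
    seconds exceeds `threshold`; the alert carries the time the threshold was crossed."""
    recent = defaultdict(deque)   # (src, dst) -> request timestamps inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, proto, kind in records:
        if proto != "icmp" or kind != "echo-request":
            continue
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"time": ts, "src": src, "dst": dst, "count": len(q)})
    return alerts


def unanswered_echo_requests(records, timeout=1.0):
    """Count echo-requests per (src, dst) with no echo-reply within `timeout` seconds.
    A rising count for the HMI's own pings is the 'Request timed out' symptom."""
    replies = defaultdict(list)   # keyed by the direction of the original request
    for ts, src, dst, proto, kind in records:
        if proto == "icmp" and kind == "echo-reply":
            replies[(dst, src)].append(ts)
    lost = defaultdict(int)
    for ts, src, dst, proto, kind in records:
        if proto == "icmp" and kind == "echo-request":
            if not any(ts <= r <= ts + timeout for r in replies[(src, dst)]):
                lost[(src, dst)] += 1
    return dict(lost)


if __name__ == "__main__":
    recs = parse_capture(CAPTURE)
    for a in detect_icmp_floods(recs):
        print(f"ALERT t={a['time']:.2f}s {a['src']} -> {a['dst']}: "
              f"{a['count']} echo-requests in {WINDOW_SECONDS}s")
    for (src, dst), n in unanswered_echo_requests(recs).items():
        print(f"{src} -> {dst}: {n} echo-requests unanswered")
```

In the constructed capture the flood source trips the rate alert 0.2 s into the flood, while the HMI path shows two unanswered requests and is never flagged as a flooder, which is the distinction a rule on the Future Work firewall has to make: rate-limit echo requests from the LAN toward control devices without blocking the HMI's own polling.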

Future Work

• Complete gateway that translates Modbus/TCP to Modbus/RTU
• Complete packet flooder to observe effects of different packet types on testbed
• Implement methods other than Denial of Service attacks, including attacks to achieve pre-determined results
• Incrementally increase difficulty of attacks and place firewall in testbed to prevent ping flood

References

[1] Huitsing, P., Chandia, R., Papa, M., and Shenoi, S., “Attack taxonomies for the Modbus protocols,” International Journal of Critical Infrastructure Protection, vol. 1, pp. 37-44, Dec. 2008.

[2] Fovino, I., Carcano, A., Masera, M., and Trombetta, A., “An experimental investigation of malware attacks on SCADA systems,” International Journal of Critical Infrastructure Protection, vol. 2, no. 4, pp. 139-145, Dec. 2009.

[3] Staggs, K., and Byres, E., “Cyber wars,” Hydrocarbon Eng., Oct. 2010.

[4] MODICON, Inc., “Modicon Modbus Protocol Reference Guide,” The Modbus Organization, June 1996, [Online]. Available: http://modbus.org/docs/PI_MBUS_300.pdf [Accessed: July 2013].

[5] “Modbus TCP/IP,” Simply Modbus, [Online]. Available: http://www.simplymodbus.ca/TCP.htm [Accessed: July 2013].

[6] Bester, J., “simple-modbus,” Google Code, [Online]. Available: https://code.google.com/p/simple-modbus/ [Accessed: July 2013].