Testbed Implemented in Hardware


Annarita Giani, UC Berkeley
Bruno Sinopoli & Aakash Shah, Carnegie Mellon University
Gabor Karsai & Jon Wiley, Vanderbilt University
TRUST 2008 Autumn Conference, Nashville Tennessee




SCADA Systems and Security
The TRUST-SCADA Experimental Testbed
Current Implementation
Future Directions




SCADA Systems and Security

• Supervisory Control And Data Acquisition systems are computer-based monitoring tools that are used to manage and control critical infrastructure functions in real time.
• Control Gas Utilities, Power Plants, Oil Refineries, Power Utilities, Chemical Plants, Water Management, Traffic Control Systems, etc.

SCADA Master
• Provides overall monitoring and control of the SCADA system

SCADA Network
• Provides communication between SCADA master and RTUs

Remote Terminal Units (RTUs)
• Local controllers that take commands from SCADA masters
• Can perform simple PID control

Sensors and Actuators
• Provide means of measuring infrastructure parameters and adjusting them




SCADA systems have significant lifetimes
Most were designed without security in mind
Most are now connected to new infrastructure
SCADA systems are difficult to upgrade
• Adding security often means downtime
• SCADA systems contain embedded components
• SCADA networks are customized for each system

Need flexible, robust solutions that secure legacy SCADA systems and shape the design of the next generation




The TRUST-SCADA Experimental Testbed

Assess vulnerabilities of current SCADA implementations
Provide and test solutions to address such vulnerabilities
Test innovative architectural and technological solutions for next generation SCADA
Provide an openly-documented, affordable, and highly flexible testbed for the TRUST community

Modularity:
• Must be able to model several SCADA
  ▪ Processes
  ▪ Network architectures
  ▪ Communications topologies, media, and protocols

Reconfigurability:
• Needs to be easily reconfigurable to test new attack scenarios, solutions

Remote access:
• Should be available to remote users

Accurate modeling:
• Should be a realistic model of a real world process

Software
• SCADA Master Software
• Communication Simulation
• RTU Software
• Hardware Simulation
• Plant Simulation

Hardware
• Servers
• SCADA Master Controller
• Communications Equipment
• RTUs




Current Implementation

[Figure: block diagram. Labels: Gumstix/Linux Computer; setpoints; sensor readings; Robostix Microcontroller; 12 bits of parallel digital data; 8 channels of 12-bit analog data; High Speed I/O Interface; Simulink RTW Plant Model Simulation on xPC]







An adaptation of a publicly available chemical plant model
Runs on xPC Target
4 processes
16 control loops
12 input variables
8 measured outputs
Simulates 1 hour in one second (controllable simulation speed)
[Figure: Simulink block diagram. Block labels: PCI-DDA08/12 (ComputerBoards) Digital Input and Digital Output; ControlBit 0-3; DataBit 0-7; HandshakeIn; AckOut; Bit to Integer Converter; Compare To Constant (== 0 through == 8); Logical Operator (AND); In S/H; ControlVar 1-9 (Out 1-9); Target Scopes ControlScope, HandshakeInScope, DataScope]


Atmel ATMega128 Microcontroller
8 channels of 10-bit A/D
• Used for measuring analog sensor data

Up to 54 channels of digital I/O
• Used for sending actuator setpoints to plant simulation

SCI, IIC
Can run simple PID control loops





Gumstix 400MHz Linux Computer
Runs SCADA Master software
Receives sensor and actuator information from RTUs
Sends setpoints to RTUs
SCI, IIC, Ethernet, Wifi


[Figures: testbed configurations. Panel titles: Locally controlled process; Remotely controlled process; Distributed control using Modbus; Distributed control using Ethernet. Component labels: Gumstix/Linux Computer; Robostix Microcontroller; setpoints (over Modbus); sensor readings (over Modbus); 12 bits of parallel digital data; 8 channels of 12-bit analog data; High Speed I/O Interface; Simulink RTW Plant Model Simulation on xPC]




Future Directions

Finish modular SCADA Testbed
Develop modeling tool for easy configuration of testbed
Model systems and demonstrate vulnerabilities of current SCADA systems
Test solutions to address current vulnerabilities
Test new architectural solutions