Protection of SCADA systems for monitoring and control of power networks has traditionally
been based on the “security-by-obscurity” principle. By using obscure proprietary protocols
for communication on private or leased lines, the idea has been that an attacker is
unlikely to have the knowledge necessary to break into the system. For many decades this
assumption has held true. An unfortunate consequence of adherence to this principle is that
the DSOs and the TSOs are lagging behind the conventional computer world in terms of
implementing new technologies and solutions for the protection of their information and
communication systems. Administrative systems are normally covered by corporate IT
policies and are thus well secured. For the technical support systems, however, this lag is
blatantly evident, as shown for instance in [Fink et al., 2006]. In addition, the
implementation of new technologies for cyber protection is hindered by the long expected
lifetime of the equipment in power systems, which is often about 40 years. Although
monitoring and control equipment does not have such a long life-cycle, the DSOs and the
TSOs tend to be wary of replacing equipment in the field as long as the primary function,
the power distribution, is reliable.
Protection against cyber attacks is today mostly governed by a set of standards and
recommendations, ranging from organisational and policy-related recommendations to
suggestions for the implementation of technical countermeasures. Examples include
CIGRE's joint working group JWG D2/B3/C2.01, which publishes recommendations for
policy-related improvements and technical countermeasures [Electra, 2004-2006abc].
Similar recommendations can be found in the IntelliGrid architecture [IntelliGrid] and in a
technical report from the IEC TC57 [IEC TC57]. The most notable recommendation is
NERC-CIP 09-002, which again provides recommendations on securing systems. Common
to all the above initiatives is that they recommend the implementation of security solutions
that are already available within the ICT industry, such as various levels of encryption
including key management, strong authentication mechanisms, redundant communication
paths for the avoidance of DoS attacks, etc. Regarding technical solutions specific to the
protection of electric power systems, the main initiative is the set of security profiles for the
SCADA communication protocols developed within IEC TC57. These security profiles are
focused on the implementation of encryption services for the most commonly used
IEC-based SCADA communication protocols.
It is important to note that these new standards and recommendations are still far from being
commonplace in the latest generation of SCADA and substation automation systems,
meaning that they are even further away from being implemented in operational systems.
Furthermore, cryptographic schemes work under the assumption that an attacker is not able
to physically access hardware. This assumption may fail in the case of SCADA systems,
since the network and the connected hardware systems are generally left unattended after
deployment. In addition, currently used sensory hardware is not resistant to physical
tampering. If an adversary captures a sensor, he can easily extract the cryptographic
primitives and keys, as well as exploit the shortcomings of the software implementation
[Electra, 2006bc]. Even if the hardware that emits sensor data is kept secure, a skilful
attacker can intercept this stream and perform decryption. Once the adversary has obtained
the cryptographic keys, he is able to access the sensory data in order to modify or exploit it.
Therefore, we cannot exclusively rely on traditional cryptographic protocols to protect the
security of SCADA systems. This motivates the need for an Intrusion Detection System
(IDS), i.e., an application-level module able to detect and to take the right countermeasures
against an attacker who is trying to forge the cryptographic scheme.
Data can be corrupted due to various causes, ranging from an explicit attack to a
fault in the hardware of the sensing unit. A well-designed monitoring system should be able
to identify, with high probability, the specific cause of data corruption. Data reliability can
be defined as ensuring that messages, data, and communications are not tampered with while
in transit or in storage. Given the criticality of a SCADA system, sensors must operate with
high reliability so that the collected data is suitable for taking appropriate actions.
Consequently, the robustness of the system is affected by multiple factors, such as altering
of the collected/routed data, denial of service attacks, insertion of incorrect data, and bad
measurements due to noisy sensors and hardware malfunction.
Different design approaches can be adopted for the IDS implementation. However, a
common issue is the characterization of good network data through the design of suitable
rules, filters and estimators that are capable of distinguishing good data from corrupted data.
Data aggregations through robust estimation methods or using Dempster-Shafer theory,
MLE techniques, or Bayesian approaches, provide indications about the reliability of
sensory data. This is a critical task, especially when applied to false alarm detection and
real-time alarm transmission across systems (alarm reliability). Given the very particular
structure of SCADA systems, the design of effective IDSs, which should combine the
physical infrastructure with wired and wireless networks, is still an open problem.
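As an added illustration of the data-reliability idea in the two paragraphs above (example code, not part of the Viking proposal), the following Python takes redundant readings of one bus voltage and uses a median/MAD (Hampel) estimator to separate a sensor that persistently disagrees with its peers from one that is only occasionally noisy. The sensor values, the 0.05 kV noise floor and the 80% persistence threshold are constructed assumptions.

```python
from statistics import median

MAD_SCALE = 1.4826  # scales MAD to sigma for Gaussian noise


def robust_estimate(readings):
    """Median and MAD-based sigma of one scan of redundant readings."""
    m = median(readings)
    mad = median(abs(x - m) for x in readings)
    return m, MAD_SCALE * mad


def flag_outliers(readings, k=3.0, noise_floor=0.05):
    """True for each reading more than k robust sigmas from the median.

    noise_floor (assumed rated sensor noise, kV) keeps a near-zero MAD from
    flagging healthy sensors when the majority happen to agree exactly.
    """
    m, sigma = robust_estimate(readings)
    sigma = max(sigma, noise_floor)
    return [abs(x - m) > k * sigma for x in readings]


def assess_sensors(history, k=3.0, noise_floor=0.05, persistent=0.8):
    """history: one list of readings per scan, same sensor order in each.

    Verdict per sensor: 'suspect' if flagged in >= `persistent` of the scans
    (consistent bias, e.g. tampered or stuck), 'noisy' if flagged only
    sometimes, 'ok' if never flagged.
    """
    hits = [0] * len(history[0])
    for scan in history:
        for i, bad in enumerate(flag_outliers(scan, k, noise_floor)):
            hits[i] += bad
    verdicts = []
    for h in hits:
        frac = h / len(history)
        verdicts.append("suspect" if frac >= persistent else "noisy" if h else "ok")
    return verdicts


# Constructed sample: 5 sensors, 5 scans of a 132 kV bus. Sensor index 3
# reports a constant 4 kV offset; sensor index 4 has one spurious spike.
SAMPLE = [
    [132.0, 132.1, 131.9, 128.0, 132.0],
    [132.1, 132.0, 132.0, 128.1, 132.1],
    [131.9, 132.0, 131.9, 127.9, 134.5],
    [132.0, 132.1, 132.0, 128.0, 132.0],
    [132.0, 131.9, 132.1, 128.0, 131.9],
]

if __name__ == "__main__":
    print(assess_sensors(SAMPLE))
```

The fourth scan has a MAD of zero, which is exactly the case the noise floor guards against; without it every sensor off the median by 0.1 kV would be flagged.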
We will investigate and develop techniques for the detection of data anomalies and
suspicious traffic due to malicious tampering, or sensing node malfunction and provide
models for expected system behaviours under such conditions. We will apply and further
develop novel tracking techniques such as the ones developed at Dartmouth College
[Cybenko et al., 2005] and at Berkeley [Souza et al., 2007].