2013 46th Hawaii International Conference on System Sciences. 1530-1605/12 $26.00 © 2012 IEEE. DOI 10.1109/HICSS.2013.176

Developing a Critical Infrastructure and Control Systems Cybersecurity Curriculum

Matthew E. Luallen, DePaul University, [email protected]

Jean-Philippe Labruyere, DePaul University, [email protected]

Abstract

This paper discusses the initial course development, portable living laboratory environment, student achievements and course revisions for an undergraduate and graduate level critical infrastructure and control systems cybersecurity curriculum. The curriculum developed is based upon DePaul University’s Computer and Network Security (CNS) 366 / 466 delivered during the Spring 2011, Fall 2011 and Spring 2012 quarters and collaborative industry partnerships. The educational methods employed in the curriculum provide the students with hands-on, cognitive experiences associated with production control system equipment. The critical infrastructure testbed projects coupled with the rapid prototyping environment provide faculty and students with real world associations leading to increased risk analysis accuracy and knowledge conveyance. The curriculum may be used at other institutions to cross-educate computer science and security disciplines with traditional engineering programs and become associated within the current partnership of industry and academic institutions leveraging the curriculum.

1. Introduction

Since President Bill Clinton signed Executive Order 13010¹ on July 15, 1996, the United States of America, as well as nations around the world, have attempted to focus on identifying and protecting national critical infrastructure from both physical and cyber attacks. Critical infrastructure as defined by the Department of Homeland Security is “… essential to the nation's security, public health and safety, economic vitality, and way of life.” The United States of America’s version of critical infrastructure began as eight categories and has now increased to eighteen. Of the current eighteen critical infrastructures defined in the United States National Infrastructure Protection Plan [1], eleven of them include the direct usage of industrial control systems to automate their functionality. These industrial control systems have migrated from proprietary closed operating environments to include more contemporary computing technologies based on TCP/IP connectivity, increasing the prospects of successful attacks against national critical infrastructure. The increasing number of identified vulnerabilities, the potential presence of threats within control environments and nations announcing cyber-offensive units with the ability to target critical infrastructure control systems reveal the need for a well-defined curriculum. A curriculum is necessary to empower the next generation of cybersecurity professionals, engineers and executive leadership who will be managing, building and operating these environments.

¹ http://www.fas.org/irp/offdocs/eo13010.htm

2. Survey of Critical Infrastructure and Control System Cybersecurity Courses

The idea of creating a course in Critical Infrastructure and Control Systems (CICS) security originally came from faculty discussions pertaining to the growing threat to these critical resources and the lack of education in the workforce to protect them. The systems used to control them were not originally designed for an open communication world and are at best ill adapted to withstand the complexity and destructiveness of IP-based attacks. Aiding in the decision process, in November 2010 a faculty member attended the NIETP CAE pre-conference workshop on Control Systems Security in St Louis. It was apparent from discussions that very few education initiatives existed and the need for additional course development and workforce training was acute. One of the issues is that control system setup and deployment are often taught at the community college level in programs focusing on automation and factory/industrial controls, but to an audience not exposed to open systems, IP connectivity or cybersecurity aspects. Conversely, the cybersecurity-aware audience of Bachelor's or Master's students in a Computer Science (or related) security degree or concentration typically has little to no access to ICS security and its unique challenges. Initial research and surveys identified several resources and courses that focus on or cover in detail ICS/CI security:

• US-CERT Control Systems Security Program [2] offers a few courses ranging from 1 to 5 days of training. A total of 7 days (56 hours) of training (equivalent to a full college course) could be achieved by taking the full sequence 201-202-301.

• Idaho National Lab National SCADA TestBed (NSTB) [3] also provides education for IT and control system managers and operators that includes introductory and intermediate classroom-based courses, and also offers a 5-day advanced SCADA security red/blue team course based on hands-on exercises.

• University of Texas San Antonio - IS 4513/6433- Securing SCADA Systems

• Other for-profit training organizations also offer some targeted training on ICS security (e.g. SANS SCADA Summit, Intense School, Infosec Institute, Red Tiger Security)

In addition to the courses above, there are many SCADA educational programs, partnerships and research laboratories in academia, such as:

• Mississippi State University Center for Computer Security Research [4] has been a leader in information security education and also has a strong focus on ICS/CI

• The Southeast Region Research Initiative [5] includes university partners in seven states actively engaged in CI and industrial cybersecurity

• Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) [6] academic research consortium

• Workshops at security conferences (e.g. CISSE, EnergySec, NESCO) also focus on ICS/CI security

DePaul University’s CNS 366/466 [7] began as a "special topics course" and, after showing regular interest from the students, it became integrated into the DePaul curriculum. It is likely that other institutions also have similar courses classified as "special topics", but they are difficult to identify.

3. Course Facilitation, Course Curriculum, and Laboratory Equipment and Exercises

The course materials, equipment and facilitation process for the first course offering during the spring of 2011 proved to be very difficult to assemble. Very few academic courses could be leveraged as guidance for course development. Department of Energy national laboratories, the National Institute of Standards and Technology, the Department of Homeland Security and the Industrial Control System Computer Emergency Response Team provided the best, if fragmented, set of resources to assemble. The pedagogical goal was to provide course reading and viewing materials, reinforced with course lectures and hands-on laboratories exploring real-world security challenges. This goal could only be achieved through the appropriate alignment of well-facilitated course materials with the correct curriculum, lectures, videos and hands-on assignments.

3.1. Course Facilitation

Course facilitation was very important to ensure students successfully understood the concepts delivered in the course and gained not just knowledge but new skills. The course combined new concepts, leveraged untested course materials and was delivered to undergraduate and graduate level students. Each quarter began with questionnaires given to each student to assess their skillsets as well as to get an understanding of what each student expected from the course. These surveys changed dramatically from the first quarter to the most recent in order to sufficiently represent the skillsets needed to form the student teams. The most recent questions asked of the students are shown in Table I.

TABLE I. STUDENT QUESTIONNAIRE

Domain: Questions

CI/KR Awareness: Do you work within a sector of a nation’s critical infrastructure or key resources? Are you aware of critical infrastructure plans (e.g. the United States National Infrastructure Protection Plan (NIPP))?

Control Systems: Have you ever programmed a Programmable Logic or Automation Controller (PLC/PAC)? Have you ever analyzed a control system environment for cybersecurity risk?

Cybersecurity: Are you aware of the ICS-CERT? How would you rate your cybersecurity skills on a scale of 1 to 10?

Operations: Have you developed or managed cybersecurity policies?

Engineering: Have you ever taken an electrical engineering course? Have you ever taken a mechanical engineering course? Have you ever taken an industrial engineering course? How would you rate your engineering skills on a scale of 1 to 10?

General: What would you like to learn from this course? Why did you enroll in this course?

The existing questionnaires ask questions to gauge the current knowledge and skills of the students to form the teams used to perform the hands-on laboratory exercises. These exercises draw upon programming, electronics, mechanical, industrial and cybersecurity skills and it is important that each team be well balanced to allow assignment delegation and success.

3.2. Course Curriculum

The choices of previously developed curriculum pertaining to cybersecurity of control systems were limited to textbooks and materials that were either very old or very new, or that were not developed for academic settings. The greatest challenge was to identify course content that would supply the appropriate critical infrastructure and control system background topics while introducing the more recently discussed cyber and cyber-physical threat assessment models and mitigating controls. Ultimately, the choices at the time of the first course offering limited the selection to two textbooks, SCADA: Supervisory Control and Data Acquisition, 4th Edition by Stuart A. Boyer and Cybersecurity for SCADA Systems by William T. Shaw. Readings from these books were assigned before each lecture and combined with pre-class video assignments and in-class lecture material.

3.3. Laboratory Equipment and Exercises

Course lectures and readings were reinforced with hands-on laboratory kits providing a common networked Programmable Logic Controller; sensors and actuators represented by toggle switches, momentary push buttons and indicator lights; ladder-logic programming software; and HMI software. Teams of students combined from both undergraduate and graduate sections were each equipped with their own portable laboratory equipment to explore, as shown in Figure 1.

Figure 1. Portable Living Laboratory Kit

The exploratory process included several hands-on exercises to learn the technician’s, operator’s, attacker’s and defender’s roles within a control system environment. The hands-on laboratory exercises as shown in Table II requested the students to perform several activities using the laboratory equipment.

TABLE II. HANDS-ON EXPLORATORY LAB EXERCISES

Exercise: Description

PLC relay logic: Assess students’ ability to set up a technician’s programming environment and program simple logic

Attack a PLC: Assess a control system component’s operational, physical and cyber vulnerabilities and mitigating controls

Wireshark analysis of communication between a PLC and HMI: Assess communication protocols used within control systems

Attack control system communication and operator console: Assess students’ ability to perform UDP and TCP MitM attacks and supporting mitigating controls

The students from the first quarter were given the assignment but not provided with the tools or logic to perform the task. The second and third quarter students were each given the results of the previous quarters to build upon the exploratory exercises. The exercises required students to configure, program, analyze, attack and defend a mini control system network consisting of two PLCs, a network and an operator’s console as shown in Figure 2.

Figure 2. PLCs used in the Portable Living Laboratory Kit

4. Examples of Student Achievements

Over sixty students attended CNS 366/466 during the three course offerings. The students were involved with dissecting systems, identifying threats, discovering vulnerabilities, constructing scenarios and selecting mitigating controls. Specifically the students analyzed the Allen-Bradley MicroLogix 1100 and Siemens S7-1200 PLCs, developed critical infrastructure testbeds, researched verticals, hardware, protocols and open source information and identified several educational tools to help with the steep learning curve at the beginning of the course.

4.1. Programmable Logic Controller Analysis

The students performed physical, operational and cyber vulnerability assessments against the Siemens S7-1200 and Allen-Bradley MicroLogix 1100 PLCs. The results of the student analysis included several assessment risks such as physical I/O manipulation to create runtime faults, SD card access forcing the PLC to halt and network setting manipulations using common industrial technology tools such as IP Explorer. The students were also able to identify several very simple exploits. Notably, the Allen-Bradley MicroLogix 1100 suffers from a severe Ethernet processing overload DoS vulnerability. As shown in Figure 3, a simple customized PING (i.e. ping 172.16.1.30 -I .0001 -s 15000) with a small interval between packets and a large frame size causes the controller to become unresponsive.

Figure 3. Ping of Death of the Allen-Bradley MicroLogix 1100 (ping 172.16.1.30 -I .0001 -s 15000)
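A defender-side complement to the overload finding above, added here as an example and not taken from the course or the paper: a sliding-window check over constructed flow records that flags any host sending ICMP echo requests to the lab PLC address at a rate or payload size that routine HMI polling never produces. The record format, the thresholds, the HMI address and the sending host address are assumptions; only the PLC address comes from the text.

```python
"""Rate and size check for ICMP echo traffic aimed at a PLC, over constructed flow records."""
from collections import defaultdict, deque

PLC_IP = "172.16.1.30"          # controller address from the lab kit
MAX_ECHO_PER_WINDOW = 20        # assumed: more echo requests than this per window is a flood
WINDOW_SECONDS = 1.0
MAX_ECHO_BYTES = 1500           # assumed: echo payloads larger than one Ethernet frame are suspect


def parse_record(line: str) -> dict:
    """Parse one 'time src dst proto bytes' record (a constructed format, not a real log product)."""
    t, src, dst, proto, size = line.split()
    return {"time": float(t), "src": src, "dst": dst, "proto": proto, "bytes": int(size)}


def detect_icmp_flood(lines, plc_ip=PLC_IP, window=WINDOW_SECONDS,
                      max_count=MAX_ECHO_PER_WINDOW, max_bytes=MAX_ECHO_BYTES) -> list:
    """Return one alert per (source, kind): 'rate' when the sliding-window count of echo
    requests to the PLC exceeds max_count, 'oversized' when a single echo request exceeds
    max_bytes. Records must be supplied in time order."""
    recent = defaultdict(deque)     # src -> timestamps of recent echo requests to the PLC
    alerts = {}
    for line in lines:
        r = parse_record(line)
        if r["dst"] != plc_ip or r["proto"] != "icmp-echo":
            continue
        q = recent[r["src"]]
        q.append(r["time"])
        while q and r["time"] - q[0] > window:       # slide the window forward
            q.popleft()
        key = (r["src"], "rate")
        if len(q) > max_count and key not in alerts:
            alerts[key] = {"src": r["src"], "kind": "rate", "time": r["time"], "count": len(q)}
        key = (r["src"], "oversized")
        if r["bytes"] > max_bytes and key not in alerts:
            alerts[key] = {"src": r["src"], "kind": "oversized", "time": r["time"], "bytes": r["bytes"]}
    return list(alerts.values())


def build_sample_log() -> list:
    """Constructed records: an HMI (assumed 172.16.1.10) polling the PLC over EtherNet/IP and
    sending one ordinary 64-byte ping, then a burst shaped like the customized ping in the
    text (0.0001 s interval, 15000-byte payload) from an assumed host 172.16.1.99."""
    lines = [f"{t:.4f} 172.16.1.10 {PLC_IP} tcp/44818 120" for t in (0.0, 0.5, 1.0, 1.5)]
    lines.append(f"0.7000 172.16.1.10 {PLC_IP} icmp-echo 64")
    lines += [f"{2.0 + i * 0.0001:.4f} 172.16.1.99 {PLC_IP} icmp-echo 15000" for i in range(60)]
    return sorted(lines, key=lambda s: float(s.split()[0]))


if __name__ == "__main__":
    for alert in detect_icmp_flood(build_sample_log()):
        print(alert)
```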

The Siemens S7-1200 can be configured to operate a web service. Earlier firmware revisions enabled this service by default. A simple NMAP scan reveals the web services of http and https operating on the controller as well as the control protocol ISO-TSAP, as shown in Figure 4.

Figure 4. Running NMAP against the Siemens S7-1200 PLC

The students revealed that even the most recent firmware update discloses an HTTP session ID before the user authenticates over a secure SSL session. As shown in Figure 5, Burp Suite was used to capture the HTTP header information and, from the disclosed identifier, capture an authenticated SSL session.

Figure 5. Using Burp Suite to attack the http(s) session ID on the Siemens S7-1200 web server


The students were able to use the portable living laboratory kits to identify the vulnerabilities discussed in recent reports by Dillon Beresford [8], Digital Bond’s Project Basecamp [9] and CERT Vulnerability Note VU#144233 [10].

4.2. Critical Infrastructure Testbeds

Attacks such as Stuxnet exposed the complicated and integrated nature of an attack most likely leveraging open source intelligence, signals intelligence, social engineering, mechanical engineering, computer engineering and cybersecurity skillsets. Specifically, Stuxnet exposed the knowledge a mechanical engineer needs to assess rotor failures of a specific type of equipment. These failure thresholds are typically protected by digital safety systems such as PLCs and PACs. This mechanical engineering knowledge was then programmed into the control system. Such deep understanding would not typically be possessed by one individual and represents not only the collective of skills necessary to craft an attack but also the collective necessary to protect an asset owner from an attack. Based upon previous work at Mississippi State University, it is invaluable to develop critical infrastructure control system testbeds to facilitate pedagogical learning [11]. The students were assigned projects, as highlighted in Table III, to develop control logic to simulate components of heavy rail, manufacturing, pipelines and traffic lights to help them understand this collective of skills.

TABLE III. CRITICAL INFRASTRUCTURE TESTBEDS

Exercise: Description

Heavy Rail
Simulation: Model railroad with PLC controlled turnouts and analog force sensors to identify train location
Attack: Attempt to stop and/or derail train

Manufacturing
Simulation: Robotic arm controlled with PLC to move small objects behind a discrete safety curtain
Attack: Attempt to move the robotic arm beyond the safety curtain

Pipelines
Simulation: Pressurize and de-pressurize a balloon using a PLC controlled air compressor and a relief valve
Attack: Attempt to over-pressurize the line by inhibiting the safety valve and exploding the balloon

Traffic Lights
Simulation: Two-way traffic light system with police control and force sensing resistors to detect vehicle presence
Attack: Attempt to create all green traffic light conditions

The students assessed the design elements for each critical infrastructure testbed and attempted to develop the decision logic, wiring schematics, programmable constructs, attack scenario and mitigating controls. The traffic light system required a large amount of logical construction to define the testbed. The truth tables included not only the traffic intersection red, yellow and green light control but also the controls to force light conditions. An example of a truth table for the green light condition is shown in Figure 6.

Figure 6. Green Traffic Light Truth Table
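A model of the traffic light testbed's decision logic, added here as an example; it is not the students' ladder logic and does not reproduce the truth table of Figure 6. The phase numbering, the sensor names and the police command words are assumptions. It keeps the lamp truth table separate from an output-side conflict monitor, so the all-green condition that the attack in Table III aims for is refused whatever the timer, the police input or a compromised operator console requests.

```python
"""Decision logic for the two-way traffic light testbed with a conflict monitor."""
from dataclasses import dataclass
from enum import Enum


class Lamp(Enum):
    RED = "red"
    YELLOW = "yellow"
    GREEN = "green"


# Cycle-timer phases (assumed): 0 = NS green, 1 = NS yellow, 2 = EW green, 3 = EW yellow.


@dataclass(frozen=True)
class Inputs:
    phase: int          # current phase from the cycle timer
    ns_vehicle: bool    # force-sensing resistor under the north-south approach
    ew_vehicle: bool    # force-sensing resistor under the east-west approach
    police_mode: str    # "auto", "all_red", "force_ns" or "force_ew" (assumed command words)


def next_phase(i: Inputs) -> int:
    """A green always clears through its yellow; after a yellow, serve the other approach
    unless it is empty and the approach that just cleared still has a vehicle waiting."""
    if i.phase in (0, 2):
        return i.phase + 1
    if i.phase == 1:                        # NS just cleared
        return 0 if (not i.ew_vehicle and i.ns_vehicle) else 2
    return 2 if (not i.ns_vehicle and i.ew_vehicle) else 0   # phase 3: EW just cleared


def lamp_request(i: Inputs) -> tuple:
    """Truth table for the (NS, EW) lamps: a police command overrides the timer phase,
    and an unrecognized command word falls back to all red."""
    police = {
        "all_red": (Lamp.RED, Lamp.RED),
        "force_ns": (Lamp.GREEN, Lamp.RED),
        "force_ew": (Lamp.RED, Lamp.GREEN),
    }
    if i.police_mode in police:
        return police[i.police_mode]
    if i.police_mode != "auto":
        return (Lamp.RED, Lamp.RED)
    by_phase = {
        0: (Lamp.GREEN, Lamp.RED),
        1: (Lamp.YELLOW, Lamp.RED),
        2: (Lamp.RED, Lamp.GREEN),
        3: (Lamp.RED, Lamp.YELLOW),
    }
    return by_phase.get(i.phase, (Lamp.RED, Lamp.RED))


def interlock(ns: Lamp, ew: Lamp) -> tuple:
    """Conflict monitor on the output side: if both approaches would be energized at once
    (green or yellow), drop to all red and raise a fault. This is the mitigating control that
    keeps the all-green condition unreachable even when the logic upstream is overridden."""
    if ns != Lamp.RED and ew != Lamp.RED:
        return (Lamp.RED, Lamp.RED, True)
    return (ns, ew, False)


def scan(i: Inputs) -> dict:
    """One PLC scan: read inputs, evaluate the truth table, pass the result through the interlock."""
    ns, ew = lamp_request(i)
    ns, ew, fault = interlock(ns, ew)
    return {"ns": ns, "ew": ew, "fault": fault, "next_phase": next_phase(i)}


if __name__ == "__main__":
    print(scan(Inputs(phase=0, ns_vehicle=True, ew_vehicle=False, police_mode="auto")))
    # An operator console writing both greens straight to the outputs is caught by the interlock.
    print(interlock(Lamp.GREEN, Lamp.GREEN))
```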

Similarly the robotic arm needed to be appropriately wired to support the motorized servos. This team did not have sufficient engineering and circuitry background to support the assignment; however, they adapted their model to automate the robotic arm in a single direction as shown in Figure 7.


Figure 7. Robotic ARM Wiring Schematic

The struggle was to automate the robotic arm's bi-directional control using two different voltage polarities. This difficulty, as well as a new model for the course, is discussed later in this paper. The team then spent most of their efforts defining the supporting attack scenarios and mitigating controls.

Another team successfully designed the model heavy rail scenario as shown in Figure 8. The scenario attempted to create conditions to cause a train derailment.

Figure 8. Model Heavy Rail Turnout and Speed Control Wiring

4.3. Individual Student Projects

Throughout the quarters students were assigned individual research projects to identify publicly available information pertaining to specific vertically oriented critical infrastructure, control system hardware, communication protocols and industry intelligence gathering. The primary goals of this assignment were to provide each student with individualized grades to combine with their group project grades and to have the students further explore a specific critical infrastructure and/or control system topical area as referenced in Table IV.

TABLE IV. INDIVIDUAL STUDENT PROJECT TOPICS

Category: Topics

Vertical: Ships, Airplanes, Fresh Water / Waste Water, Farm Mass Poultry, Milk and Cheese Production, Farm Equipment, Grain Storage, Flour Milling, Food Processing, Steel Manufacturing, Automobile Manufacturing, Bottled Products, Passenger Automobiles, Tractor-Trailers, Heavy/Light Rail, Amusement Parks, Pipelines, Power Grid, Refineries, Wellheads, LEED Buildings, Chemical, Production, Traffic Lights, Satellites, Environmental Monitoring, NOAA Weather, Port Cranes, Weapons

Hardware: Nano-10 PLC, Directlogic 05, Opto-22 SNAP-PAC, Schneider Modicon Quantum PAC, Banner Engineering Digital Safety PLC, Parrot ARDrone, Traxxas Summit, IDEC Pentra-12, Allen-Bradley ML1100 PLC, Siemens S7-1200 PLC, IP Explorer, Hardware MAC Addresses, Field Communications Electromagnetic Interference

Protocols: DNP3, Ethernet/IP, ICCP, AB PCCC, ISO on TCP, Modbus/TCP, Modbus/UDP, IEC Variants, IEEE 802.15.4/Zigbee, ALSCOM

Intelligence Gathering: Computer Glitches in Control Systems, Vendor Documentation, PLC Message Boards, Vendor Security Awareness

4.4. Student Identified Learning Resources

Students begin the course with knowledge and skills gained from a variety of experiences, vastly different from those of each other and the instructor. These experience variations create challenges in correctly articulating the course material for each student. The first assignment for the students is to identify resources that help them understand the first lecture and corresponding video. Each student is instructed to identify five openly available resources used by him or her to further explore critical infrastructure and control system cybersecurity concepts. The students must also include a brief description of the resource and a recommendation on how to categorize the resource. Over 100 unique English language resources have been identified throughout the offering of DePaul CNS 366/466. These identified learning resources will be placed within a logical mindmap for current and future students to utilize at DePaul University and other academic institutions. The resources may also become valuable for the general industry.

5. Course Ongoing Development and Refinement

The course materials have gone through constant refinement and review as students have expressed interests and identified difficulties, industry has identified new threats and vulnerabilities, and new mechanisms to facilitate learning have been identified. Modifications have occurred within the portable living laboratory equipment, a rapid prototyping circuitry and automation trainer, hardware to educate distance-learning students, industry and academic partnerships, red team / blue team exercises, and the addition of control system components and communication protocols.

5.1. Portable Living Laboratory Equipment

The portable living laboratory equipment has expanded greatly during the three offerings of the course. Initially the portable kits were contained within small containers providing the PLC, tapping switch and a software HMI license. The kit has now transitioned to also include a fully configured laptop computer with pre-installed software, drivers and a customized Backtrack edition. The students can now quickly perform ladder logic configurations and vulnerability analysis in a known-to-work environment. This removes the three-week hurdle of getting equipment functional and allows for more rapid knowledge transfer and skill acquisition. The kit is also undergoing a transition for these environments to be fully virtual, allowing the technician, operator and attack environments to be USB flash drive portable.

5.2. Rapid Prototyping Circuitry and Automation Trainer

During the spring 2012 critical infrastructure testbed development group project assignment, several teams expressed difficulty in understanding electric circuits and dissecting the proposed critical infrastructure simulation equipment. Further analysis revealed a common situation among all students who had either not recently, or never, studied the fields of computer, electrical, mechanical and/or industrial engineering. Furthermore, this course is not specifically about circuit analysis and design. Therefore, an efficient learning tool is necessary. Several options were reviewed including circuitry breadboards, circuitry tutorials and videos, mentors and coaches, and software programming environments. The decision was to use a combined customized approach from two different vendors of equipment, Phidgets™ and Elenco™, as shown in Figure 9.

Figure 9. Customized Standalone Elenco Snap-Circuits™ / Phidgets™ Trainer Unit

The Elenco Snap-Circuits™ combined with the Phidgets™ analog sensors provide a rapid prototyping circuitry and automation platform for classroom demonstration and analysis. The students can evaluate numerous circuit models to aid in understanding the types of sensors, actuators and logic prevalent in control system environments. The customized Elenco Snap-Circuits™ / Phidgets™ Trainer Unit recommended for the classroom includes the following components: switches, momentary push buttons, two motors, two relays, indicator lights/LEDs, whistler chip, analog voltage/AMP meter, and Phidget™ sensors (motion, touch, sound, light, magnetic, infrared reflective, force, water and vibration). The circuits can then be coupled with external low voltage elements to aid in the dissection process prior to implementing the logic in programmable hardware utilizing either industry standard PLCs or the Arduino™ platform. The rapid prototyping design was successfully tested with the robotic arm assignment, which required a Snap-Circuit™ S3 relay to switch the voltage polarity that drives the arm servos, as depicted in Figure 10. The next step is to transition the typically static PLC circuitry to the programmable environment. First the programmable hardware needs to be adapted to support dynamic connections as depicted in Figure 11. The connections are made between the PLC inputs and outputs and the customized trainer unit using Category 5e or 6 Ethernet adaptors and shielded cabling.


Figure 10. Elenco Snap-Circuits Rapid Prototyping of Robotic ARM

Figure 11. Customized PLC Connections

The difficulty is to sustain the appropriate voltage between independently developed environments while maintaining a safe environment for the students to perform rapid prototyping. Most discrete digital inputs on PLCs sense voltages between 14 and 28 vdc. Most analog PLC inputs support voltage ranges between 0 and 10 vdc. The supporting Elenco Snap-Circuits™ only operate on voltages between 3 and 6 volts. This supports the Phidgets™ analog sensors operating at 0 to 5 vdc. However, many PLC discrete digital inputs will not sense below 14 vdc. Modifying a 3 vdc AA battery B1 Snap-Circuit™ to use a Dimension Engineering AnyVolt 3 voltage regulator, as depicted in Figure 12, mitigated this obstacle. The voltage regulator alters any voltage input between 5 and 30 vdc to a statically configurable 3 to 24 vdc output. The AnyVolt 3 modified Snap-Circuit™ has been set to output 18 vdc, which is still well below the safety limits prescribed by the U.S. Consumer Product Safety Commission’s “Requirements for electrically operated toys or other electrically operated articles for use by children” (CPSC 1505). CPSC 1505 specifies that “a potential of more than 30 volts r.m.s. shall not exist between any exposed live part in a toy and any other part or ground.” [12] Elenco Snap-Circuits are also protected by United States Patent #7,144,255 for the safe design incorporated into the circuitry. The power supply and step-up voltage transformer are equipped with positive temperature coefficient (PTC) resettable fuses to electronically limit the maximum current that can be drawn from the circuits.

Figure 12. AnyVolt 3 Customized Elenco Snap-Circuit™ Module
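A design-rule check for the voltage mismatch described above, added as an example and not part of the paper's trainer design: it encodes the ranges quoted in the text (Snap-Circuits 3 to 6 V, Phidgets 0 to 5 V, PLC discrete inputs 14 to 28 vdc, analog inputs 0 to 10 vdc, AnyVolt 3 output 3 to 24 vdc, the CPSC 1505 30 V limit) and reports which source-to-input pairings work. The Source and PlcInput classes, the rule wording and the 36 V bench supply case are assumptions.

```python
"""Design-rule check for coupling low-voltage trainer circuits to PLC inputs."""
from dataclasses import dataclass

CPSC_1505_MAX_V = 30.0          # CPSC 1505: no more than 30 V r.m.s. between exposed live parts
ANYVOLT3_OUT = (3.0, 24.0)      # AnyVolt 3 configurable output range, vdc


@dataclass(frozen=True)
class Source:
    name: str
    v_min: float    # lowest voltage the source can present to the PLC terminal
    v_max: float    # highest voltage it can present


@dataclass(frozen=True)
class PlcInput:
    name: str
    kind: str       # "discrete" or "analog"
    v_low: float    # discrete: lowest voltage sensed as ON; analog: bottom of the measured range
    v_high: float   # highest voltage the input accepts


# Hardware described in the text
SNAP_CIRCUITS = Source("Elenco Snap-Circuits", 3.0, 6.0)
PHIDGETS = Source("Phidgets analog sensor", 0.0, 5.0)
PLC_DISCRETE = PlcInput("PLC discrete input", "discrete", 14.0, 28.0)
PLC_ANALOG = PlcInput("PLC analog input", "analog", 0.0, 10.0)


def regulated(setpoint: float) -> Source:
    """Output of the AnyVolt 3 stage configured to a fixed setpoint; refuse setpoints it cannot produce."""
    lo, hi = ANYVOLT3_OUT
    if not lo <= setpoint <= hi:
        raise ValueError(f"AnyVolt 3 cannot be set to {setpoint} V (range {lo}-{hi} V)")
    return Source(f"AnyVolt 3 @ {setpoint:g} V", setpoint, setpoint)


def check(src: Source, inp: PlcInput) -> list:
    """Return the rule violations for wiring src to inp; an empty list means the pairing works."""
    problems = []
    if src.v_max > CPSC_1505_MAX_V:
        problems.append(f"{src.v_max:g} V exceeds the {CPSC_1505_MAX_V:g} V CPSC 1505 limit for exposed parts")
    if src.v_max > inp.v_high:
        problems.append(f"{src.v_max:g} V exceeds the {inp.v_high:g} V maximum of {inp.name}")
    if inp.kind == "discrete" and src.v_max < inp.v_low:
        problems.append(f"{src.v_max:g} V never reaches the {inp.v_low:g} V ON threshold of {inp.name}")
    if inp.kind == "analog" and src.v_min < inp.v_low:
        problems.append(f"{src.v_min:g} V is below the {inp.v_low:g} V floor of {inp.name}")
    return problems


def trainer_rules() -> dict:
    """Evaluate the pairings discussed in the text plus one assumed over-voltage case."""
    cases = {
        "snap-circuits -> discrete": (SNAP_CIRCUITS, PLC_DISCRETE),
        "phidgets -> analog": (PHIDGETS, PLC_ANALOG),
        "anyvolt 18 V -> discrete": (regulated(18.0), PLC_DISCRETE),
        "unregulated 36 V -> discrete": (Source("assumed bench supply", 36.0, 36.0), PLC_DISCRETE),
    }
    return {label: check(s, i) for label, (s, i) in cases.items()}


if __name__ == "__main__":
    for label, problems in trainer_rules().items():
        print(label, "OK" if not problems else problems)
```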

The new customized trainer unit, shown in Figure 13, allows students to easily select various inputs, outputs and circuitry logic combined with PLC decision logic to analyze control system designs. For instance, each of the four critical infrastructure scenarios described earlier in this paper has been modified to accept this control interface.

Figure 13. AnyVolt 3 Customized PLC Connected Elenco Snap-Circuits™ / Phidgets™ Trainer Unit

The development and lab integration of this additional learning tool is complete. The new 18 vdc voltage regulator and the Elenco Snap-Circuits™ / Phidgets™ rapid prototyping kits will be included in the next course offering.

5.3. Distance-Learning Students

Control system environments are very difficult to transition to a distance-learning (DL) program due to the need to gain access to many physical elements including programmable devices, sensors and actuators. In this course DL students have historically been placed into teams that also include local students, where the local students must manage the necessary access to the equipment for the DL student. This is not a reliable model and needs to be addressed by the course facilitator. Development is currently in the research stages to utilize a robotic arm to manipulate the local control input toggles and momentary push buttons located on the PLC trainer units. The robotic arm used in the DL remotely accessible kits is a more powerful version of the robotic arm used in the critical infrastructure testbed. A strong robotic claw is necessary to manipulate the toggle switches and momentary push buttons simulating sensors and actuators located on the trainer units. Visualization of the PLC and trainer unit environment is managed with a local web camera. Successful completion of this remotely accessible training environment would facilitate greater direct course participation for DL students. The other elements for DL access are more commonplace among DL programs, such as remote PC terminal access and remote power distribution unit control. If the robotic arm is not feasible, each DL student could be sent a portable learning laboratory kit or specific components such as the rapid prototyping environment discussed in Section 5.2 of this paper. The logistics of sending and assuring proper retrieval of functional kits after the course ends are not ideal, so this may not be a viable option for academic settings.

5.4 Industry and Academic Partnership

A standardized critical infrastructure and control system curriculum used across both industry and academic institutions can provide substantial benefits. Academic institutions can share experiences and content updates among faculty, while industry partners provide feedback on the course's professional expectations. The course material and portable learning laboratory environment used in CNS 366/466 have also been used in two-day, three-day and five-day asset owner classes in industry settings. Feedback from students and professionals has guided the course development and will continue to do so as additional courses are offered at this University and other institutions. Community colleges, universities and asset owners have retained and begun using the curriculum and portable learning laboratory kit in their environments. The course instructors take part in bi-annual discussions of the current curriculum and desired modifications. The goal of this model is to keep the course topics current with industry needs while limiting the additional education that employers must provide to new hires.

5.5. Red Team / Blue Team Exercises

Course-facilitated red team / blue team exercises allow participants to defend their systems against a rival while in crisis mode. The selective reasoning used while responding to an incident can only be developed if students are placed in a role that requires decisive action in a timely manner. The spring 2012 quarter included the first red team challenge. Students attempted to escalate privileges on several control system components that were new to them. Following industry announcements in early 2012, the Schneider Modicon Quantum PAC and RuggedCom's Rugged Server 400 were added to the blue team environment. A fictitious company, HackOurs, LLC, with an Internet presence owned the blue team environment; the Internet presence included character information to aid the attack process. The students successfully identified user passwords, critical asset information and the hardware in use, and escalated privileges using recently released information, scripts and Metasploit modules. Continuing to acquire equipment each time a new vulnerability or exploit is published is not financially sustainable. The next natural step is therefore to have teams build their own critical infrastructure scenarios and then attempt to discover other teams' environments through blackbox analysis techniques. This gives teams a sense of ownership over their environments as well as an understanding of how to discover, dissect and exploit other environments, which should translate into better protection of critical infrastructure control system assets through operational, physical and cyber controls.


5.6. Additional Control System Components and Communication Protocols through Collaboration

The portable training environment has provided the students with a strong learning environment; however, additional technologies and communication protocols should be explored and protected. Other academic institutions have completed or are conducting studies of intrusion detection for MODBUS Remote Terminal Units (RTUs) [13], cybersecurity analysis of Phasor Measurement Units (PMUs) [14], and vulnerability discovery in HMI software and terminals [15]. Excellent resources are available at many institutions to discover, report on and address the cybersecurity challenges of hardware, software and deployed architectures. DePaul University is specifically seeking additional collaborators to address this shortage of physical resources.
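The following is an added example and is not code from the paper or from the CNS 366/466 course material. It shows, in one small Modbus/TCP decoder, the two activities discussed in Sections 5.5 and 5.6: the blackbox discovery step a red team would run against an unknown device (a Read Device Identification request, function code 0x2B with MEI type 0x0E, and decoding of its reply), and a simplified write-command allow-list check of the kind a retrofit MODBUS monitor might apply (this is a teaching simplification, not the detection logic of [13]). Every frame, host address and vendor string below is constructed inline for the demonstration; nothing is sent on the wire.

```python
"""
Added example (not from the paper): a minimal Modbus/TCP decoder used two ways.

1. Blackbox discovery (Section 5.5): build a Read Device Identification request
   (function 0x2B, MEI type 0x0E) and decode the reply to learn the vendor,
   product code and firmware revision of an unknown device.
2. Retrofit detection (Section 5.6): flag Modbus write commands that do not
   originate from an allow-listed engineering/HMI host.

All frames, host addresses and vendor strings below are constructed for the
demonstration; no device is contacted.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
READ_DEVICE_ID = 0x2B
MEI_DEVICE_ID = 0x0E
DEVICE_ID_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def build_read_device_id_request(transaction_id=1, unit_id=1, read_code=0x01):
    """Encode an MBAP header plus a Read Device Identification PDU (basic stream)."""
    pdu = bytes([READ_DEVICE_ID, MEI_DEVICE_ID, read_code, 0x00])  # start at object 0
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(raw):
    """Split a Modbus/TCP frame into header fields and PDU, validating the length field."""
    if len(raw) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(raw) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(raw)}")
    return ModbusFrame(tid, unit, raw[7], raw[8:])


def parse_device_id_response(frame):
    """Decode a Read Device Identification reply into {object name: value}.

    A Modbus exception reply (function | 0x80) is returned as {"exception": code};
    during discovery even that is informative, since it proves a Modbus stack answers.
    """
    if frame.function == READ_DEVICE_ID | 0x80:
        return {"exception": frame.data[0]}
    if frame.function != READ_DEVICE_ID or frame.data[0] != MEI_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    # data layout: MEI type, read code, conformity level, more follows,
    # next object id, object count, then (object id, length, value) triples
    count = frame.data[5]
    pos = 6
    objects = {}
    for _ in range(count):
        obj_id, obj_len = frame.data[pos], frame.data[pos + 1]
        value = frame.data[pos + 2:pos + 2 + obj_len]
        name = DEVICE_ID_OBJECTS.get(obj_id, f"object_{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects


def flag_unauthorized_writes(observed, allowed_writers):
    """Return (source, unit id, function) for every write not sent by an allow-listed host."""
    alerts = []
    for src, raw in observed:
        frame = parse_frame(raw)
        if frame.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, frame.unit_id, frame.function))
    return alerts


# Constructed reply a PLC might send: vendor "AcmeVendor", product "PLC-1000", revision "V1.2".
# MBAP length 36 = 1 (unit id) + 35 bytes of PDU.
SAMPLE_DEVICE_ID_RESPONSE = (
    struct.pack(">HHHB", 1, 0, 36, 1)
    + bytes([READ_DEVICE_ID, MEI_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, 0x03])
    + bytes([0x00, 10]) + b"AcmeVendor"
    + bytes([0x01, 8]) + b"PLC-1000"
    + bytes([0x02, 4]) + b"V1.2"
)

# Constructed traffic sample: (source host, frame). 0x06 = Write Single Register,
# 0x03 = Read Holding Registers. 10.0.0.5 plays the legitimate HMI.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", struct.pack(">HHHB", 7, 0, 6, 1) + bytes([0x06, 0x00, 0x10, 0x00, 0xFF])),
    ("10.0.0.99", struct.pack(">HHHB", 8, 0, 6, 1) + bytes([0x03, 0x00, 0x00, 0x00, 0x0A])),
    ("10.0.0.99", struct.pack(">HHHB", 9, 0, 6, 1) + bytes([0x06, 0x00, 0x10, 0x00, 0x00])),
]

if __name__ == "__main__":
    print("probe:", build_read_device_id_request().hex())
    print("identity:", parse_device_id_response(parse_frame(SAMPLE_DEVICE_ID_RESPONSE)))
    print("alerts:", flag_unauthorized_writes(SAMPLE_TRAFFIC, {"10.0.0.5"}))
```

Run as a script, the probe bytes are what a team would send to TCP port 502 of a discovered host; the identity dictionary is the reconnaissance result; and the single alert (the write from 10.0.0.99) is the event a blue team would want logged. In a real deployment the allow-list would also cover unit IDs and register ranges, since a legitimate HMI address can itself be spoofed on an unauthenticated protocol such as Modbus.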

6. Conclusion

The Critical Infrastructure and Control System Cybersecurity University course curriculum for undergraduate and graduate students provides students with textbook analysis, hands-on laboratory exercises and associative critical infrastructure constructs to aid in the transfer of knowledge. The curriculum’s successful achievements to date include:

• Two academic institutions have included the curriculum and portable living laboratory environment within their educational programs

• Several academic institutions have included the curriculum and portable living laboratory within grant requests

• Industry asset-owners and government response teams have retained and participated in maintaining the curriculum and portable living laboratory environment

• Several students have received employment opportunities directly related with critical infrastructure and control system cybersecurity

The ability to protect critical infrastructure and control systems from threats rests with the workforce that manages, operates and integrates them. The success of this curriculum is measured directly by its ability to propagate through other academic institutions and industry to help fill the cybersecurity workforce shortage.

7. References

[1] Department of Homeland Security, 2009 National Infrastructure Protection Plan, http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf, February 2009 (Accessed August 28, 2012)

[2] US-CERT Control System Security Program, http://www.us-cert.gov/control_systems/ (Accessed August 29, 2012)

[3] National SCADA Test Bed Program, http://www.inl.gov/scada/ (Accessed August 29, 2012)

[4] Mississippi State University Center for Computer Security Research, http://www.cse.msstate.edu/~security/ (Accessed August 30, 2012)

[5] Southeast Region Research Initiative, http://www.serri.org/Pages/serri.aspx (Accessed August 30, 2012)

[6] Trustworthy Cyber Infrastructure for the Power Grid, http://tcipg.org/ (Accessed August 30, 2012)

[7] DePaul University CNS 366/466 Course Offering

[8] Beresford, Dillon, Exploiting Siemens SIMATIC S7 PLCs, Black Hat 2011, August 2011

[9] DigitalBond Project Basecamp, http://www.digitalbond.com/tools/basecamp/ (Accessed August 31, 2012)

[10] Vulnerability Note VU#144233, Rockwell Automation Allen-Bradley MicroLogix PLC authentication and authorization vulnerabilities, http://www.kb.cert.org/vuls/id/144233 (Accessed August 30, 2012)

[11] Thomas Morris, Rayford Vaughn, Yoginder Dandass, “A Testbed for SCADA Control System Cybersecurity Research and Pedagogy”, Proceedings of The 7th Annual ACM Cyber Security and Information Intelligence Research Workshop (CSIIRW), Oak Ridge, TN, October 2011

[12] Dr. Marom Bikson, “A Review of Hazards Associated with Exposure to Low Voltages”, City University of New York, 2004

[13] Morris, T., Vaughn, R., Dandass, Y., A Retrofit Network Intrusion Detection System for MODBUS RTU and ASCII Industrial Control Systems. Proceedings of the 45th IEEE Hawaii International Conference on System Sciences (HICSS-45), January 4-7, 2012, Grand Wailea, Maui.

[14] Morris, T., Pan, S., Lewis, J., Moorhead, J., Reaves, B., Younan, N., King, R., Freund, M., Madani, V. Cybersecurity Testing of Substation Phasor Measurement Units and Phasor Data Concentrators. The 7th Annual ACM Cyber Security and Information Intelligence Research Workshop (CSIIRW). October 12-14, 2011. Oak Ridge, TN.

[15] McGrew, R. and Vaughn, R. 2009. Discovering vulnerabilities in control system human-machine interface software. Journal of Systems and Software. 82, 4 (April 2009), 583-589.
