SCADA: A Deeper LookSCADA: A Deeper LookSCADA: A Deeper LookSCADA: A Deeper Look

Jeff Dagle

P ifi N th t N ti l L b tPacific Northwest National LaboratoryP.O. Box 999, M/S K5-20; Richland WA 99352

509-375-3629; Fax: 509-375-3614; jeff dagle@pnl govjeff.dagle@pnl.gov

OutlineOutlineOutlineOutlineOutlineOutlineOutlineOutline

VendorsVendorsProtocolsDNP 3.0 Protocol ExampleDNP 3.0 Protocol ExampleDemonstration

2

SCADA Principles of OperationSCADA Principles of OperationSCADA Principles of OperationSCADA Principles of OperationSCADA Principles of OperationSCADA Principles of OperationSCADA Principles of OperationSCADA Principles of Operation

Interface with Physical DevicesInterface with Physical DevicesRemote terminal unit (RTU)Intelligent electronic device (IED)Programmable logic controller (PLC)

CommunicationsDirectly wiredPower line carrierMicrowaveMicrowaveRadio (spread spectrum)Fiber optic

3

p

Typical SCADA ArchitectureTypical SCADA ArchitectureTypical SCADA ArchitectureTypical SCADA ArchitectureTypical SCADA ArchitectureTypical SCADA ArchitectureTypical SCADA ArchitectureTypical SCADA Architecture

MainA li ti

PrimaryServer

CentralApplicationProcessing

SecondaryServer

ProcessingLAN

TelemetryServer 1

TelemetryServer n

…

Telemetry

Inter-siteGateway

TelemetryLAN

IndependentControl

Center A

RTU CommServer

RTU CommServer

SerialLi kLeased

Bridge ModemModem Bridge ModemModem

RTU RTU

Bridge ModemModem

RTU

Links

Phone LineRadio

Fiber Optic

IndependentControl

Center B

LeasedLines

RTUx

RTUy

RTUz

RTUx

RTUy

RTUz

……RTU

xRTU

y… RTU

z

p

Redundant Paths

4

Paths

IED PLC…

IED

Major SCADA/EMS VendorsMajor SCADA/EMS VendorsMajor SCADA/EMS VendorsMajor SCADA/EMS VendorsMajor SCADA/EMS VendorsMajor SCADA/EMS VendorsMajor SCADA/EMS VendorsMajor SCADA/EMS Vendors

Asea Brown Boveri (ABB)Asea Brown Boveri (ABB)SiemensAlstom ESCAAlstom ESCATelegyr SystemsAdvanced Control Systems (ACS)Advanced Control Systems (ACS)HarrisBaileyBailey

5

SCADA Protocols (Partial List!)SCADA Protocols (Partial List!)SCADA Protocols (Partial List!)SCADA Protocols (Partial List!)SCADA Protocols (Partial List!)SCADA Protocols (Partial List!)SCADA Protocols (Partial List!)SCADA Protocols (Partial List!)

ANSI X3.28 PertBBC 7200CDC Types 1 and 2

PG&EQEI Micro II

Conitel 2020/2000/3000DCP 1DNP 3 0

Redac 70HRockwellSES 91DNP 3.0

Gedac 7020IBM 3707

SES 91Tejas 3 and 5TRW 9550

Landis & Gyr 8979 Vancomm

6

Protocol BackgroundProtocol BackgroundProtocol BackgroundProtocol BackgroundInternational Standards Organization Open System Interconnection Reference ModelISO OSI Reference Model (protocol stack)

Protocol BackgroundProtocol BackgroundProtocol BackgroundProtocol Background

7 Application Provides interface to application services

6 Presentation

5 Session

Data representation

Starts, maintains, and ends each logical session

4 Transport

3 Network

End-to-end reliable communications stream

Routing and segmentation/reassembly of packets

2 Data Link

1 Physical

Transmit chunks of information across a link

Transmit unstructured bits across a link

7

y

Intermediate NodesIntermediate NodesIntermediate NodesIntermediate Nodes

Application Application

Intermediate NodesIntermediate NodesIntermediate NodesIntermediate Nodes

Presentation

Session

Presentation

Session

Transport

Network Network

Transport

NetworkNetwork

Data Link

Ph sical Ph sical

Network

Data Link

Ph sical

Network

Data Link

Ph sical

Data Link

Ph sicalPhysical Physical Physical PhysicalPhysical

8

REPEATER BRIDGE ROUTER

Simplified Protocol StackSimplified Protocol StackSimplified Protocol StackSimplified Protocol StackInternational Electrotechnical Commission (IEC)Enhanced Performance Architecture (EPA)

Simplified Protocol StackSimplified Protocol StackSimplified Protocol StackSimplified Protocol Stack

3 Application

( )

Provides interface to application services

2 Data Link Routing and segmentation/reassembly of packets

1 Physical Transmit bits of information across a link

9

SCADA Protocol ExampleSCADA Protocol ExampleSCADA Protocol ExampleSCADA Protocol ExampleSCADA Protocol ExampleSCADA Protocol ExampleSCADA Protocol ExampleSCADA Protocol Example

Distributed Network Protocol (DNP) 3.0Distributed Network Protocol (DNP) 3.0SCADA/EMS applications

RTU to IED communicationsMaster to remote communicationsPeer-to-peer instances and network applications

Object-based application layer protocolEmerging open architecture standard

10

DNP 3.0 Data Link LayerDNP 3.0 Data Link LayerDNP 3.0 Data Link LayerDNP 3.0 Data Link LayerDNP 3.0 Data Link LayerDNP 3.0 Data Link LayerDNP 3.0 Data Link LayerDNP 3.0 Data Link Layer

Interface with the physical layerInterface with the physical layerPacking data into the defined frame format and transmitting the data to the physical layerU ki f i d f h i l lUnpacking frames received from physical layerControlling all aspects of the physical layer

Data validity and integrityData validity and integrityCollision avoidance/detectionPerform message retriesg

Establish connection, disconnection in dial-up environment

11

DNP 3.0 Data Link LayerDNP 3.0 Data Link LayerDNP 3.0 Data Link LayerDNP 3.0 Data Link LayerDNP 3.0 Data Link LayerDNP 3.0 Data Link LayerDNP 3.0 Data Link LayerDNP 3.0 Data Link Layer

CRC CRCCRC USERDATA

USERDATA

BLOCK 0 BLOCK 1 BLOCK n

...SOUREDESTINATIONCONTROLLENGTHSTART

FIXED LENGTH HEADER (10 OCTETS) BODY

START 2 starting octets of the headerSTART 2 starting octets of the header

LENGTH 1 octet count of USER DATA in the header and body

CONTROL 1 octet Frame Control

DESTINATION 2 octet destination address

SOURCE 2 octet source address

CRC 2 octet Cyclic Redundancy Check

USER DATA Each block following the header has 16 octets of User defined data

12

DNP 3.0 Transport FunctionDNP 3.0 Transport FunctionDNP 3.0 Transport FunctionDNP 3.0 Transport FunctionDNP 3.0 Transport FunctionDNP 3.0 Transport FunctionDNP 3.0 Transport FunctionDNP 3.0 Transport Function

Supports advanced RTU functions and messagesSupports advanced RTU functions and messages larger than the maximum frame length in the data link layerAdditi l d t i t it ifi tiAdditional data integrity verificationPacks user data into multiple frames of the data link frame format for transmitting the datalink frame format for transmitting the dataUnpacks multiple frames that are received from the data link layeryControls data link layer

13

DNP 3.0 Transport FunctionDNP 3.0 Transport FunctionDNP 3.0 Transport FunctionDNP 3.0 Transport FunctionDNP 3.0 Transport FunctionDNP 3.0 Transport FunctionDNP 3.0 Transport FunctionDNP 3.0 Transport Function

USER DATATRANSPORT HEADER

1 OCTET 1 to 249 OCTETS IN LENGTH

FIN FIR SEQUENCE

FIN 0 = More frames follow

1 = Final frame of a sequence

FIR 1 = First frame of a sequence

0 = Not the first frame of a sequenceq

SEQUENCE Number between 0 and 63 to ensure frames are being received in sequence

14

DNP 3.0 Application LayerDNP 3.0 Application LayerDNP 3.0 Application LayerDNP 3.0 Application LayerDNP 3.0 Application LayerDNP 3.0 Application LayerDNP 3.0 Application LayerDNP 3.0 Application Layer

Communications Interface with ApplicationCommunications Interface with Application SoftwareDesigned for SCADA and Distributed Automation S tSystemsSupported functions include

d tsend requestaccept responseconfirmation time-outs error recovery etcconfirmation, time outs, error recovery, etc.

15

SCADA TrendsSCADA TrendsSCADA TrendsSCADA TrendsSCADA TrendsSCADA TrendsSCADA TrendsSCADA Trends

Open protocolsOpen protocolsOpen industry standard protocols are replacing vendor-specific proprietary communication protocols

I t t d t th tInterconnected to other systemsConnections to business and administrative networks to obtain productivity improvements and mandated openobtain productivity improvements and mandated open access information sharing

Reliance on public information systemsIncreasing use of public telecommunication systems and the internet for portions of the control system

16

Vulnerability ConcernsVulnerability ConcernsVulnerability ConcernsVulnerability ConcernsVulnerability ConcernsVulnerability ConcernsVulnerability ConcernsVulnerability Concerns

ConfidentialityConfidentialityProtecting information from unauthorized accessImportant for deregulation, competitive intelligence

IntegrityAssuring valid data and control actionsMost critical for real-time control applications

AvailabilityContin it of operationsContinuity of operationsImportant for real-time control applicationsHistorically addressed with redundancy

17

Historically addressed with redundancy

Laboratory SCADA Laboratory SCADA Vulnerability DemonstrationVulnerability Demonstration

Laboratory SCADA Laboratory SCADA Vulnerability DemonstrationVulnerability Demonstration

SCADA Protocol (DNP 3 0)SCADA Protocol (DNP 3.0)

Operator Interface

Field Device•Remote Terminal Unit (RTU)Protocol Analyzer

Scenarios•Denial of service

•Intelligent Electronic Device (IED)•Programmable Logic Controller (PLC)

y(Intruder)•Operator spoofing

•Direct manipulation of field devices

•Combinations of above Vulnerability implications vary significantly

18

Combinations of abovedepending on the scenario and application

SCADA Message StringsSCADA Message StringsSCADA Message StringsSCADA Message StringsSCADA Message StringsSCADA Message StringsSCADA Message StringsSCADA Message Strings

R ti il

Captured by

Repeating easilydecipherable format

p yRTU test set

19

Mitigation StrategiesMitigation StrategiesMitigation StrategiesMitigation StrategiesMitigation StrategiesMitigation StrategiesMitigation StrategiesMitigation Strategies

Security through obscuritySecurity through obscurityPoor defense against “structured adversary”

Isolated networkCommunication encryption

Concerns over latency, reliability, interoperabilityVendors waiting for customer demand

Signal authenticationMay provide good defense without the concerns associated with full signal encryption

20

IEEE Standard 1402IEEE Standard 1402--20002000IEEE Standard 1402IEEE Standard 1402--20002000IEEE Standard 1402IEEE Standard 1402 20002000IEEE Standard 1402IEEE Standard 1402 20002000

IEEE Guide for Electric Power Substation Physical and Electronic SecurityProvides definitions, parameters that influence threat of intrusions and gives a criteria forthreat of intrusions, and gives a criteria for substation securityCyber methods considered:

passwordsdial-back verificationselective accessselective accessvirus scansencryption and encoding

21

Additional Countermeasures to ConsiderAdditional Countermeasures to ConsiderAdditional Countermeasures to ConsiderAdditional Countermeasures to ConsiderAdditional Countermeasures to ConsiderAdditional Countermeasures to ConsiderAdditional Countermeasures to ConsiderAdditional Countermeasures to Consider

Implement access control with strong passwordsImplement a tomatic reporting/intr sion detection feat resImplement automatic reporting/intrusion detection featuresCreate a multi-tiered access hierarchyImplement application level authentication and packet level data encryptiondata encryptionConsider implementing public key infrastructure (PKI)

When properly implemented, PKI certificates enable authentication, encryption, and non-repudiation of data t i itransmissions

Implement properly configured firewalls and intrusion detection systemsHave a defined Enterprise-level computer network securityHave a defined Enterprise level computer network security policy

Ref: Concerns About Intrusion into Remotely Accessible Substation Controllers and SCADA Systems, Schweitzer Engineering Laboratories, www.selinc.com

22

Steps for Enhancing SCADA SecuritySteps for Enhancing SCADA SecuritySteps for Enhancing SCADA SecuritySteps for Enhancing SCADA SecuritySteps for Enhancing SCADA SecuritySteps for Enhancing SCADA SecuritySteps for Enhancing SCADA SecuritySteps for Enhancing SCADA Security

Establish a robust network architectureEstablish a robust network architectureEliminate trusted remote access points of entryEvaluate and deploy technology and approachesEvaluate and deploy technology and approaches to enhance confidentiality, availability, and integrityImplement rigorous configuration managementProvide adequate support and trainingNever become complacent!

23

ConclusionsConclusionsConclusionsConclusionsConclusionsConclusionsConclusionsConclusions

VendorsVendorsRelatively fewMostly foreign

ProtocolsSeveral protocols being usedTrend toward open protocols

DNP 3.0 Protocol ExampleEmerging standard in the electric SCADA ind strEmerging standard in the electric SCADA industry

24