Process-aware SCADA traffic monitoring - a local approach
Justyna Chromik is a PhD student in the research group Design and Analysis of Communication Systems. Her supervisors are prof.dr.ir. B.R. Haverkort from the Faculty of Electrical Engineering, Mathematics and Computer Science and prof.dr. A.K.I. Remke from the University of Muenster.
Supervisory Control and Data Acquisition (SCADA) systems are used to monitor and control large physical infrastructures, such as electricity transmission and distribution systems. For years they operated as isolated systems, using proprietary protocols and keeping the exchanged information within the system, which was built around a centralized architecture.
Nowadays, however, SCADA systems are closely connected to the Internet in order to provide remote control capabilities. This makes them vulnerable to adversaries who aim to disrupt the controlled process. Cyber security of SCADA systems has only recently started to make its way up companies' agendas, after the disastrous physical consequences of the Stuxnet malware were discovered in 2010. It was the first registered case where cyber commands resulted in physical damage to a system. This incident has made operators more aware of the possibilities that malicious parties have once they have entered a SCADA system.
Monitoring SCADA systems is a popular way to keep track of the activities happening inside them. Unfortunately, approaches that are successful in regular IT systems are not always applicable in a critical infrastructure environment, where SCADA systems are often used. Many existing approaches rely on the assumption that traffic within SCADA systems is quite stable and predictable, and identify the hosts that are allowed to communicate within the system by creating so-called whitelists. Other techniques, such as deep packet inspection, require the capability to read and interpret protocol-specific information from captured packets in real time. Based on the extracted information, adequate measures are taken; for example, an alert can be raised when a specific host sends a message that has not been authorised. However, real-life incidents show that disruptive commands can originate at authorised, legitimate hosts, leading to undesired consequences such as a blackout. Unfortunately, most of the proposed approaches do not investigate the effect of the analysed packets on the underlying physical system.
In contrast, this thesis focuses on enhancing traffic monitoring by proposing a local, process-aware monitoring tool for power distribution systems that detects when the physical process is in an unsafe state. Introducing such a monitoring tool at each local substation is feasible by maintaining a model of the substation and of the sensors and actuators that are directly accessible from that substation.
As a result, this thesis proposes a new and generic modelling formalism that can describe (a part of) a power distribution system, combined with a new local monitoring algorithm that can validate a set of physical constraints and safety requirements that are required to hold in the power distribution system. The proposed formalism and algorithm have been tested in a co-simulation testbed, and have also been implemented as a Self-Aware Monitor (SAM) tool. The SAM tool automatically generates the appropriate set of rules, based on the description of the topology of the local substation, and on the configuration of the controlling Remote Terminal Unit. Finally, a case study conducted at a substation of a Dutch distribution system operator has brought important insights about the feasibility of process-aware monitoring.
For several scenarios simulated in the testbed, the proposed algorithm was able to correctly identify unsafe states of the physical system from sensor readings, as well as to predict unsafe future states in the case of commands. The detected bad readings and malicious commands would not have been detected by a centralized system. Furthermore, the automatic generation of rules from system topology and device configuration used in the SAM tool emphasized the necessity of keeping information about the system up to date: the tool reported problems that arose from outdated information. We conclude that the future of process-aware methods depends highly on the quality, freshness and availability of the process information. Current-day systems might not be ready for process-aware methods, as they are unable to provide the necessary information.
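To make the idea of local, process-aware validation concrete, here is an added illustration (not the SAM tool's code or the thesis's formalism): a constructed substation model with invented ratings, from which a small rule set is generated; the rules are then checked against sensor readings and against the predicted state after a breaker command.

```python
from copy import deepcopy

# Constructed local-substation model: one transformer feeding a bus with three feeders.
# All ratings, nominal loads and feeder names are invented for this illustration.
SUBSTATION = {
    "transformer_rating_a": 400,
    "feeders": {
        "F1": {"rating_a": 200, "nominal_load_a": 150},
        "F2": {"rating_a": 200, "nominal_load_a": 180},
        "F3": {"rating_a": 150, "nominal_load_a": 120},
    },
}


def generate_rules(model):
    """Derive the constraint set from the topology/configuration. Each rule maps a
    state {"breaker": {...}, "current": {...}} to a list of violation strings."""
    rules = []
    for name, cfg in model["feeders"].items():
        # Physical limit: a feeder must not carry more than its rated current.
        rules.append(lambda s, n=name, r=cfg["rating_a"]:
                     [f"{n} current {s['current'][n]}A exceeds rating {r}A"]
                     if s["current"][n] > r else [])
        # Consistency: an open breaker cannot carry current (bad or spoofed reading).
        rules.append(lambda s, n=name:
                     [f"{n} breaker open but current {s['current'][n]}A reported"]
                     if s["breaker"][n] == "open" and s["current"][n] > 0 else [])
    # Aggregate limit: total load must stay within the transformer rating.
    rules.append(lambda s, r=model["transformer_rating_a"]:
                 [f"transformer load {sum(s['current'].values())}A exceeds rating {r}A"]
                 if sum(s["current"].values()) > r else [])
    return rules


def check_state(rules, state):
    """Validate a set of sensor readings (breaker positions and feeder currents)."""
    return [v for rule in rules for v in rule(state)]


def predict_command(rules, model, state, feeder, action):
    """Apply a breaker command ('open'/'close') to a copy of the last known state and
    re-validate. Assumption: a re-closed feeder resumes its configured nominal load."""
    future = deepcopy(state)
    future["breaker"][feeder] = action
    future["current"][feeder] = model["feeders"][feeder]["nominal_load_a"] if action == "close" else 0
    return check_state(rules, future)
```

Closing F3 in the sample state is rejected because the predicted total load of 450 A would exceed the 400 A transformer rating, even though the command itself is perfectly well-formed and comes from a legitimate host.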