How PNNL and RTI Built a Secure Industrial Control System with Connext DDS
Written by Rajive Joshi
June 5, 2014
The Pacific Northwest National Laboratory (PNNL) is located in the beautiful wine country region of Washington state. Their cyber-security research team and I just pulled off a flawless demo for a new secure solution for interconnecting commercial devices and applications used in the electrical power grid. The amount of effort it took was quite intense.
Our secure solution stopped eavesdropping and man-in-the-middle attacks, and it raised alerts for various insider attacks including identity spoofing by malicious actors. In contrast, the legacy interconnections used in practice today were susceptible to eavesdropping, man-in-the-middle attacks, and insider threats!
Legacy SCADA Systems
Supervisory Control and Data Acquisition (SCADA) systems are used to monitor and control industrial equipment. Many industries deploy SCADA systems, including oil and gas, air traffic and railways, power generation and transmission, water management and manufacturing. The electric utilities are major users. Scheduling, optimizing and controlling electric power generation and transmission require powerful real-time SCADA systems.
As shown in the figure above, there are five components in a typical SCADA system:
- The field-based remote measurement and control equipment (called remote terminal units, or RTUs) used to manage the flow of power at an electrical substation. The substations are typically at remote locations, and usually not attended by people.
- Programmable logic controllers (PLCs), relays or intelligent electronic devices (IEDs) used to automate tasks within a remote unattended substation.
- A control center with a set of central computers to manage the remote equipment located at various remote substations, and to process, analyze and archive the real-time data.
- A communication system to interconnect the substations to a control center.
- The operator interface (human-machine interface, or HMI) at a control center to allow human operators to supervise and manage the flow of electric power.
Much of the critical national infrastructure using SCADA today is showing its age. These SCADA systems were designed for reliability and personnel safety; implicit trust of all components and communication was the norm. Restricting physical access is currently the only practical security method for much of the critical infrastructure such as the electrical power grid. For the most part, SCADA systems do not consider the threat from malicious intruders. This situation is changing with increased connectivity to the Internet and personal computers. The most prevalent threat is connecting to external networks through modern technologies like Ethernet and the Internet Protocol (IP). Although using these technologies makes systems functional and efficient, it unfortunately also opens our critical national infrastructure to cyber attacks.
Ultimately, these systems should adhere to the "Three Tenets of Cyber Security":
- Focus on the critical data communication
- Control access to the data
- Detect and defend against attacks
Applying these tenets to SCADA systems requires a framework that can securely communicate sensor information effectively in a real-time environment, connect this information to analysis technologies and work in the unique SCADA environments.
Solving SCADA Challenges with DDS
We created a rapid application development kit for DDS so the attack detectors could be quickly created and modified using the light-weight and extensible Lua scripting language. Detectors could be added and modified without disrupting a running system or interfering with the critical data path.
We developed a data-centric "any-to-any" interoperability paradigm for interconnecting existing SCADA applications and devices that could be speaking a variety of other protocols. Our architecture allowed various SCADA protocols to be plugged into a secure DDS DataBus.
The solution architecture enabled rapid development and reconfiguration of attack detectors which could monitor and interpret the communications between devices and applications speaking various protocols. The architecture scaled horizontally, allowing new devices, applications and attack detectors to be added incrementally, without disrupting existing components.
For the demonstration at PNNL, we selected devices and applications that speak the DNP3 protocol, the most widely deployed protocol on the US electric power grid.
On the transmission substation, we deployed real-world devices (SEL 351A, SEL 451, GE L90) and on the control center we deployed HMI apps (Wonderware, Triangle Microworks SCADA Data Gateway), commonly found in the US electric power grid.
Implementing Security with Secure DDS
In the retrofit demonstration, we replaced the DNP3 link between the control center and the substation with a modern WAN network running an early access version of RTI Connext DDS with security extensions. Everything was compliant with the recently adopted DDS security specification.
Effective DNP3 was established between the devices in the transmission substation and the applications in the control center by tunneling the DNP3 messages over the RTI Connext DDS DataBus. DDS security extensions allowed only authenticated components on the bus, and furthermore allowed only components with "write" permissions to modify data, and only components with "read" permissions to access data. The ScadaConverter unobtrusively exploded the DNP3 payloads into a data model suitable for analysis by the AnomalyDetector(s) written in Lua, leveraging the rich structured data modeling capabilities of DDS for data in motion. The detectors continuously published metrics and raised alerts when anomalies were detected. You can see the logical data flow above.
Testing showed that our solution was able to securely tunnel DNP3 traffic between unmodified legacy SCADA devices and applications. We found that the secure DDS infrastructure did not negatively impact the operation of the testbed transmission substation environment. Control system communication between client and slave devices was not interrupted.
At the same time, our solution was able to thwart eavesdropping and man-in-the-middle attacks. The data-centric attack detectors were able to tap into the flows and raise alerts for various insider attacks including identity spoofing by a malicious component, unauthorized firmware upgrades, unsupported requests, high risk commands and denial of service. In contrast, the legacy SCADA communications were susceptible to both man-in-the-middle attacks and insider threats.
Our open standards-based extensible solution architecture built on Connext DDS with security extensions enables operators to monitor, analyze, visualize and respond to evolving attacks. It can leverage open-source and commercial off-the-shelf technologies as well as new anomaly-detection technologies. It can collect security status and process it to detect attacks that target industrial control systems. The solution lays the foundation for real-time detection capabilities, greatly increasing network reliability and defensibility of industrial control systems from cyber attacks. Overall, it's a timely, much-needed solution, given the current state of industrial control systems.
Want to learn more?