Printer Friendly

A testbed for anomaly-based fault detection in pervasive computing system.


Supervisory control and data acquisition (SCADA) systems are widely used to control critical energy infrastructures (gas, oil, and electrical power). These systems were originally designed to work through isolated networks without connectivity to corporate or external networks. However, this assumption is not valid any more with the trend to build what is referred to as "Smart Grid" that uses advanced computing and communications technologies to bring knowledge to power grid so it can operate more efficiently.

Consequently, SCADA networks become a prime target for cyber attacks due to the profound and catastrophic impacts they can inject to our economy and all aspects of our life.

Traditional detection methods have focused on detecting network attacks, but have provided no real effective solutions to protect against attacks on the application layer. Attack detection techniques can be classified into two categories:

Signature-based and anomaly-based detection. Signature based detection is the more common of the two. To be effective, signature-based systems rely on large databases containing the digital signatures of known attacks, which require continuous updates as new exploits are identified. If an attack does not match closely enough a known signature, the signature-based system will miss it entirely. Anomaly-based systems are "trained" using data representing normal system behavior profiles. Activity that is "outside the norm" can then be detected. While anomaly-based systems are good at detecting new or unknown exploits, they require collecting large body of data to build their models of normal behavior.

With the explosive increase in the number, complexity and the speed of malicious attacks it is no longer feasible to identify all types of attacks and build defenses against them. As highlighted before, current security techniques are not able to provide the required security and protection for our critical energy infrastructures that are controlled and managed by SCADA systems.

To assist in the development of innovative security and protection techniques for SCADA based control systems, we present a SCADA testbed that is under development at the NSF Center for Autonomic Computing at the University of Arizona. The testbed uses the Opnet tool to simulate computer networks that might be connected to control networks such as the Allen-Bradley Data Highway and Modbus.), PowerWorldi simulation system is used to simulate the operations of segments of the electrical power grid.

II. Overview Scada Systems And Protocols:

SCADA systems consist of Human Machine Interfaces (HMI), historical database management systems (HDBMS) and sophisticated monitoring and control applications. The SCADA system manages a collection of distributed industrial control components including Remote Terminal Units (RTUs) for field sensor and actuator connectivity, Programmable Logic Controllers (PLCs) that perform simple logic processes, and a wide variety of Intelligent Electronic Devices (IEDs) for process data collection and control. When SCADA is interconnected with corporate networks and Internet, they become vulnerable to cyber attacks. TASSCS is used to develop techniques to eliminate the exploitation of these vulnerabilities by cyber attacks.

There are many types of SCADA system architectures and communications protocols in use today such as DNP3 [3] and Modbus [4] protocols. One of interest is the DNP3 (Distributed Network Protocol)ii. DNP3 is an open source protocol that is widely used in power sector utilities. However, it is vulnerable to attack as will be discussed in Section III. Modbus is a request-response protocol which has designed to control industrial devices over the network and it is widely used in industry.

III. Anomaly Based Detection Of Scada Attacks:

A widely used control system communications protocol in power and water utilities is DNP3. It is used to communicate between SCADA Master Stations, Remote Terminal Stations, RTUs, and network enabled IEDs (Intelligent Electronic Devices). DNP3 has proven to be very reliable. However, this refers to its reliability with respect to performance. In fact, the DNP3 protocol has many vulnerabilities that can be exploited by attackers to bring the control system down resulting in process control failure. Many researchers have suggested rebuilding the protocol from scratch taking security into consideration. However, a large installed base of SCADA systems deployed with DNP3 makes this approach infeasible. Most of the security mechanisms proposed relate to encrypting the DNP3 communications. However, this is not enough to secure and protect DNP3 communications. Many types of cyber attacks can be used to target the DNP3 protocol directly. The following is a partial list of some of these attacks:

* Unauthorized access to a PLC device.

* Block field sensors from reporting data or events.

* Spoof a Master Control or HMI station.

* Device Scanning and Function Scanning.

* Man-in-the-Middle Attack (message relay), request tampering (modification of frames), and malicious function injection.

* Denial of Service (DoS) attack

These attacks can be successfully launched against SCADA infrastructure that uses DNP3 protocol. For example, DoS attacks target SCADA systems by exploiting communication vulnerabilities at multiple levels in the SCADA system network (DNP3 level, TCP level, IP level, and MAC level). Attacks targeting IP level and MAC level are simple flooding attacks. However, those that target DNP3 and TCP protocols are more complicated. An example of a DoS attack on DNP3 is the "WarmRestart Attack". The WarmRestart is a command that is sent from the Master Controller to the PLC, forcing it to execute an immediate restart. Sending multiple WarmRestart commands to the PLC will basically stop the PLC operations and results in a DoS of the PLC. One attack , the TCP SYN attack, exploits a vulnerability in the TCP protocol. The TCP SYN attack is based on opening many connections (unused) on the target device and, by leaving those connections open, causes the system to allocate resources for each connection. By sending multiple SYN packets, the target will run out of resources and then crash; resulting in DoS. We have developed a robust anomaly behavior analysis module that detects TCP attacks with ~100% detection rate and extremely low false positive alerts [5-6]. This approach will be adopted to develop efficient detection of SCADA attacks and will be evaluated using the TASSCS resources.

We also describe in detail our approach to analyze the anomalous behavior of the Transmission Control Protocol (TCP) that is triggered by TCP attacks. Our approach exploits the inherent properties of the TCP protocol by analysis of the packet header. In previous work, the operation of the TCP protocol has modeled it as a finite state machine. In our protocol behavior analysis approach we focus on analyzing protocol transition sequences of length n during a window interval. When an attack exploits the TCP header, it generates illegal state transitions that can be detected by our protocol transition analysis. For example, in order to establish a TCP connection, the protocol needs to complete the following state transitions.

Listen -> SYN_Sent -> SYN_Received -> Established

his involves the following sequence of actions SYN - SYN-ACK - ACK. In TCP SYN flooding attack, there are several SYN - SYN_ACK transitions, which result in a large number of half-opened connections. However, the SYN - SYN-ACK - ACK state transition is not completed. We study these transitions using n-gram analysis and a sliding timewindow to detect any attacks that are based on using TCP protocol as soon as they occur [5]. In our system, we generate n-grams by time period using sliding windows of length n over a stream of packets, and collecting the sequences of TCP flags for each networkconnection. Analysis of the state transitions that occur during a given time period allows us to accurately detect any type of

TCP protocol attacks.

The sequences of TCP flags for every connection within a specified time period are then framed into higher order ngrams. This allows us to examine the TCP state transitions for each connection at different granularities. By using different window sizes, as well as varying the n-gram length, it is possible to detect very fast or slow-occurring transition violations. For further information about our approach, please refer to published papers [6-7]. Similar technique can be used to detect attacks targeting DNP3 protocol. Instead of monitoring the TCP flag, the DNP3 function of requests is monitored. Let RST denote the warm restart function in the DNP3 request and RD denotes the read function in the DNP3 request. Just like in TCP, the analysis is performed over a predefined time window tw. Monitoring the communications between two devices within the time windows tw, the request patterns (5-gram pattern) such RDRD RD-RD-RD or RD-RD-RST-RD-RD can be considered as normal patterns. On the other hand, patterns such as RSTRST- RST-RST-RST are considered abnormal. During the DNP 3RestartWarm attack, our behavior analysis engine will observe many RD-RD-RST-RD-RD patterns within a given window and thus will be able to detect such an attack similar to our successful approach to analyze TCP protocol transitions.

IV. Scada Security Analysis And Evaluation: Testbed:

The main objective of the TASSCS is to test and evaluate the effectiveness of our Autonomic Software Protection System (ASPS) techniques against a wide range of attacks on SCADA resources and services (e.g., Human Machine

Interface (HMI). The main components of any SCADA system are shwon in Figure 1.

The main components of the TASSCS testbed

* Control HQ: This component represents the main command and control for all the resources and services offered by the simulation's models (power distribution & control grids. We are currently collaborating with the Raytheon Company and Tucson Electric Power (local electric utility) to use the ASPS to 1) present the data to the system operators or users, 2) control and manage all the grid resources, and 3) provide data storage capabilities to store historical data and remote sensor data.

WAN: This is a large scale wide area network with thousands of simulated sensor devices including

Programmable Logic Units (PLUs), Intelligent Device Units (IDUs) and Remote Terminal Units (RTUs) that are usually used to provide sensor data to the SCADA system and also execute control functions at their location sites.

Large Scale Electrical Grid:

This component represents the electrical grid that is controlled and managed by SCADA system. This component will be used to demonstrate the effectiveness of our ASPS solutions to stop attacks on SCADA systems and minimize their impact on the operation of the electrical grid. This will give us realistic data about the performance and the effectiveness of ASPS protection actions against attacks on the electrical grid resources.

ASPS Anomaly Behavior Analysis Approach:

The Autonomic Network Defense (AND) system [8], Autonomia: Autonomic Control andn Management Environment [7], and AppFlow [8] will be the main modules to be integrated to implement the ASPS. ASPS can be used to secure and protect the control functions and operations of a typical SCADA software system.

The Modbus protocol will be used for the ommunication and interfacing between the different testbed control system elements. Figure 2 shows the main components that are used to implement the TASSCS that represents a typical SCADA system with demilitarized zone to separate the corporate network and Internet from the process control network. In what follow, we describe our approach to implement the TASSCS components.

A. SCADA System Netwroks (Utilities and information)

As shown in Figure 2, the TASSCS consists of three zones:

1) Process Control Zone:

The process control zone provides the main control and management services and functions for the SCADA system. Typically, it consists of the following units: The SCADA Human Machine Interface (HMI) (MODBUS client). This module is in the command and control center.

2) Electrical Grid:

The PowerWorld simulation tool [9] is a commercially available application for simulating the operations of large scale power distribution systems. It is a flexible and useful tool to simulate and solve for system states and contingency analysis. The features that PowerWorld offers are the following:

* ** Simulate power distribution networks:

* ** Buses (up to 100,000 bus)

* ** Transformers

* ** Transmission lines

* ** Generators

* ** Loads

* Power flow analysis and voltage Control

* Visualization of power flow problem

* Contingency analysis and solving contingency problems automatically or by predetermined action.

* Solving power flows after any modification (adding a load, turn off a switch...) Cost analysis

1. Study the economic benefit of adding a new power source for example by defining the starting values for the cost per unit.

2. Calculate the new costs after any load changes (increasing or decreasing)

The PowerWorld tools will be used to simulate the impacts of cyber attacks on the operations of the electrical grid and also will be used to show how the ASPS appliance to secure and protect the electrical grid operations against these attacks. Figure 3 shows the PowerWorld model of the Biosphere 2 electric grid at the University of Arizona.

3) PLC Simulation (MODBUS Server):

We are using Modbus RSim for simulating the Modbus server [10]. The Modbus simulator is interfaced with the power world server using SimAuto application from the PowerWorld Company. The status of lines, bus, transformers, and generators are stored as Modbus register values. Modifying these register values, makes the corresponding changes to the grid unit. The Modbus simulator is connected to the network simulator (OPNET) and listens on port 502 for incoming requests. When a packet is received, it is validated for the correct format according to the Modbus protocol. Then the read function gets the register value, packages the result in a Modbus TCP format and sends it back to the control HQ through OPNET. The write functions trigger a corresponding change in Power World parameters and all affected Modbus registers are changed.

4) Process Control Network:

The TASSCS OPNET Modeler simulates the large scale wide area network. We use the system-in-the-loop (SITL) module of OPNET to connect to the control HQ and also the Modbus server. These two modules communicate over the simulator network in real-time using Modbus over TCP/IP protocol. The simulator also provides statistics and information about the traffic. The TCP network connecting the control center to the PLC/RTU server can be used to gain access to the SCADA system and launch attacks. Some of the common types of attacks on TCP networks are:

Spoofing (Replay attack):

In this form of attack, captured data from the control/HMI is modified to instantiate activity by the device controller. Captured data reflecting normal operations in the Control Center is played back to the operator. This causes the operator's HMI to appear normal and consequently the attack will not be observed or recognized. During this attack, the adversary continues to send commands to the controller and/or field devices causing undesirable events while the operator remains unaware of the true state of the system

Communications hijacking (or man-in-the-middle):

This involves intercepting communications between components (slave or master) and sending false messages to the MODBUS slave or master by changing the MODBUS packet addresses. This can be used to perform illegal read/write of data to the MODBUS server, disable MODBUS server or client, or restart the MODBUS server etc. Since illegal writes control the power grid component states, a complete shutdown of a section of the grid is possible

5) Demilitarized Zone (DMZ):

The historian server is connected to the Process Control Zone (PCZ) through a firewall. The server communicates with the MODBUS server to obtain information about the PCZ and stores it in a database. It responds to requests from the corporate zone.

6) Corporate Zone:

The business network forms the corporate zone. The clients on this network communicate with the DMZ through a firewall. This network has no direct access to the PCZ. All external access from the internet goes through two firewalls in order to provide defense in depth and thus improves the system security.

B. Attack Scenarios:

Since the SCADA system described uses MODBUS protocol over TCP/IP, it is susceptible to not only generic network attacks and TCP attacks but also attacks targeting the MODBUS protocol.

1. MODBUS Attacks:

Some of the common MODBUS protocol based attacks are:

* Denial of Service by issuing commands

* to restart the server

* to set the server in listen only mode

* to disable the server

* with illegal packet size

* Illegal commands sent from a compromised HMI

* Send command to shutdown the utility network

* Send command to clear register values

* Man in the middle attack

* Gain unauthorized access to data

* Spoofing the communication between HMI and the

MODBUS Server to send attacks to either device

Send server busy exceptions to the HMI

2. TCP Attacks

TCP SYN flooding attack

TCP ACK flooding attack

C. MODBUS Behavior Analysis:

The ASPS anomaly behavior analysis agent will have two modules--MODBUS Analyzer and TCP Analyzer. The ASPS MODBUS Analyzer will monitor all MODBUS requests from the HMI into the process control zone as well as the responses to the HMI from the MODBUS server. Based on predefined policies, the action module either allows the MODBUS request/response packet to go through or drops it. Hence the ASPS module is placed in-band and the action module acts as a firewall. MODBUS allows communication between many devices connected to the same network. For example, temperature and humidity sensors (IEDs) may use MODBUS to communicate to each other and the SCADA.

In recent years, the prevalence of TCP/IP networks (e.g. the Internet, etc.) and the availability of inexpensive industrial equipment which support the TCP/IP protocol have enticed many critical infrastructure operators to use TCP/IP communications for control networks. The legacy Modbus Serial protocol has been implemented over TCP/IP as shown in Figure 4.

The Modbus over TCP/IP uses TCP port 502 to connect the client and server. When a client communicates with a server, it will first check to see if there is any open connection with the server. If a connection is open it will send a request and will wait to receive a response. If a connection is not open, it will establish a TCP connection before sending the request. This simple client-server protocol uses the request-response mechanism to read or write to remote device's data registers. The format of these requests/responses over TCP/IP are shown in Figure 5.

Each Modbus ADU (Application Date Unit) is composed of a Modbus header (MBAP Header) and a Payload Data Unit (PDU). The fields of the header are shown in Table 1. The Payload consists of a function code and the data.

The ASPS Modbus Analyzer is a model-based system. Based on the Modbus application protocol specification and TCP implementation guide, a model characterizing the normal behavior of Modbus requests and responses is built. This is a generic model characterizing the expected behavior of any Modbus communication. A more accurate model may be built if specialized communication data for the system under consideration is available. This can be accomplished by training the system to incorporate only a subset of the allowed requests and responses. Two kinds of models are considered here: rule-based model and temporal based model.

D. SCADA Human Machine Interface (HMI)(Modbus Client):

This module is the command and control center. The HMI is a graphical user interface to control and manage the grid resources. The commands include read bus line status, read transformer status, read/change magnitude and phase angle of the bus have been implemented. The HMI also displays the response received from the Modbus server. Historical data is stored in a database.

This module reads the command from the user interface and encapsulates the Modbus Protocol Data Unit (PDU) in a Modbus TCP/IP Application Data Unit (ADU) that will be sent to the Modbus server. It then waits for a response from the Modbus server. The Modbus ADU received in response can be processed to extract the PDU which is then displayed to the user. Figure 6 shows the HMI we created for the testbed developed in the Autonomic Computing Lab (ACL) in the University of Arizona.

V. Tasscs Attack Scenarios:

This section presents two possible attack scenarios; (i) a compromised HMI; and (ii) a denial of service (DoS) attack.

A. Compromised HMI Attack Description:

In the compromised HMI scenario we assume that the attacker has compromised the HMI and consequently, he/she has full control of the SCADA system. This enables the attackers to force a complete network blackout by turning off the main switch. . In the current implementation of the ASPS in TASSCA, all the interactions with the SCADA system will be analyzed by ASPS and according to its normal behavior model, this command will be immediately blocked by ASPS because of the severe consequence of its execution.

B. DoS Attack Description In the denial of service (DoS) attack, the attacker overloads the system and floods the network (NMap was used to launch the flooding attack). The OPNET simulation shows the increase in received packets after launching the flooding attack as shown in Figure 7. The operator (HMI) detects the system overload and tries to launch a contingency plan but the flooding attack will prevent the execution of the contingency plan. That means, the "reduce-load" command is lost, and the system overload is not corrected, which causes equipment failure and potential physical damage. The ASPS will monitor the current state of a set of applications and system software. The sudden rise in the number of packets will be significantly different from the normal behavior registered in the ASPS data base and consequently, the ASPS will shut down the port used to launch the flooding attacks and that will enable the "reduce-load" command to reach the appropriate switches and thus fix the problem. We are currently developing more attack scenarios that can be detected by ASPS and will use the TASSCS to evaluate the detection rates, false alarms and effectiveness of the recovery techniques on the normal operations of SCADA systems and their services.


In this paper, we presented a testbed to support the experimentation and evaluation of cyber attack detection and recovery techniques for SCADA based control systems.. We have used simulation and emulation and hardware in the loop to implement the TASSCS components. We have also presented preliminary results that show how the ASPS can be used to detect and minimize the impacts of DoS and compromised HMI attacks. We are currently expanding the attack libraries to include more attacks, and add to more industrial control system communications protocols (e.g., DNP).


[1.] Shane Harris, 2008. "China's Cyber-Militia--Chinese hackers pose a clear and present danger to U.S. government networks and may be responsible for two major U.S. power blackouts,"


[3.] IEEE Standard for Electric Power Systems Communications--Distributed Network Protocol (DNP3)

[4.] Steven Cheung et al. 2006. "Using Model-based Intrusion Detection for SCADA Networks", Computer Science Laboratory, SRI International.

[5.] Youssif Al-Nashif, Aarthi Arun Kumar, Salim Hariri, Guangzhi Qu, Yi Luo, Ferenc Szidarovsky, 2008. Multi-Level Intrusion Detection System (MLIDS), International Conference on Automonic Computing.

[6.] Hariri, S., G. Qu, H. Chen, Y. Al-Nashif, M. Yousif, 2007. "Autonomic Network Security Management: Design and Evaluation", ACM Transactions on Autonomous and Adaptive Systems--Special Issue on Adaptive Learning in Autonomic Communication.

[7.] Youssif Al-Nashif, Guangzhi Qu, Huoping Chen, Salim Hariri and Aarthi Arun Kumar, Autonomic network defense (and) system: Design and analysis. Submitted to IEEE Transaction of dependable and secure computing.

[8.] Byoung Uk Kim, Youssif Al-Nashif, Samer Fayssal, Salim Hariri, Mazin Yousif: Anomaly-based Fault Detection in Pervasive Computing System



[11.] "MODBUS 2006. Messaging on TCP/IP Implementation Guide V1.0b.

(1) V. Rajinikanth and (2) Dr. S. Dharmalingam

(1) Assistant prof/ECE, Adhi College of Engineering and Technology, kanchipuram--631605

(2) Dean, Rathinam Technical Campus, Coimbatore.

Received 7 June 2016; Accepted 12 October 2016; Available 20 October 2016

Address For Correspondence:

V. Rajinikanth, Assistant prof/ECE, Adhi College of Engineering and Technology, kanchipuram--631605

Caption: Fig. 2: SCADA Testbed

Caption: Fig. 3: Power World Simulation

Caption: Fig. 4: Modbus Over TCP/IP [11]

Caption: Fig. 5: Modbus Message Format Over TCP/IP

Caption: Fig. 6: HMI simulation software.

Caption: Fig. 7: OPNET simulation results
Table 1: Modbus Header [11]

Fields        Length    Description-

Transaction   2 Bytes   Identification
Identifier                of a MODBUS
Protocol      2 Bytes   0 = MODBUS
Identifier                protocol

Length        2 Bytes   Number of

Unit          1 Byte    Identification
Identifier                of a remote
                          connected on
                          a serial
                          line or on
                          other buses.

Fields        Client        Server

Transaction   Initialized   Recopied by the
Identifier      by the        server from
                client        the received

Protocol      Initialized   Recopied by the
Identifier      by the        server from
                client        the received
Length        Initialized   Initialized by
                by the        the server
                client        (Response)
Unit          Initialized   Recopied by the
Identifier      by the        server from
                client        the received
COPYRIGHT 2016 American-Eurasian Network for Scientific Information
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2016 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Rajinikanth, V.; Dharmalingam, S.
Publication:Advances in Natural and Applied Sciences
Article Type:Report
Date:Sep 15, 2016
Previous Article:Improving power quality using thyristor controlled series capacitor.
Next Article:Detecting high level system problems by analyzing the error logs using spark.

Terms of use | Privacy policy | Copyright © 2019 Farlex, Inc. | Feedback | For webmasters