TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG
UNIVERSITY OF ILLINOIS | DARTMOUTH COLLEGE | UC DAVIS | WASHINGTON STATE UNIVERSITY
FUNDING SUPPORT PROVIDED BY DOE-OE AND DHS S&T

GOALS
• Design a “physics-aware” Network Intrusion Detection System (NIDS) for process control.
• Integrate NIDS cyber-physical state analytics within the process data historian in the EMS.

FUNDAMENTAL QUESTIONS/CHALLENGES
• Control environments include physical systems, switches, and control programs.
• CONTROL: receive data from field devices → process → decide → issue switching commands.
• The combination of the safe operation of the protective schemes and the physical assets can be described by a Hybrid Automaton model.
• Basic question: Can we use such models as the baseline for “safe” behavior, and treat any set of messages and commands that is inconsistent with that baseline as the indication of an attack/anomaly?

RESEARCH PLAN
• Validation of Hybrid Control NIDS (HC-NIDS).
  – We developed an experimental framework to test HC-NIDS that combines simulated physical and control environments interacting with actual logic controllers (Siemens PLC using Modbus TCP).
• Integration with Data Management Services (OSIsoft case study).
  – We are collaborating with OSIsoft, one of the industry leaders in ICS data management systems, to implement the inclusion of sensor tags for appropriately located network taps.
  – HC-NIDS rules are then implemented as analytics/queries of the OSIsoft database.

BROADER IMPACT
• Operators are made aware of the Cyber-Physical State.

FUTURE EFFORTS
• Blind HC-NIDS: learn the rules by analyzing traffic.
• Integrate OSIsoft with Wireshark so that it can leverage the extensive literature.
Cyber-Physical Data Analytics Based on “Hybrid Control” Network Intrusion Detection
Georgia Koutsandria, Masood Parvania, Reinhard Gentz, Mehdi Jamei, Vishak Muthukumar
Researchers: Masood Parvania, Sean Peisert, Chuck McParland, and Anna Scaglione
Functional Security Enhancements for Existing SCADA Systems

INTERACTION WITH OTHER PROJECTS
• TCIPG Specification-based IDS for the DNP3 Protocol.
• CEDS project with Lawrence Berkeley National Lab (LBNL).

RESEARCH RESULTS
• Design methodology for Hybrid Control NIDS (HC-NIDS).
  – Each hybrid state corresponds to specific values for the switches and specific ranges for the current, voltage, temperature, etc.
  – Transitions between hybrid states are triggered by physical changes and commands.
  – Network packets flowing between field devices and central controllers should only produce “allowed” transitions and “allowed” hybrid states.
  – HC-NIDS continuously monitors and analyzes the network traffic exchanged by the field devices that are used to activate the protection schemes.
  – HC-NIDS rule generation: the commands and information exchanged must be consistent with the protection hybrid automaton model.
• Validation testbed:
  1. Simulink model: simulation of the physical application.
  2. C MEX S-function: allows communication through the Modbus TCP protocol.
  3. Emulation of the protection function in Ladder logic.
• Validation Testbed Example: Overcurrent Protection
  [Figure: Simulink model and hybrid automaton of the overcurrent protection scheme. The automaton has hybrid states q0 through q7, defined by the circuit breaker states CB1 and CB2 (0/1), the measured current I relative to the pickup value Ip (I = 0, 0 < I < Ip, I ≥ Ip), the flags M and S, and a counter N that triggers a reset at N = 4.]
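The rule-generation idea described above (commands and measurements on the wire must be consistent with the protection hybrid automaton), as an added example that is not the poster's or the project's own code: a constructed, deliberately simplified overcurrent-protection automaton with a single breaker, plus a checker that flags every packet in a trace that would produce a state or transition the automaton does not allow. The state names, the message dicts, the threshold `IP` and the trace `TRACE` are all assumptions made for this example.

```python
# Added example (not the poster's code): a minimal HC-NIDS-style checker over a
# constructed, simplified overcurrent-protection automaton (one breaker CB,
# current I, pickup Ip). States: "closed_ok" (CB closed, I < Ip), "closed_fault"
# (CB closed, I >= Ip), "open" (CB open, I == 0). Messages are dicts standing in
# for decoded Modbus TCP packets: register read = current sample, coil write = breaker command.

IP = 100.0  # pickup current Ip (constructed threshold)

def next_state(state, msg):
    """Return the allowed next hybrid state after msg, or None when the
    (state, message) pair is inconsistent with the protection automaton."""
    kind, value = msg["kind"], msg["value"]
    if kind == "measure_I":                      # register read: current sample
        if state in ("closed_ok", "closed_fault"):
            return "closed_fault" if value >= IP else "closed_ok"
        if state == "open":                      # open breaker must read I == 0
            return "open" if value == 0 else None
    elif kind == "cmd_CB":                       # coil write: 0 = trip, 1 = close
        if value == 0:                           # trip only allowed on a fault
            return "open" if state == "closed_fault" else None
        if value == 1:                           # close only from the open state
            return "closed_ok" if state == "open" else None
    return None                                  # unknown message kind/value

def check_trace(msgs, state="closed_ok"):
    """Walk a packet trace; return (index, message, state) for each packet the
    automaton does not allow, keeping the last consistent state after an anomaly."""
    anomalies = []
    for i, msg in enumerate(msgs):
        nxt = next_state(state, msg)
        if nxt is None:
            anomalies.append((i, msg, state))
        else:
            state = nxt
    return anomalies

TRACE = [  # constructed: normal fault -> trip -> reclose cycle plus two injected packets
    {"kind": "measure_I", "value": 40.0},
    {"kind": "measure_I", "value": 150.0},   # overcurrent (I >= Ip)
    {"kind": "cmd_CB", "value": 0},          # trip: allowed in closed_fault
    {"kind": "measure_I", "value": 50.0},    # injected: current while breaker open
    {"kind": "measure_I", "value": 0.0},
    {"kind": "cmd_CB", "value": 1},          # reclose: allowed from open
    {"kind": "measure_I", "value": 35.0},
    {"kind": "cmd_CB", "value": 0},          # injected: trip command with I < Ip
]
```

Running `check_trace(TRACE)` reports exactly the two injected packets (indices 3 and 7): the first because a non-zero current is inconsistent with an open breaker, the second because a trip command is not allowed while the current is below the pickup value.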
RESEARCH RESULTS (CON’T)
[Figure: Captured Modbus TCP traffic, with panels labeled “Normal network traffic” and the anomalous packets labeled “Injected network traffic”.]
• The different data items of the different controllers have different colors.
• Source ID/Destination ID, function code, register, and value range (set) are different.
• The normal sequence is green – light green – blue – turquoise.
• Red packets are not part of it, so they are anomalies.
Arrows indicate phenomena that can be identified as attacks, since the switches’ state (CB) and the current are not in the right combination.

Cyber-Physical Analytics
[Diagram: network tap → HC-NIDS → Cyber-Physical Process Control Data Analytics, which combines the HC-NIDS values with the physical values from the Historian.]