
Dec 24, 2015

Page 1

tcipg.org 1

An Alert Buffer Overflow Attack in DNP3 Controlled SCADA Systems

Objectives/Problem

• Investigate a simple but effective attack that blocks legitimate DNP3 traffic by overflowing the event buffer inside a data aggregator

• Implement the attack using real SCADA system in TCIPG lab

• Construct a DTMC model to understand the attack’s behavior and the conditions under which it is effective

• Analyze and evaluate the attack using packet-based large-scale network simulation

Challenges

• How can situational awareness in a typical DNP3 network be effectively blocked using only a low-end slave device?

• When is the buffer overflow attack an actual attack? Can it be applied to many real devices?

• What are the countermeasures?

• How do we approach experimental design in the “security for power grid context”? What are the metrics? How best do we explore the design space?

Figure: Typical SCADA architecture using DNP3 with a two-level hierarchy (Relay → Data Aggregator → Control Station)

Page 2

tcipg.org 2


Approach

• Set up a typical two-level hierarchy testbed with real SCADA devices communicating via DNP3 in TCIPG lab

• Conduct experiments on the data aggregators by sending an attacker-controlled excess of unsolicited responses in order to overflow the event buffer in the data aggregator and thereby block the pending alerts from normal field devices.

• Construct an analytical model using DTMC and queueing theory

• Develop a Möbius model and evaluate reward functions such as the rate at which legitimate alerts are lost and the delay of alerts that survive the attack

• Develop a simulation model in a packet-based network simulator, and evaluate its accuracy and performance at large scale

Results

• Observed the buffer overflow attack in an SEL3351 data aggregator. The data aggregator periodically polls two slave devices. The compromised slave sends an excess of false alerts via unsolicited responses and successfully blocks the other device’s alert event. The same test cases are to be conducted on the SEL1102 and SEL3354 once they are in the TCIPG lab.

• Developed a full-stack DNP3 protocol running on top of both TCP and UDP in a discrete-event simulator, PacketSim. The DNP3 protocol is composed of a master service and an outstation service, which are used to construct SCADA devices such as the control station, data aggregator and relay. The DNP3 protocol in PacketSim currently supports polling, unsolicited responses and control commands, such as tripping/closing a relay.

Figure: Queueing model of the attack. Legend: μ = Control Station polling rate; λ1 = flooding rate (Attacker); λ2 = Data Aggregator polling rate (Normal Relay).
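The reward functions named in the Approach (rate of lost legitimate alerts, delay of surviving alerts) can be worked out exactly for the simplest version of the shared event buffer and checked against a seeded Monte Carlo run. The Python below is an example added for this page, not the poster's Möbius or PacketSim model; it assumes one buffer of K events shared by all slaves, Poisson flood (λ1) and legitimate (λ2) alert arrivals, Poisson polling (μ) that drains the whole buffer as a DNP3 class poll does, and the function names steady_state, legit_loss_fraction and simulate are ours.

```python
"""Alert-buffer overflow as a finite-buffer queue: exact Markov-chain solution
versus a seeded Monte Carlo run (illustrative model, not the poster's own).
Assumptions: buffer holds K events shared by all slaves; flood alerts arrive
Poisson(lam1), legitimate alerts Poisson(lam2); the control station polls at
Poisson rate mu and every poll drains the whole buffer; an event that arrives
at a full buffer is lost."""
import random

def steady_state(lam1, lam2, mu, K):
    """Stationary distribution of buffer occupancy 0..K for the CTMC with
    transitions n -> n+1 at rate lam1+lam2 (n < K) and n -> 0 at rate mu."""
    lam = lam1 + lam2
    rho = lam / (lam + mu)               # P(next event is an arrival, not a poll)
    pi = [rho ** n for n in range(K)]    # balance: pi[n] = rho * pi[n-1], n < K
    pi.append((lam / mu) * pi[K - 1])    # state K: mu*pi[K] = lam*pi[K-1]
    total = sum(pi)
    return [p / total for p in pi]

def legit_loss_fraction(lam1, lam2, mu, K):
    """Fraction of legitimate alerts dropped = P(buffer full) = rho**K, so the
    legitimate-alert loss rate is lam2 * rho**K."""
    return steady_state(lam1, lam2, mu, K)[K]

def simulate(lam1, lam2, mu, K, steps=200_000, seed=1):
    """Monte Carlo check of the same model via competing exponential clocks.
    Returns (legitimate loss fraction, mean delay of legitimate survivors)."""
    rng = random.Random(seed)
    rate = lam1 + lam2 + mu
    t, buffered, pending_legit = 0.0, 0, []   # pending_legit: arrival times
    legit_seen = legit_lost = 0
    delays = []
    for _ in range(steps):
        t += rng.expovariate(rate)
        u = rng.random() * rate
        if u < mu:                            # poll: deliver everything buffered
            delays.extend(t - a for a in pending_legit)
            buffered, pending_legit = 0, []
        else:
            legit = u >= mu + lam1            # otherwise it is a flood alert
            legit_seen += int(legit)
            if buffered < K:
                buffered += 1
                if legit:
                    pending_legit.append(t)
            elif legit:
                legit_lost += 1               # legitimate alert hits a full buffer
    return legit_lost / legit_seen, sum(delays) / len(delays)

if __name__ == "__main__":
    # constructed parameters: 50 flood alerts/s against 1 legitimate alert/s, 2 polls/s, K = 10
    print("exact loss fraction:", legit_loss_fraction(50, 1, 2, 10))
    print("no flood:", legit_loss_fraction(0, 1, 2, 10))
    print("simulated (loss, delay):", simulate(50, 1, 2, 10))
```

With these constructed numbers about two thirds of legitimate alerts are dropped while the flood runs and essentially none without it; survivors still wait 1/μ on average, so the damage shows up as loss, not delay.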

Page 3

tcipg.org 3


Plans for Next Year

• Assess other security vulnerabilities in the DNP3 protocol and DNP3 devices

• Evaluate the DNP3 Secure Authentication (DNP3 SA) protocol in terms of security and performance

• Continue developing SCADA protocol and device models, such as IEC 61850, in the large-scale network simulator

Milestones

• Developed the full-stack DNP3 protocol in PacketSim, a discrete event network simulator

Planned Industry Interactions

• No industry interactions are currently planned

Planned Testbed Activities

• Utilize the real device testbed and simulation platform in TCIPG lab to study cyber security issues in SCADA systems, including but not limited to: (1) Mu Dynamics 8000 (fuzz testing); (2) Triangle Microworks test harness; (3) PacketSim