Copyright (c) 2008, All Rights Reserved. Iowa State University. G. Manimaran & Chen-Ching Liu, CPS-Energy Workshop-2009

SCADA control network

Figure: SCADA control network diagram. Labels shown in the figure:

Networks and links: Control Center Intranet; Substation Intranet; Other Intranets; Corporate WAN; Frame Relay Network / Radiowave / Dedicated Line; Remote Access Network through Dial-up, VPN, or Wireless

Connections: Remote Access Connection through TCP/IP; Connection through DNP/Modbus Protocol

Actors: Vendor Personnel or Site Engineers; Hackers

Hosts and devices:

Application Servers, IP: 10.0.1.1-5
SCADA Servers, IP: 10.0.1.6-10
Database Servers, IP: 10.0.1.11-15
User Interfaces, IP: 10.0.1.30-40
Dispatcher Training Simulators, IP: 10.0.1.50-55
Firewall, IP: 10.0.1.100
Firewall, IP: 10.0.1.101
Engineering Consoles, IP: 10.0.5.80-85
Firewall, IP: 10.0.5.101
Router, IP: 10.0.5.102
Application Servers, IP: 10.0.5.150-155
Firewall, IP: 10.0.10.0
User Interfaces, IP: 10.0.10.1-3
Router, IP: 10.0.10.3
Data Concentrator, IP: 10.0.10.70
Data Concentrator, IP: 10.0.10.71
Wireless Hub, IP: 10.0.10.90
GPS Receiver, IP: 10.0.0.10.55
IEDs
Modem (shown three times)

Cyber-Security Threats to Power Grid

Internet-Based Attacks

Protocol Attacks

Intrusions

Worms / Trojan Horse / Spyware

Routing Attacks

Denial of Service (DoS)

SCADA Network – Denial of service attack (model)

Figure: Control Model of SCADA System. Labels: Reference; +; -; Controller; Network Delay (two blocks); Forward Delay; Backward Delay; Actuator; Sensor; Substation; Control Center; Output

Figure: Schematic of SCADA System. Labels: Control Center Network; Substation Automation Network; WAN; Application Servers; SCADA Servers; Database Servers; User Interfaces (two); Dispatcher Training Simulators; GPS Receiver; Data Concentrator; IEDs; Firewall (two); Modem (two); Router (six)

Increased latency impacts the real-time operation of the system

Cyber-Physical Risk Modeling & Mitigation Framework

Figure: framework diagram. Labels shown in the figure:

Physical Aspects

Cyber Aspects

Gather information

Security Logs

System Event Logs

File Integrity Logs

Critical Alerts

System Health Messages

Homogeneous Correlation

Heterogeneous Correlation

Correlate security event logs

Correlate system event logs

Correlate file integrity logs

Correlate logs from Substations and Control Center

Correlate the different types of logs from control centers

Output Anomaly Detection

Anomaly Detection

Real-Time Monitoring Responses

Impact Analysis

Cause Effect

What-If Scenarios?

Extract potential evidence

Formulate a hypothesis

Decision Making

Prevention Remedial

Preventive / Remedial Actions

Suspend Suspicious Users

Change the Roles of User Privilege

Correct Voltage Problems

Relieve the Overloaded Lines

Research Challenges

Real-time temporal and spatial correlations from substation level and control center networks

Comprehensive validation using analytical, simulation, and test bed evaluations for directed and intelligent attacks

Integrated modeling of attacks and their impacts in terms of load loss, equipment damage, and economic loss

Relevant information from geographically dispersed substation network about potential suspicious activities, intrusions, in terms of severity

A Comprehensive vulnerability assessment framework includes