This project has received funding from the European Union’s Seventh Framework Programme for research, technological development and demonstration under grant agreement no. 607109
Security for smart Electricity GRIDs
Intrusion Tolerant SCADA
André Nogueira, Alysson Bessani, Nuno Neves
Faculty of Sciences of the Univ. of Lisboa (FFCUL)
2
Goal: Demonstrate a SCADA system capable of tolerating intrusions
• Show how an attacker can corrupt the execution of a critical infrastructure by compromising the SCADA Master server
• Show a more resilient SCADA solution, where the SCADA Master maintains system correctness in the presence of intrusions
3
Simplified SCADA system
[Diagram: primary substations and a renewable energy substation are connected through a WAN (fiber optics, cellular, radio, …) and an edge switch/router to the Control Center; inside the substation a field area network (FAN) links the Remote Terminal Unit (RTU) to the field devices]
• Field devices / RTU: communicate with, and aggregate data from, local sensors/actuators in the field
• Frontend: translates communication protocols
• SCADA Master Server: periodically polls the RTUs and maintains a real-time database containing their current state, and sends supervisory control commands to the RTUs
• HMI: periodically queries the SCADA Master Server so that the state of the system can be graphically displayed for a human operator
• Archive Server: stores gathered data (values, alarms & events)
4
Demo scenario
The Frontend manages two items, representing the devices connected to a RTU:
• Sensor: thermometer
• Actuator: turbine
[Diagram: RTU – Frontend – SCADA Master server – HMI]
Effects of the intrusion shown in the demo:
• Show wrong data to human operator
• Issue invalid commands
5
The prototype and experimental environment
6
Prototype
• System based on the Eclipse SCADA open source project
• Eclipse SCADA provides a modular “construction kit” to create a custom SCADA
• IBH SYSTEMS GmbH is the leading contributor
• In production for instance at: E.ON solar plants, OMV business processes
7
EclipseSCADA: Components
[Diagram: Frontend (Items, DA Server), SCADA Master (DA Client, Items, Handlers, AE Server, DA Server, Storage) and HMI (DA Client, AE Client, Items); DA = Data Access, AE = Alarms & Events]
• Item: represents a single value provided by a device (it may contain attributes)
• Master items: map the frontend’s items
• Handlers: provide additional functionalities to items (Scale, Block, Monitor, …)
• AE / Storage: records events related with items
• HMI items: map the master’s items
8
Experimental Environment
[Diagram: Eclipse SCADA Frontend, Master and HMI, together with the emulated RTU items]
9
Demonstration
10
Demonstration: 4 Steps
1. Interact with RTU items using Eclipse SCADA
2. Impact of an intrusion in the SCADA Master
3. Interact with RTU items using intrusion-tolerant Eclipse SCADA
4. Impact of an intrusion in a SCADA Master replica
11
Demonstration: 4 Steps
1. Interact with RTU items using Eclipse SCADA
2. Impact of an intrusion in the SCADA Master
3. Interact with RTU items using intrusion-tolerant Eclipse SCADA
4. Impact of an intrusion in one SCADA Master replica
12
Use cases
• Simulate temperature updates in the thermometer item
• Simulate switch on/off commands in the turbine item
• Set up an alarm that goes off if the temperature reaches a threshold value
13
Thermometer Item use case
[Sequence diagram: the Frontend sends an Item update to the Master, and the Master forwards the Item update to the HMI]
14
Turbine Item use case
[Sequence diagram: the HMI sends a Write item to the Master, the Master forwards the Write item to the Frontend; the Frontend returns the Write result to the Master, which returns it to the HMI]
15
Demo
[Demo screenshots: Frontend and HMI views]
19
Demonstration: 4 Steps
1. Interact with RTU items using Eclipse SCADA
2. Impact of an intrusion in the SCADA Master
3. Interact with RTU items using intrusion-tolerant Eclipse SCADA
4. Impact of an intrusion in one SCADA Master replica
20
Attack scenario
• An attacker gains access to the Master
• Modifies data exchanged between the Frontend and the HMI
21
Thermometer Item use case
[Sequence diagram: the Frontend sends an Item Update to the compromised Master, which forwards a modified Item Update to the HMI]
22
Turbine Item use case
[Sequence diagram: the HMI sends a Write item to the compromised Master, which forwards a modified Write item to the Frontend; the Frontend's Write result passes back through the Master to the HMI]
23
Demo
[Demo screenshots: Frontend and HMI views, with the attacker's actions on the Master]
26
Demonstration: 4 Steps
1. Interact with RTU items using Eclipse SCADA
2. Impact of an intrusion in the SCADA Master
3. Interact with RTU items using intrusion-tolerant Eclipse SCADA
4. Impact of an intrusion in one SCADA Master replica
27
Prototype
Intrusion-tolerant Eclipse SCADA
• Modified Eclipse SCADA to support the replication of the SCADA Master
• Integrated a Byzantine fault-tolerant state machine replication library developed in Java, called BFT-SCADA
• Explores results from other European projects involved in the development of the BFT-SMART library: Massif, Tclouds, Supercloud
28
How does BFT-SMART work?
1. Every client request is processed by a group of servers (the servers coordinate to decide the order of request processing)
2. Servers must execute the same sequence of requests (servers should run diverse software/hardware)
3. The client infers the correct result of a request from the majority of the answers (weakest possible failure assumption)
n = 3f+1 (f = 1, n = 4)
[Diagram: the client sends Req(a) to the four servers; three correct servers reply 1 and the faulty one replies 0, so the client takes 1 as the result]
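The request/reply voting described on this slide, as an added example written for this page in Python (it is not BFT-SMART code, which is a Java library): it models n = 3f+1 deterministic Master replicas that all execute the same ordered sequence of requests, and a client that accepts a reply only once f+1 replicas agree on it (the standard client-side rule; the slide phrases it as the majority of the answers). The item names, the request sequence and the behaviour of the compromised replica are constructed for the illustration.

```python
"""Added example (not BFT-SMART or Eclipse SCADA code): a toy model of the
client side of state machine replication. n = 3f+1 replicas execute the same
ordered sequence of requests; the client accepts a reply only when f+1
replicas agree, so a single compromised Master replica that tampers with an
item value is outvoted."""
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

F = 1                 # replicas that may be faulty (Byzantine)
N = 3 * F + 1         # total replicas, n = 3f+1 (f=1, n=4)

# A request is (operation, item, value); the same sequence is delivered to every replica.
Request = Tuple[str, str, Optional[float]]


class MasterReplica:
    """Deterministic state machine: same requests in the same order -> same state, same replies."""

    def __init__(self, tamper: Optional[Callable[[Request, tuple], tuple]] = None):
        self.items: Dict[str, float] = {}
        self.tamper = tamper   # constructed model of a compromised replica altering what it returns

    def execute(self, req: Request) -> tuple:
        op, item, value = req
        if op == "update":          # Frontend pushes a new sensor reading
            self.items[item] = value
            reply = ("ok", item, value)
        elif op == "read":          # HMI asks for the current value
            reply = ("value", item, self.items.get(item))
        elif op == "write":         # HMI sends a control command
            self.items[item] = value
            reply = ("written", item, value)
        else:
            reply = ("error", item, None)
        return self.tamper(req, reply) if self.tamper else reply


def vote(replies: List[tuple], f: int = F) -> Optional[tuple]:
    """Client-side decision: accept the first reply that at least f+1 replicas agree on.
    Returns None when no reply reaches f+1 matches (the client cannot decide)."""
    for reply, count in Counter(replies).most_common():
        if count >= f + 1:
            return reply
    return None


def invoke(replicas: List[MasterReplica], req: Request, f: int = F) -> Optional[tuple]:
    """Deliver the (already ordered) request to every replica and vote on the replies."""
    return vote([r.execute(req) for r in replicas], f)


def run_demo(compromised_index: Optional[int] = 1) -> List[Optional[tuple]]:
    """Replay the thermometer/turbine scenario. Replica `compromised_index`
    (constructed attacker behaviour) reports a wrong temperature and flips the
    turbine command result; the client's f+1 vote masks it."""

    def tamper(req: Request, reply: tuple) -> tuple:
        kind, item, value = reply
        if item == "thermometer" and value is not None:
            return (kind, item, value + 100.0)     # wrong data shown to the operator
        if item == "turbine" and value is not None:
            return (kind, item, not value)         # invalid command result
        return reply

    replicas = [MasterReplica(tamper if i == compromised_index else None) for i in range(N)]
    ordered = [("update", "thermometer", 21.5), ("read", "thermometer", None),
               ("write", "turbine", True), ("read", "turbine", None)]
    return [invoke(replicas, r) for r in ordered]


if __name__ == "__main__":
    for reply in run_demo():
        print(reply)
```

Running it prints the four accepted replies, all carrying the correct values although replica 1 answered wrongly every time; `vote` returns None when the replies are too spread out to reach f+1 matches, which is the case a client must handle (retry or raise an alarm) rather than trust any single answer.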
29
Eclipse SCADA integration challenges
• Eclipse SCADA is a framework and not a ready-to-use solution
• Reasonably large project size: more than 500 sub-projects, 6100 Java files (900,000 LOC)
• Poor software documentation: source code, use case examples
30
Eclipse SCADA integration challenges (cont)
• Multiple I/O channels
• Concurrency through multiple threads
• Asynchronous messages
• Non-deterministic actions (e.g., get timestamps)
• Performance
[Diagram: the Frontend (server side) and the HMI (client side) each attach a Proxy with a BFT Client; the Master attaches a Proxy with a BFT Server on both its Frontend-facing and its HMI-facing side; Item Update and Write Item messages cross these proxies]
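The non-determinism challenge listed above (e.g., reading timestamps), as an added example written for this page in Python; it is not Eclipse SCADA or BFT-SMART code. It shows why replicas that each read their own clock drift apart, and the general remedy of agreeing on the value once (here: the leader reads its clock) and delivering it together with the ordered request so every replica applies the same value. The per-replica clock skews and the requests are constructed for the illustration.

```python
"""Added example (not Eclipse SCADA or BFT-SMART code): non-deterministic
actions such as reading the clock break state machine replication, because
replicas that execute the same ordered requests end up with different state.
The fix shown is to agree on the value once and deliver it with the request.
Clocks are simulated so the run is reproducible."""
import hashlib
from typing import Dict, List, Tuple

# Constructed per-replica clock skews in milliseconds: every replica's clock differs.
CLOCK_SKEW_MS = [0, 7, -3, 12]

Request = Tuple[str, str, float]   # (op, item, value)


class Replica:
    def __init__(self, skew_ms: int):
        self.skew_ms = skew_ms
        self.log: List[Tuple[str, float, int]] = []   # (item, value, timestamp_ms)

    def local_clock(self, base_ms: int) -> int:
        """Simulated wall clock: a common base time plus this replica's skew."""
        return base_ms + self.skew_ms

    def execute_naive(self, req: Request, base_ms: int) -> None:
        """Non-deterministic: each replica stamps the event with its own clock."""
        _, item, value = req
        self.log.append((item, value, self.local_clock(base_ms)))

    def execute_deterministic(self, req: Request, agreed_ts_ms: int) -> None:
        """Deterministic: the timestamp was fixed during ordering and arrives with the request."""
        _, item, value = req
        self.log.append((item, value, agreed_ts_ms))

    def state_digest(self) -> str:
        """Digest of the replica's log; equal digests mean equal replica state."""
        return hashlib.sha256(repr(self.log).encode()).hexdigest()


def run(deterministic: bool) -> Dict[str, int]:
    """Deliver the same ordered requests to four replicas and count distinct resulting states."""
    replicas = [Replica(s) for s in CLOCK_SKEW_MS]
    ordered = [("update", "thermometer", 21.5), ("update", "thermometer", 22.0)]
    base_ms = 1_000_000
    for seq, req in enumerate(ordered):
        now = base_ms + seq * 1000
        # The ordering leader (replica 0 here) reads its clock once; the value is ordered with the request.
        agreed = replicas[0].local_clock(now)
        for r in replicas:
            if deterministic:
                r.execute_deterministic(req, agreed)
            else:
                r.execute_naive(req, now)
    digests = [r.state_digest() for r in replicas]
    return {"distinct_states": len(set(digests))}


def distinct_states(deterministic: bool) -> int:
    """1 means all replicas agree on their state; more means they have diverged."""
    return run(deterministic)["distinct_states"]


if __name__ == "__main__":
    print("naive timestamps -> distinct replica states:", distinct_states(False))
    print("agreed timestamps -> distinct replica states:", distinct_states(True))
```

Diverged replicas matter for a voting client: if each replica records a different timestamp in an alarm event, the replies to a later query differ and the client may not reach f+1 matching answers even though no replica is compromised.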
31
Intrusion tolerant operation
[Diagram: the Frontend and the HMI, each through a Proxy with a BFT Client, communicate with four Master replicas, each with a Proxy and a BFT Server; the replicas run Byzantine Consensus to order the requests]
32
Thermometer Item use case
[Sequence diagram: the Frontend's Item Update is sent to the four Master replicas, which order it through Byzantine Consensus; the HMI then receives the Item Update from the replicas]
33
Turbine Item use case
[Sequence diagram: the HMI's Write Item is ordered through Byzantine Consensus by the four Master replicas, which forward the Write Item to the Frontend; the Frontend's Write Result is ordered through Byzantine Consensus again on its way back to the HMI]
34
Demo
[Demo screenshots: Frontend and HMI views]
38
The Demonstration: 4 Steps
1. Interact with RTU items using Eclipse SCADA
2. Impact of an intrusion in the SCADA Master
3. Interact with RTU items using intrusion-tolerant Eclipse SCADA
4. Impact of an intrusion in a SCADA Master replica
39
Attack scenario
• An attacker gains access to one of the Master replicas
• Modifies data exchanged between the Frontend and the HMI
40
Thermometer Item use case
[Sequence diagram: as in the intrusion-tolerant thermometer use case, but one of the four Master replicas is compromised and forwards a modified Item Update; the HMI, deciding from the replies of the replicas, still obtains the correct value]
41
Turbine Item use case
[Sequence diagram: as in the intrusion-tolerant turbine use case, but one of the four Master replicas is compromised; the Write Item and the Write Result are still ordered through Byzantine Consensus by the replicas, and the modified messages of the compromised replica are outvoted]
42
Demo
[Demo screenshots: Frontend and HMI views, with the attacker's actions on one Master replica]
45
Byzantine fault-tolerant limitations
What happens when more than f replicas are compromised?
• If 2 replicas are compromised, the system stops making progress, but does not make mistakes
• If 3 replicas are compromised, then a clever attacker can make the system take incorrect actions
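The quorum arithmetic behind these two limits, as an added example written for this page in Python (a simplified model, not the BFT-SMART protocol): with n = 3f+1 replicas a consensus decision needs 2f+1 matching votes, correct replicas vote only for a proposal that carries a genuine client request, and the compromised replicas (a constructed attacker model) withhold their votes from the genuine proposal and all vote for a forged one. The item, the commands and the replica counts are constructed for the illustration.

```python
"""Added example (not BFT-SMART code): quorum arithmetic for n = 3f+1.
A decision needs 2f+1 matching votes. Correct replicas vote only for the
genuine proposal; compromised replicas (constructed attacker model) vote
for a forged proposal instead, withholding their vote from the genuine one.
With f=1, n=4: 1 compromised -> correct decision, 2 -> no decision (stalled
but no wrong action), 3 -> the forged proposal reaches the quorum."""
from typing import Dict, Optional, Tuple

F = 1
N = 3 * F + 1
QUORUM = 2 * F + 1        # votes needed to decide (3 of 4)

# (item, command, genuine?) - genuine means the request really came from the HMI client
Proposal = Tuple[str, str, bool]
GENUINE: Proposal = ("turbine", "switch_off", True)
FORGED: Proposal = ("turbine", "switch_on", False)   # what the attacker wants executed


def cast_votes(num_compromised: int, f: int = F) -> Dict[Proposal, int]:
    """Count votes per proposal for one consensus instance.
    Correct replicas vote for the genuine proposal; compromised ones for the forged one."""
    n = 3 * f + 1
    if not 0 <= num_compromised <= n:
        raise ValueError("compromised count must be between 0 and n")
    votes: Dict[Proposal, int] = {GENUINE: 0, FORGED: 0}
    for replica in range(n):
        if replica < num_compromised:
            votes[FORGED] += 1
        else:
            votes[GENUINE] += 1
    return votes


def decide(votes: Dict[Proposal, int], f: int = F) -> Optional[Proposal]:
    """A proposal is decided when it reaches 2f+1 votes; otherwise there is no decision."""
    quorum = 2 * f + 1
    for proposal, count in votes.items():
        if count >= quorum:
            return proposal
    return None


def outcome(num_compromised: int, f: int = F) -> str:
    """Classify what the replicated Master does with `num_compromised` faulty replicas."""
    decided = decide(cast_votes(num_compromised, f), f)
    if decided is None:
        return "no progress (stalled), no wrong action"
    if decided[2]:
        return "correct action: %s" % decided[1]
    return "INCORRECT action: %s" % decided[1]


if __name__ == "__main__":
    for k in range(0, N + 1):
        print(k, "compromised ->", outcome(k))
```

The stalled case is the safe failure: a detection-oriented deployment should monitor for consensus instances that never decide, since a stall with the configured f is itself evidence that more replicas are faulty than the system was sized for.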
Intrusion-Tolerant SCADA
Web: http://segrid.eu, http://www.navigators.di.fc.ul.pt
Thank you! Any questions?