attack resilient cyber‐physical systems for industrial...

Centre for Development of Advanced ComputingCentre for Development of Advanced Computing

Attack Resilient Cyber‐Physical Systems for Industrial Automation & Control

By

Dr. S. Rominus ValsalamAssociate Director & Head

Control & Instrumentation GroupCentre for Development of Advanced Computing (CDAC)

(A Scientific Society of the Ministry of Communications and Information Technology, Govt. of India)Vellayambalamm, Thiruvananthapuram - 695 033, Kerala, India.

IEEE Symposium on “Frontiers of Technology: Fuelling Prosperity of Planet and People”

September 10 – 11, 2015

Changing Horizons of Automation & Control Technology

RelayI/O Modules

Hardware Based (Dumb)

Software-Based (Execute via Command)

Learning System

ProgrammableControls

HolonicControl System

Biological Systems“Life Forms”

ReasoningCompetition

AutonomyCo-operationIntelligence

Artificial IntelligenceRule Based / Neural

Virtual Environment Before Real-World

Realization

Global ClimateProtection

Digital Factory

Climate Models

Centre for Development of Advanced Computing

IMPORTANCE OF PLANT MODELS

Process

Black BoxSet

point

+ -

Steady State ErrorSet

point

Time

Controlled VariableCONVENTIONAL CONTROL SYSTEM

Controller ProcessSensor

+ -

Sens

or

Estim

ate

Proc

ess

Envi

ronm

ent

Adapt

Set point

Steady State Error

Time

Set point

Manipulated Variable

ADVANCED CONTROL SYSTEM

ProcessController

Estimate Measurement

Understand and Adapt

PROCESS MODEL

ESTIMATOR

MODELLING AND CONTROL


MISREPORTS

CONFIGURATOR

MACHINE

INTELLIGENCE

Control System

Configurator

ADVANCED CONTROL &

DSP ALGORITHMS

MODELLING & OPTIMIZATION

TOOLS

OPERATOR

CONSOLE

REAL TIME SCHEDULER

BATTER

Y

SENSOR / ACTUATOR NETWORKWIRED WIRELESS

COMMUNICATION SYSTEM CONFIGURATOR

GENERAL PURPOSE

CONTROLLER

LOW POWER CONTROLLER

HISTORIC

DATABASE

HMISimulation

Platform

DEVICE

LEVEL

CONTROL

LEVEL

REPOSITORY

LEVEL

INFORMATION

& DECISION LEVEL

WIRELESS COMMUNICATIONVSAT

ALARM

MANAGEMENT

INTELLIGENT OPERATOR GUIDANCE

REPOSITORY MACHINE

REAL TIME DISTRIBUTED

DATABASE

ERPCRM

SINGLE BOARD

CONTROLLER

LEARNINGLEARNING&&

CONTROLCONTROL

CONTROL CONTROL &&

SYSTEMSSYSTEMS

PERCEPTIONPERCEPTION

SYSTEMS SYSTEMS & &

LEARNINGLEARNING

OPERATOR

CONSOLE

MIS SERVER

ARCHITECTURE OF NEXT GENERATION AUTOMATION & CONTROL SYSTEM

Automation Products

OVERVIEW OF SCADA SYSTEM FOR A CHAIN OFHYDEL POWER STATIONS

PHANSIDEWA(Administrative Building)

SERVER

UNIT-1 UNIT-2 UNIT-3

CONTROL NET

ETHERNET

OPERATOR CONSOLES

PS-I SCADA SYSTEM PS-II SCADA SYSTEM PS-III SCADA SYSTEM

RADIO LINK

2.4 TO 2.5 GHz

NETWORK1 NETWORK2

SERVER OPERATOR CONSOLES

NETWORK1 NETWORK2

SERVER OPERATOR CONSOLES

2.4 TO 2.5 GHz 2.4 TO 2.5 GHz


FUZZY LOGICINTELLIGENT DECISION SYSTEM

SIEMENS System

Server

Console

RTU 1

RTU 2

OPC Server

CDAC System

Siemens 417 –4H

Controllers

Reinforces Setpoints

OPERATOR

Rotary Kiln

Durag Camera

Kiln

Pro

cess

Siemens Panel

Optimized Setpoints

Rs, Cs & Ps

Field I/Os( ~3000 nos.)

Kiln Optimization Workstation

Preheater Fan

Raw Meal Feeder

PID Controller

PID Controller

PID Controller

Coal Feeder

Secondary Air

Cyclones

M

Cement Plant Rotary Kiln Control Optimization System

Raw Meal Pre heater fan

Coal feed

DA

S R

oom

K

iln C

ontr

ol R

oom

M

OPCRaw Meal Feed RatePreheater fan speedCoal Feed RateKiln SpeedBack-end TempCO ContentBurning Zone TempKiln Ampere …. Bur

ning

zon

e im

ages

PCS 7

Cs Rs Ps

Schenk Controller

IPA ControllerIPA Controllers

Complex Measurement of Crystal Size in Sugar Industry ‐

Through Image Processing

Spreading brushPneumatic cylinder

VacuumPan

Cleaningbrush

Slots forSample

6mm thick glass

Smartcamera

Spray Water Nozzle

Solenoid valve

Solenoid valve

Reject sample

Raw Water supply

Air supply

Display UnitDisplay Unit

Solenoid valve

Control & Instrumentation Group IIPTeC - Sugar Crystal Size Characterization

Control unitControl unit


Energy Crisis


Control Problems in Solar Power Plants

Behaviour of Cyber – Physical System in Modern Solar Power Plants and Control Problems

Cloud based SCADA offers Alternatives to Traditional Systems

Service provider purchases and maintains a shared pool of configurable computing devices

Networks Servers Storage Applications Services

Water and waste water industry access these resources via the internet

They pay for the Capacity used

H/W & S/W purchase Installation Maintenance System upgrade

Cloud SCADA limits the need for


Need for Industrial Control System Security

LEAKAGE DETECTION SYSTEM

SERVER OPERATOR CONSOLE 2OPERATOR CONSOLE 1

SIMULATION‐DRIVEN

OPTIMIZATION SYSTEM

CHEMICAL ADDITION OPTIMIZTION

SYSTEM

Security Gateway 1Security

Gateway 1

iInputs/control commands

FIELD I/Os


Gateway 2

Wireless SecurityManager

Wireless NetworkManager

Backbone Router/ Base station


WFD

Wireless IDS

Intrusion Detection Analysis System

Inputs/control commands

Secured Automation System with Cloud Architecture

CloudCloud

Attack Resilient Process

Controller


Controller


Controller


Comparison of security requirement for general Information Systems and Automation and Control Systems

16

Sl.

No.

Security Requirement General Information

Systems

Automation and control

systems

1. Primary subject for

protection

Information Physical process/plant

2. Primary risk impact Information disclosure,

financial

Safety, health,

environment, financial

3. Security focus Central server security Control device stability

4. Availability 95 – 99% 99.9 – 99.999…%

5. Determinism Hours to months Milliseconds to hours

6. Operating environment Interactive,

transactional

Interactive, real-time

7. Problem response Reboot Fault tolerance, on-line

repair and restoration


Power and Energy System Control Applications and Cyber – Physical System Security Needs

17

FACTS - Flexible Alternating Current Transmission System


Need for CyberPhysical System Security

19

Security Issues in ICS

Adoption of standardized protocols and open technologies with known vulnerabilities

Connectivity of the control systems to other networks/Internet

Insecure and rogue connections

Widespread availability of technical information about control systems

Use of standard OS like Windows


ICS Security incidents

Incidents of cyber‐security nature that directly affected Industrial Control Systems and processes

Statistics

No.

of i

ncid

ents


Electric terrorism: grid component targets, 1994–2004 (source: Journal of Energy Security). IEEE P&E Magazine, Jan/Feb 2012


Percentage of critical infrastructure enterprise executives reporting large-scale DDoS attacks and their frequency (source: McAfee) – IEEE P&E Magazine, Jan/Feb 2012


Security Incidents on SCADA SystemsSiberian Pipeline Explosion (1982) - TrojanChevron Emergency Alert System (1992) – User CompromiseSalt River Project (1994) – TrojanWorcester, MA Airport (1997) – Root Compromise & Denial of ServiceGazprom (1999) – User Compromise & TrojanCalifornia System Operator (2001) – Root CompromiseDavis-Besse Nuclear Power Plant (2003) – WormCSX Corporation (2003) – VirusTehama Colusa Canal Authority (2007) – Misuse of ResourcesStuxnet (2010) – Worm, Root Compromise, TrojanNight Dragon (2011) - Social Engineering, User Compromise, Root CompromiseDUQU (2011) - VirusFlame (2012) – Worm Contd…..


Russian‐Based Dragonfly Group Attacks Energy Industry (2014) ‐ Power and Utilities United StatesU‐2 spy plane caused widespread shutdown of U.S. flights: report (2014) ‐ Transportation United StatesAfter ‘Godzilla Attack!’ U.S. warns about traffic‐sign hackers (2014) ‐ Transportation United States Public utility compromised after brute‐force hack attack, says Homeland Security (2014) ‐ Power and Utilities United States

RCICSS 24


Worcester Air Traffic Communications (March 1997)Disabled part of the PSTN using a dial-up modem - airport control and communication system affected, radio transmitter that activates runway lights were shut down

Maroochy Shire Sewage Spill (2000)Using a radio transmitter, the control system for sewage pumping station was interrupted on 46 occasions causing malfunctions resulting in the release of about 264,000 gallons of raw sewage into nearby rivers and parks

Northeast Power Blackout (August 2003)Failure of the alarm processor in the SCADA system prevented control room operators from having adequate situational awareness of critical operational changes to the electrical grid, leading to an uncontrolled cascading failure of the grid. A total of 61,800 MW load was lost as 508 generating units at 265 power plants tripped.

Stuxnet Worm ( 2010, 2012)Latest widely published cyber attack on ICS. The objective was to corrupt Siemens PLC function by rewriting parts of the code and turning it into the attacker’s agent. Target was nuclear power plants, power grids.On 25 December 2012, an Iranian semi-official news agency announced there was a cyberattack by Stuxnet on the industries in the southern area of Iran.

SCADA Security Incidents ‐ Examples

RCICSS 25


How STUXNET Worked

RCICSS 26


Architectural vulnerabilities• Weak separation between process network & field network• Lack of authentication among the active components

Security Policy vulnerabilities• Patch management policies • Anti virus update policies• Access policies

Software Vulnerabilities• Buffer overflows• SQL-injection• Format string• Web-application vulnerabilities

Communication Protocols Vulnerabilities in • DNP 3.0 (IP based)• IEC 870-part 5 101 profile• IEC 870 part 5 104 profile (IP based)• Inter Control Centre Protocol (ICCP, IP based)

Wireless vulnerabilitiesVulnerabilities in field devices with Ethernet interface– PLCs, RTUs, IEDs etc

SCADA Vulnerabilities

RCICSS 27


SCADA aware Security gatewayFirewall – Modbus TCP, DNP3, ICCPIDS – Signature and behaviour anomaly basedBump‐in‐the‐wire

Secure SCADA ProtocolsSecurity Layer for ICCP TASE.2, MMS Protocol Layers Security Layer for IEC 61850 Protocol

Hardware/software hardened secure SCADARTU – OS Hardening, Role based access control, data authenticationDACS (proprietary) protocol – Challenge / ResponseSCADA/HMI ‐ Role based access control, Biometric authentication, control data encryption, SCADA configuration hardening Security hardened WSN – IEC 62591 (WirelessHART)

R&D Initiatives of CDACDevelopment of Building Blocks

RCICSS 28


Attack resilient control algorithms• Robust networked control• State controller ‐ Robust Kalman Filter with Bernoulli Loss Model• H∞ Control ‐ system with unpredictable structural changes• Fault‐Tolerant control using data fusion and state observer• Power System Simulation, Collocation and Control• State Estimation

End point security framework in SCADA• Whitelist framework for SCADA security with Application control,Network Access Control, USB mass storage device and USB communication device control for Windows and Linux based end points

• Mobile security solution with application aware firewall, anti malware and Offline mobile application analyser features for Android based mobiles

Development of Building Blocks

RCICSS 29



RCICSS 30

Security Testing Tools• Attack simulators

SCADA malware DoS (APT) Scenario SCADA unauthorized command execution scenarioSCADA System Data Poisoning

• SCADA protocol fuzzers – Modbus TCP, DNP3, ICCP

SCADA Forensics and Incident Response tools• Forensics acquisition and analysis of

Computers on a SCADA networkRTU/PLC Intelligent field devices



RCICSS 31

Security tools for Wireless Field Devices• Wireless Security Analyser and Detector

• Wireless Security Analysis system – IEC 62591 (WirelessHART)• Intrusion Detection System

Attack modelling framework & tool• Fault Tree Analysis (FTA)• Attack Trees• Petri Nets

Monitoring and Management tools for Risk AssessmentAuditing tool based on SCAP protocol


SCADA AWARE SECURITY GATEWAYSCADA AWARE SECURITY GATEWAY

Network Intrusion Detection System

SCADA AWARE FIREWALL

SCADA AWARE SECURITY GATEWAY

INTERNAL ROUTER OR SWITCH

CONTROL NETWORK

PLC RTU

. . . . .

INTERNET

INTERNAL ROUTER OR SWITCH

ENTERPRISE NETWORK

. . .


Secure RTU Architecture

AO

SENSORS AND ACTUATORS

DOAIDI

CPU with Hardened LINUX OS

ServerConsole 1 Console 2

PoliciesRBAC

Data IntegritySecurity Enhanced

SCADA Protocol with Challenge

ResponseAuthentication

NW Switch

RBAC – Role Based Access Control


Challenge / Response Authentication for RTU Master Communication

If H! = HASH (N|S)Reset Connection


Operating System Hardening

SELinux (Security Enhanced Linux) provides enhanced securityA set of kernel modifications and user‐space tools that can be added using LSM ( Linux Security Modules)Configurable policy engine supporting:

Type Enforcement (TE), Role Based Access Control (RBAC)Type Enforcement (TE) is the mechanism that actually determines if a particular operation is permittedThe Type Enforcement technology feature of the operating system provides strong separation of:

The operating system from applicationsApplications from each other


• Enrich the web based SCADA application with strong security features User authentication with role based access Use of strong multi‐factor user authentication via biometric interfaces and

strong passwords Improved Web Application Security by the use of secure data transfer between

server and client using technologies like SSL Encryption of control data Secure configuration database using database encryption Use of electronic signatures Protocol hardening by using a secure SCADA protocol for communication with

the RTUDevelop ICCP Server and Client interfaces for the SCADA software

Security Hardened SCADA Software

36

BACK


Security Hardening of Wireless Sensor Network


To harden the existing wireless sensor network system for industrial automation developed under the ASTeC programme funded by DeitY.

Security in Wireless Sensor Network

Objectives

1. Design and Implementation of IEC 62591 (WirelessHART) standard based security features on Wireless Sensor Node.

2. Design and Implementation of IEC 62591 (WirelessHART) standard based security features on Backbone Router (Base Station).

3. Design & Development of Network Manger for the Wireless Sensor Network.

4. Design & Development of Security Manger for the Wireless Sensor Network.


WiSArD Architecture

Security in Wireless Sensor Network


Attack Resilient Control Algorithms


RESILIENT INDUSTRIAL CONTROL SYSTEM (RICS)

RCICSS 41

A Control System designed and operated s.t

• Incidence of undesirable incidents can be minimized

• Most of the undesirable incidents can be mitigated

• Adverse impacts of undesirable incidents can be

minimized

• It can recover normal operation in a short time


3 – Layer System Model

RCICSS 42


Resilience curve illustrating the Characteristics of Resilient ICS

43


ESTIMATING RESILINCE OF AN ICS

RCICSS 44

ESTIMATION METRICS (Incident )i

No performance degradation

System reaches performance bottom

System identifies incident

System recovers normal operation

Protection time

Degrading time

Identification time

Recovery time

Performance degradation

Performance loss

Total Financial loss

Potential Critical loss

0d mi i iT t t

0i ii i iT t t

0p di i iT t t

0r ri i iT t t

i

Compute


Fault tolerant Control System using Sensor Fusion

45

The Two‐Level Linear State Estimator


Cybervulnerability and Mitigation studies using a SCADA Test Bed

Centre for Development of Advanced Computing3-Tank process System

Corporate network

Attack Injector

Attack Simulator (AS) / Tools

C-DAC SCADA System Third party SCADA SystemControl Centre 1

AS/Tools

Control Network

Nodes

WSNWSN AS/ Tools

WSN Gateway

Fire Wall

Fire WallRouter

Fire Wall/ Security Gateway

RTU

SCADA Attack Simulator (AS)/ Tools

Master Server ICCP Server

Work station

Web Server

Sensor/ Relays

HMI

Temperature process Control System

ICCP

Power Plant Simulator

MLC

Fire Wall

Internet

Mobile Handset

Attack Injector

Control Centre 2

Control NetworkNetwork Manager

Security Manager

AS/Tools

Fire Wall/ Security Gateway

Sensor/ Relays

PLC

ICCP Server Server (SCADA/ HMI)

Field Devices

Third party WSN

DNP3

Forensic Tools

AS/Tools

Power Txn & Distrn Network Simulator

SCADA Test Bed Architecture


ON – LINE CONTROLLER DESIGN / RECONFIGURATION FOR NEW

SITUATION

RCICSS 49

Operating Regime Learning and Switching of Controllers to cover wide spectrum of Plant Operation

PLANNING

Set points

Production Strategies

Production Schedule

Business Intelligence

TYPE-1 : MULTIPLE MODEL SWITCHING CONTROLLERS

CONTROLLER BANK PROCESS

MODELBANK

SWITCHINGSTRATEGY

CALCULATEPERFORMANCE

INDEX

+

–

+

+

+

d

u

y

yr

CO-OPERATION

^

TYPE - 2 : MULTIPLE MODEL LEARNING ADAPTIVE CONTROLLERS

Identification and Decision

Supervisor

PLANT

OnlineController

Design

Bank ofControllers

U1

U2

Un

U Y

NewController

New Model New Model


Diagram of the Resilient Controller


Application 1 : Layout of Plant No. 4, Tuticorin Thermal Power Station


Architecture of overall Automation System in Unit 4, TTPS

* Steam Temp Control* Furnace Safety System* Soot Blower* Turbine Control

* Drum* ID,FD Fans* PA Fans* BFPs* Mill Control

* SH Control* RH Control* Modelling & Simulation* Prediction Control* Soft Sensor for Coal Flow* Expert System* Cooling Water Pump

Monitoring

ABBPROCONTROL

P 13/42

HITACHIHIDICV 90/20

SECURED CDAC

AUTOMATION SYSTEM

Field I/O Signals Field I/O Signals

Signals

Control Signals

OPC

Superheater (Left) &

Superheater (Right)

iCon#1

FIELD I/Os

NETWORK SWITCH-1

Superheater Prediction Control System Implementation

Motor Bearing , Winding Temp & Discharge Pressure

Cooling water Pump House II (4

pumps)

iWiSe 12

PULV. COAL FLOW SOFT SENSOR


iCon#2 iCon#3

EXPERT SYSTEM FOR OPERATOR

GUIDANCE

REAL TIME MODELLING,

SIMULATION AND PREDICTION

SYSTEM

Coal Mill A - F

Six Coal flow Soft Sensors Implementation

iWase

iWiSe 1

iWiSe 2

NETWORK SWITCH-2

Reheater (Left) &

Reheater (Right)Reheater Control System

Expert System

SYSTEM ARCHITECTURE - TTPS

PULV. COAL FLOW SOFT SENSOR


EXPERT SYSTEM FOR OPERATOR

GUIDANCE

REAL TIME MODELLING,

SIMULATION AND PREDICTION

SYSTEM


Gateway 1

Superheater (Left) &

Superheater (Right)

iCon#1

FIELD I/Os

Superheater Prediction Control

System Implementation

iCon#2 iCon#3

Coal Mill A - F

Six Coal flow Soft Sensors

Implementation

Reheater (Left) &

Reheater (Right)Reheater Control

SystemExpert System


Gateway 2





WFD

Wireless IDS

Motor Bearing , Winding Temp & Discharge Pressure

Cooling water Pump House II (4 pumps)

Secured Automation System for TTPS Boiler


KALMAN FILTER STATE ESTIMATION AND

SECURITY SYSTEM IMPLEMENTATION IN

THERMAL POWER STATIONS

PRESSURE CONTROL

SCHEMATIC DIAGRAM OF STEAM, WATER AND FLUE GAS FLOW LINES OF A DRUM TYPE BOILER

TEMPERATURECONTROL

COM

MO

N

CONVENTIONAL SUPERHEATER STEAM TEMPERATURE CONTROL SYSTEM

CONTROL PROBLEMS OF SECONDARY SUPERHEATER

The secondary superheater exhibits a large process lag (p) of the order of 8 to 10 minutes

Process lag changes heavily according to factors such as Main steam flow, CV of coal etc.,

1’

2’

1

2

p

TIME

TIME

SET VALUE

MA

IN S

TEA

M

TEM

P.FU

EL /

SPR

AY

FLO

W

CONCEPT OF STEAM TEMPERATURE PREDICTIVE CONTROL SYSTEM BY M/s HITACHI

Λθ (t+p) = PREDICTED ESTIMATE FOR p SECS INTO FUTURE, KNOWING THE ESTIMATE AT TIME ‘t’

θ(t) = MAIN STEAM TEMPERATURE

PREDICTOR (PREDICTION TIME

= p SEC)

PIDCONTROLLER

PROCESS (SUPER HEATER

SYSYEM)

SETPOINT +

-

Λθ( t+p)

KALMAN FILTER / LINEAR REGRESSION

PROPOSED METHOD OF STEAM TEMPERATURE CONTROL

PREDICTED STEAM TEMP.

MAIN STEAMTEMPERATURE

SET POINT

PI

PI

SEC. SUPERHEATERDYNAMICS

ATTEMPERATORDYNAMICS

PREDICTION FORP SECS

(8 to 10 minutes)

+

-

+-

STEAM TEMP.

MA

IN S

TEA

M

TEM

P.

PRESENT

MA

IN S

TEA

M

TEM

P.

PREDICTION TIME P

TIME

1’

2’

1

2

p

TIME

TIME

SET VALUE

FUEL

/ SP

RA

YFL

OW

PREDICTED VALUE

Main steam temperatureSet Point Conventional PID

Control System

State estimation by Kalman Filter

N – Step State prediction by Kalman Filter

Xs(k + N/k)

541oC

Ts(k + N/k)Predicted

steam temperature

Adaptive Process Identification by Kalman filter

Computation of controller

parameters

Boiler Plant

Fuel flow/ spray flow

KP , KI , KD

Boiler Plant model

)1(ksX

)()( kUsksXs

s , s

Xs (k / k)

U

-

+

ARCHITECTURE OF ADAPTIVE PREDICTIVE STEAM TEMPERATURE CONTROL SYSTEM

(Incorporates Control System Security)

psFs

qgpg

INTEGRATED MODEL FOR BOILERpdld

Ts

Fa

Furnace Inputs

hspa

Furnace Exhaust Gas

Main Steam

Saturated Drum Steam

Tsp

Fps

FspaFsi

Tsi

qr

Feg

Tg

Tm

Tgp

Fd

Td

Ff

Fr

hr

DRUM MODEL.Xd = f (Xd,Ud)

Xd =

PRIMARY SUPERHEATER

MODEL.Xp = ApXp + BpUp

Xp =

SECONDARY SUPERHEATER

MODEL.Xs = AsXs + BsUs

Xs =

FURNACE GAS

MODEL

Few

ATTEMPERATOR MODEL

dVdw

TspTmp

FURNACE MODEL

.X = f (X,U)

X =

TsTm

hegeg

hew

STOCHASTIC PROCESS MODEL

Xs(k) = s Xs(k-1) + sUs(k-1) + Ω W(k-1) with X (0) = Xo

is a 2x2 coefficient matrix

OBSERVATION MODEL

Ys(k) = CXs(k) + V(k)

STATE ESTIMATION USING KALMAN FILTER

W(k) - Process Noise2x1

V(k) - Measurement Noise 2x1

White noise sequencesStationary, Zero mean, Gaussian

The SSH is considered as a Stochastic Process

It is assumed that very little is known about the process initially Xs(0/-1) = 0 and P(0 /-1) =

KALMAN FILTER ALGORITHM

(i) Error variance algorithmP(k/k) = [P-1(k/k –1) + CTR-1C ]-1

(ii) Gain algorithmK(k) = P(k/k) CTR-1

(iii) Estimation algorithm

Xs(k/k) = Xs(k/k–1) + K(k) [Ys(k) – CXs(k/k –1)]

(iv) Prediction (Extrapolation) algorithm

Xs(k/k–1) = s Xs(k–1/ k–1) + sUs(k–1)P(k/k–1) = sP(k – 1/ k –1)s

T + Q T

STATE ESTIMATION USING KALMAN FILTER (contd.,)

COMPUTATIONAL SEQUENCE OF N - STEP PREDICTION BY KALMAN FILTER

Enter loop with

Xs(k/k-1) and P(k/k-1)

Compute error variance

P(k/k)

Compute filtered estimatXs(k/k)

Compute Kalman gainK(k)

Project one step aheadXs(k+1/k) and P(k+1/k)

N - Step prediction

Xs(i+1/k) = sXs(i/k) + sUs(k)P(i+1/k) = sP(i/k)s

T + QT

I = k,k+1,k+2…..k+N-1

Xs(k+N/k) and P(k+N/k)


ADAPTIVE PROCESS IDENTIFICATION

KKKK

KKKKK

XCV

XAX

1

KKK 1

KK

KKKK

K

KKK

K

KKK

K

K

XCV

XAX

0

1

1

Using Extended Kalman Filter

System Model

Parameter Model

Augmented System Model

θ - Parameter Vector


Architecture of a SCADA‐specific Security Solution (Xware)

RCICSS 70

Xware AB - Sweden


Trust Counter- Data Fusion assurance for the Kalman Filter in Uncertain Networks

RCICSS 71


Contaminated Measurements


Detection of Multiple Outliers

RCICSS 77

Detection of 3 Outliers


Detection of Multiple Outliers

RCICSS 78

Detection of 4 Outliers


Optimization of Drinking Water Production, Distribution and Consumption –

Grand Challenges and Technology Driven Solutions

for the Modern World

Conventional Chemical Addition Control (pH and Turbidity)

Variable Speed Drive




Model Driven

Estimator/Predictor

Clarifier lag Compensation and Optimal Process Control

Centre for Development of Advanced Computing RCICSS 82

Maroochy Shire Sewage Spill (2000)

Cyberattack on Drinking Water Supply System

Using a radio transmitter, the control system for sewage pumping station (Queensland, Australia)was interrupted on 46 occasions causing malfunctions resulting in the release of about 2,64,000 gallons of raw sewage into nearby rivers and parks

Consequently, the drinking water supply system got affected badly

It was polluted by sewage water

HYDRAULIC MODEL AND SCADA DRIVEN SYSTEM OPTIMIZATION

Combine Hydraulic Modeling and SCADA into one Software Application

OPTIMIZATION METHODOLOY

COLLOCATION MULTIPLE - SHOOTING

on-line off-line

SCADA Security

Simultaneous System Simulation & Optimization

• Analyse events as they happen

• Perform First Simulation with operational decision

• Monitor accuracy

• Change decision and quickly perform Second Simulation

• Compare level of improvement

• Select Ready-to-go campaign

• Implement control decisions

Problems that remain

Costs of the change

COLLOCATION ENSURES ICS SECURITY

LEAKAGE DETECTION SYSTEM


SIMULATION‐DRIVEN

OPTIMIZATION SYSTEM

CHEMICAL ADDITION OPTIMIZTION

SYSTEM


Gateway 1

iInputs/control commands

iCon#1

FIELD I/Os

iCon#2 iCon#3


Gateway 2





WFD

Wireless IDS


Inputs/control commands

Secured Automation System


Thank You


Representative efforts in the area of best practices for controlsystems security


Representative efforts in the area of best practices for controlsystems security (Contd.)


Cybervulnerability and Mitigation studies using a SCADA Test Bed

95

International Scenario

Idaho National Laboratories, National SCADA Test Bed Programme

The Centre for SCADA Security, Sandia National laboratories

US Department of Energy, National SCADA Test bed programme

NERC (North American Electric Reliability Corporation) reliability standards for CIP

VIKING (Vital Infrastructure, Networks, Information and Control Systems Management) – a research project funded by EU to create tools for risk analysis, develop a requirement baseline and testmitigations against threats


Proposed developmentsSCADA Aware Firewall

o Rule‐based filteringo Stateful Packet Inspection (SPI) o Threshold – based filteringo Secure firewall configuration interface

Network Intrusion Detection/Prevention System (NIDS/NIPS)o Signature basedo Anomaly based

Protocols Supportedo Modbus TCPo DNP 3.0o ICCPo IEC 60870‐5‐104o DACS

Security Aware Gateway


Rules based filtering : Series of rules are defined based on: allowable source and destination IP addresses, listening port numbers of respective protocols and the protocol header.

Stateful packet Inspection : Tracks the interrelationship between the packets allowed, by keeping a history of accepted packets and the state of current connection , only anticipated traffic is accepted.

Threshold based filtering : Threshold‐based filtering works by keeping statistics on the packets received and monitoring for threshold crossings based on configured time intervals and threshold levels. A database to maintain packet counts and a monitoring module to detect and enforce threshold crossings.

Features of SCADA Aware Firewall

RCICSS 97


Signature based : Attack scenarios exploiting the vulnerabilities in Modbus, DNP 3.0, ICCP, IEC 60870‐5‐104 and DACS is transformed into corresponding signature rules in the onboard NIDS

Anomaly based : Detects zero‐day attacks based on statistical samples of network or host operating information (like CPU utilization rate, number of failed login attempts etc) and its deviation from the norm.

Provision to manually import persistent alerts from Anomaly based IDS mode as a signature rule in the Signature based IDS mode, after an expert verifies it and validates it as a possible attack scenario

Features of NIDS

RCICSS 98


To address SCADA vulnerabilities it is proposed to enrich the RTU developed by C‐DAC with the following security enhancements

Role Based Access ControlSecurity enhanced SCADA protocolKernel OS hardeningData Authentication

Security Hardened RTU/Controller

99


Role‐based Access Control (RBAC) is a method of regulating access to RTU resources based on the roles of individual users within an organizationAccess control provides improved security by allowing users access to only certain permissions

Role Based Access Control

100


SCADA Forensics‐ System Architecture & Tools

SCADA Computer SystemsSCADA Computer Systems

• Control Layer Nodes• Control Layer Nodes

• Intelligent electronic devices

• Intelligent electronic devices

• Field devices• Field devices

• Forensics Data Acquisition Tool Suite

• Forensics Data Acquisition Tool Suite

RTU

Computer Disk/ Memory/ Log Acquisition Tool

RTU / PLC Non‐volatile Memory Acquisition Tool

Intelligent Field device Non‐

volatile memory Acquisition Tool

SCADA Forensics Analysis Tool

Forensics Image

attack resilient cyber‐physical systems for industrial...

Documents