Centre for Development of Advanced Computing
Attack Resilient Cyber-Physical Systems for Industrial Automation & Control
By
Dr. S. Rominus Valsalam, Associate Director & Head
Control & Instrumentation Group, Centre for Development of Advanced Computing (CDAC)
(A Scientific Society of the Ministry of Communications and Information Technology, Govt. of India)
Vellayambalam, Thiruvananthapuram - 695 033, Kerala, India.
IEEE Symposium on “Frontiers of Technology: Fuelling Prosperity of Planet and People”
September 10 – 11, 2015
Changing Horizons of Automation & Control Technology
[Figure: labels on the evolution chart – relay / I/O modules, hardware based (dumb); software-based (execute via command); programmable controls; learning system; holonic control system; biological systems ("life forms"); reasoning, competition, autonomy, co-operation, intelligence; artificial intelligence, rule based / neural; virtual environment before real-world realization; digital factory; climate models; global climate protection.]
IMPORTANCE OF PLANT MODELS
[Figure: conventional control system (controller, process treated as a black box, sensor; set point vs. controlled variable over time with a steady-state error) compared with an advanced control system (process model and estimator used to estimate the measurement, understand and adapt to the process and its environment; manipulated variable and set point tracking shown over time) – modelling and control.]
ARCHITECTURE OF NEXT GENERATION AUTOMATION & CONTROL SYSTEM
[Figure: four-level architecture. Device level: sensor/actuator network (wired, wireless), single board controller, low power controller, battery, communication system configurator. Control level: general purpose controller, real-time scheduler, advanced control & DSP algorithms, HMI, simulation platform, control system configurator. Repository level: real-time distributed database, historic database, repository machine. Information & decision level: machine intelligence, modelling & optimization tools, alarm management, intelligent operator guidance, operator console, MIS server, MIS reports, ERP/CRM, wireless communication/VSAT. Cross-cutting themes: learning & control, control systems, perception systems & learning.]
Automation Products
OVERVIEW OF SCADA SYSTEM FOR A CHAIN OF HYDEL POWER STATIONS
[Figure: three power station SCADA systems (PS-I, PS-II, PS-III), each with redundant networks (Network 1, Network 2), a server and operator consoles, linked over 2.4 to 2.5 GHz radio links to the server in the Phansidewa administrative building; units 1–3 connected over ControlNet and Ethernet to the operator consoles.]
FUZZY LOGIC INTELLIGENT DECISION SYSTEM
Cement Plant Rotary Kiln Control Optimization System
[Figure: the Siemens system (PCS 7 server, console, RTU 1, RTU 2, Siemens 417-4H controllers, Siemens panel, ~3000 field I/Os, PID controllers for the preheater fan, raw meal feeder and coal feeder, Schenk controller, IPA controllers) exchanges data over an OPC server with the CDAC kiln optimization workstation. Inputs: raw meal feed rate, preheater fan speed, coal feed rate, kiln speed, back-end temperature, CO content, burning zone temperature, kiln ampere, burning zone images from a Durag camera. The CDAC system returns optimized set points (Rs, Cs and Ps) and reinforces set points for the operator in the kiln control room; rotary kiln process with secondary air and cyclones; DAS room.]
Complex Measurement of Crystal Size in Sugar Industry – Through Image Processing
IIPTeC – Sugar Crystal Size Characterization (Control & Instrumentation Group)
[Figure: sampling rig at the vacuum pan: pneumatic cylinder and spreading brush, slots for the sample on 6 mm thick glass, cleaning brush, spray water nozzle with raw water and air supply through solenoid valves, reject sample outlet, smart camera, control unit and display unit.]
Energy Crisis
Control Problems in Solar Power Plants
Behaviour of Cyber-Physical System in Modern Solar Power Plants and Control Problems
Cloud based SCADA offers Alternatives to Traditional Systems
• Service provider purchases and maintains a shared pool of configurable computing devices: networks, servers, storage, applications, services
• Water and waste water industry access these resources via the internet
• They pay for the capacity used
• Cloud SCADA limits the need for H/W & S/W purchase, installation, maintenance and system upgrade
Need for Industrial Control System Security
Secured Automation System with Cloud Architecture
[Figure: server, operator consoles 1 and 2, leakage detection system, simulation-driven optimization system and chemical addition optimization system behind Security Gateway 1; inputs/control commands reach the field I/Os through Security Gateway 2; wireless field devices (WFD) connect through backbone routers/base stations managed by a wireless network manager and a wireless security manager, with a wireless IDS feeding an intrusion detection analysis system; attack resilient process controllers connect to the cloud.]
Comparison of security requirement for general Information Systems and Automation and Control Systems

Sl. No. | Security Requirement           | General Information Systems       | Automation and control systems
1       | Primary subject for protection | Information                       | Physical process/plant
2       | Primary risk impact            | Information disclosure, financial | Safety, health, environment, financial
3       | Security focus                 | Central server security           | Control device stability
4       | Availability                   | 95 – 99%                          | 99.9 – 99.999…%
5       | Determinism                    | Hours to months                   | Milliseconds to hours
6       | Operating environment          | Interactive, transactional        | Interactive, real-time
7       | Problem response               | Reboot                            | Fault tolerance, on-line repair and restoration
Power and Energy System Control Applications and Cyber-Physical System Security Needs
[Figure; FACTS – Flexible Alternating Current Transmission System]
Need for Cyber-Physical System Security
Security Issues in ICS
Adoption of standardized protocols and open technologies with known vulnerabilities
Connectivity of the control systems to other networks/Internet
Insecure and rogue connections
Widespread availability of technical information about control systems
Use of standard OS like Windows
ICS Security incidents
Incidents of cyber-security nature that directly affected Industrial Control Systems and processes
[Figure: statistics – number of incidents]
Electric terrorism: grid component targets, 1994–2004 (source: Journal of Energy Security). IEEE P&E Magazine, Jan/Feb 2012
Percentage of critical infrastructure enterprise executives reporting large-scale DDoS attacks and their frequency (source: McAfee) – IEEE P&E Magazine, Jan/Feb 2012
Security Incidents on SCADA Systems
• Siberian Pipeline Explosion (1982) – Trojan
• Chevron Emergency Alert System (1992) – User Compromise
• Salt River Project (1994) – Trojan
• Worcester, MA Airport (1997) – Root Compromise & Denial of Service
• Gazprom (1999) – User Compromise & Trojan
• California System Operator (2001) – Root Compromise
• Davis-Besse Nuclear Power Plant (2003) – Worm
• CSX Corporation (2003) – Virus
• Tehama Colusa Canal Authority (2007) – Misuse of Resources
• Stuxnet (2010) – Worm, Root Compromise, Trojan
• Night Dragon (2011) – Social Engineering, User Compromise, Root Compromise
• DUQU (2011) – Virus
• Flame (2012) – Worm
(Contd.)
• Russian-Based Dragonfly Group Attacks Energy Industry (2014) – Power and Utilities, United States
• U-2 spy plane caused widespread shutdown of U.S. flights: report (2014) – Transportation, United States
• After 'Godzilla Attack!' U.S. warns about traffic-sign hackers (2014) – Transportation, United States
• Public utility compromised after brute-force hack attack, says Homeland Security (2014) – Power and Utilities, United States
SCADA Security Incidents – Examples
Worcester Air Traffic Communications (March 1997): Disabled part of the PSTN using a dial-up modem; the airport control and communication system was affected, and the radio transmitter that activates the runway lights was shut down.
Maroochy Shire Sewage Spill (2000): Using a radio transmitter, the control system for a sewage pumping station was interrupted on 46 occasions, causing malfunctions that resulted in the release of about 264,000 gallons of raw sewage into nearby rivers and parks.
Northeast Power Blackout (August 2003): Failure of the alarm processor in the SCADA system prevented control room operators from having adequate situational awareness of critical operational changes to the electrical grid, leading to an uncontrolled cascading failure of the grid. A total of 61,800 MW of load was lost as 508 generating units at 265 power plants tripped.
Stuxnet Worm (2010, 2012): Latest widely published cyber attack on ICS. The objective was to corrupt Siemens PLC function by rewriting parts of the code and turning it into the attacker's agent. Targets were nuclear power plants and power grids. On 25 December 2012, an Iranian semi-official news agency announced there had been a cyberattack by Stuxnet on industries in the southern area of Iran.
How STUXNET Worked
SCADA Vulnerabilities
Architectural vulnerabilities
• Weak separation between process network & field network
• Lack of authentication among the active components
Security policy vulnerabilities
• Patch management policies
• Anti-virus update policies
• Access policies
Software vulnerabilities
• Buffer overflows
• SQL injection
• Format string
• Web application vulnerabilities
Communication protocol vulnerabilities in
• DNP 3.0 (IP based)
• IEC 870-5-101 profile
• IEC 870-5-104 profile (IP based)
• Inter Control Centre Protocol (ICCP, IP based)
Wireless vulnerabilities
• Vulnerabilities in field devices with Ethernet interface – PLCs, RTUs, IEDs etc.
R&D Initiatives of CDAC – Development of Building Blocks
SCADA aware security gateway
• Firewall – Modbus TCP, DNP3, ICCP
• IDS – signature and behaviour anomaly based
• Bump-in-the-wire
Secure SCADA protocols
• Security layer for ICCP TASE.2, MMS protocol layers
• Security layer for IEC 61850 protocol
Hardware/software hardened secure SCADA
• RTU – OS hardening, role based access control, data authentication
• DACS (proprietary) protocol – challenge / response
• SCADA/HMI – role based access control, biometric authentication, control data encryption, SCADA configuration hardening
• Security hardened WSN – IEC 62591 (WirelessHART)
Development of Building Blocks
Attack resilient control algorithms
• Robust networked control
• State controller – robust Kalman filter with Bernoulli loss model
• H∞ control – system with unpredictable structural changes
• Fault-tolerant control using data fusion and state observer
• Power system simulation, collocation and control
• State estimation
End point security framework in SCADA
• Whitelist framework for SCADA security with application control, network access control, USB mass storage device and USB communication device control for Windows and Linux based end points
• Mobile security solution with application aware firewall, anti-malware and offline mobile application analyser features for Android based mobiles
Development of Building Blocks
Security testing tools
• Attack simulators
  - SCADA malware DoS (APT) scenario
  - SCADA unauthorized command execution scenario
  - SCADA system data poisoning
• SCADA protocol fuzzers – Modbus TCP, DNP3, ICCP
SCADA forensics and incident response tools
• Forensics acquisition and analysis of
  - Computers on a SCADA network
  - RTU/PLC intelligent field devices
Security tools for wireless field devices
• Wireless security analyser and detector
• Wireless security analysis system – IEC 62591 (WirelessHART)
• Intrusion detection system
Attack modelling framework & tool
• Fault Tree Analysis (FTA)
• Attack trees
• Petri nets
Monitoring and management tools for risk assessment
• Auditing tool based on SCAP protocol
SCADA AWARE SECURITY GATEWAY
[Figure: the SCADA aware security gateway (SCADA aware firewall plus network intrusion detection system) sits between the enterprise network (internal router or switch, Internet) and the control network (internal router or switch, PLCs and RTUs).]
Secure RTU Architecture
[Figure: RTU with a CPU running a hardened Linux OS and AI/AO/DI/DO modules to the sensors and actuators; RBAC policies and data integrity enforced on the RTU; security enhanced SCADA protocol with challenge/response authentication towards the server and consoles 1 and 2 over a network switch. RBAC – Role Based Access Control.]
Challenge / Response Authentication for RTU Master Communication
[Figure: message sequence between RTU and master.]
If H != HASH(N | S): Reset Connection
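The check above in Python, as an added example (not the C-DAC RTU or DACS protocol code); it takes N as a random nonce issued by the RTU for each connection attempt, S as a secret shared with the master and SHA-256 as HASH, all assumptions, and additionally refuses a re-presented (N, H) pair:

```python
"""Challenge/response check for RTU-master communication, as on the slide:
the RTU resets the connection if the received H != HASH(N | S).

Added example, not the C-DAC RTU or DACS protocol code.  Assumptions: N is a
random nonce issued by the RTU per connection attempt, S is a secret shared
with the master, HASH is SHA-256 and "|" is byte concatenation.
"""
import hashlib
import hmac
import secrets


class AuthError(Exception):
    """Raised when the RTU decides to reset the connection."""


def response_hash(nonce: bytes, secret: bytes) -> bytes:
    """H = HASH(N | S), computed by the master from the challenge N."""
    return hashlib.sha256(nonce + secret).digest()


class RtuAuthenticator:
    """RTU side: issue single-use challenges and verify the master's response."""

    def __init__(self, secret: bytes, nonce_len: int = 16):
        self._secret = secret
        self._nonce_len = nonce_len
        self._pending = set()        # (session, nonce) issued but not yet answered
        self.authenticated = set()   # sessions that passed the check
        self.resets = 0              # connections reset because a check failed

    def challenge(self, session: str) -> bytes:
        nonce = secrets.token_bytes(self._nonce_len)
        self._pending.add((session, nonce))
        return nonce

    def verify(self, session: str, nonce: bytes, h: bytes) -> bool:
        key = (session, nonce)
        if key not in self._pending:
            # Unknown or already-consumed challenge: a replayed (N, H) pair
            # ends up here because every nonce is accepted once only.
            self.resets += 1
            raise AuthError("reset connection: unknown or reused challenge")
        self._pending.discard(key)
        expected = response_hash(nonce, self._secret)
        # If H != HASH(N | S): reset connection.  compare_digest keeps the
        # comparison time independent of where the digests differ.
        if not hmac.compare_digest(expected, h):
            self.resets += 1
            raise AuthError("reset connection: response does not match")
        self.authenticated.add(session)
        return True


def run_handshake_demo() -> dict:
    """Three attempts against one RTU; returns the outcome of each."""
    secret = b"constructed-shared-secret-for-demo"   # constructed value
    rtu = RtuAuthenticator(secret)
    outcome = {}

    # 1. A master that knows S answers the challenge correctly.
    n1 = rtu.challenge("master-session-1")
    h1 = response_hash(n1, secret)
    outcome["correct_secret"] = rtu.verify("master-session-1", n1, h1)

    # 2. The same (N, H) pair presented again: rejected, the nonce is spent.
    try:
        rtu.verify("master-session-1", n1, h1)
        outcome["replayed_pair"] = True
    except AuthError:
        outcome["replayed_pair"] = False

    # 3. A peer without S cannot produce HASH(N | S) for a fresh N.
    n2 = rtu.challenge("master-session-2")
    try:
        rtu.verify("master-session-2", n2, response_hash(n2, b"wrong-secret"))
        outcome["wrong_secret"] = True
    except AuthError:
        outcome["wrong_secret"] = False

    outcome["resets"] = rtu.resets
    return outcome


if __name__ == "__main__":
    print(run_handshake_demo())
```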
Operating System Hardening
• SELinux (Security Enhanced Linux) provides enhanced security
• A set of kernel modifications and user-space tools that can be added using LSM (Linux Security Modules)
• Configurable policy engine supporting Type Enforcement (TE) and Role Based Access Control (RBAC)
• Type Enforcement (TE) is the mechanism that actually determines if a particular operation is permitted
• The Type Enforcement feature of the operating system provides strong separation of:
  - The operating system from applications
  - Applications from each other
Security Hardened SCADA Software
• Enrich the web based SCADA application with strong security features
  - User authentication with role based access
  - Use of strong multi-factor user authentication via biometric interfaces and strong passwords
  - Improved web application security by the use of secure data transfer between server and client using technologies like SSL
  - Encryption of control data
  - Secure configuration database using database encryption
  - Use of electronic signatures
  - Protocol hardening by using a secure SCADA protocol for communication with the RTU
• Develop ICCP server and client interfaces for the SCADA software
Security Hardening of Wireless Sensor Network
Security in Wireless Sensor Network
To harden the existing wireless sensor network system for industrial automation developed under the ASTeC programme funded by DeitY.
Objectives
1. Design and implementation of IEC 62591 (WirelessHART) standard based security features on the wireless sensor node.
2. Design and implementation of IEC 62591 (WirelessHART) standard based security features on the backbone router (base station).
3. Design & development of a Network Manager for the wireless sensor network.
4. Design & development of a Security Manager for the wireless sensor network.
WiSArD Architecture
[Figure: WiSArD architecture.]
Attack Resilient Control Algorithms
RESILIENT INDUSTRIAL CONTROL SYSTEM (RICS)
A control system designed and operated such that:
• The incidence of undesirable incidents can be minimized
• Most undesirable incidents can be mitigated
• Adverse impacts of undesirable incidents can be minimized
• It can recover normal operation in a short time
3 – Layer System Model
[Figure: three-layer system model.]
Resilience curve illustrating the Characteristics of Resilient ICS
[Figure: resilience curve.]
ESTIMATING RESILIENCE OF AN ICS
ESTIMATION METRICS (Incident i)
Event points on the resilience curve: no performance degradation; system reaches performance bottom; system identifies incident; system recovers normal operation.
Time metrics computed from the event times of incident i:
Protection time      $T^p_i = t^d_i - t^0_i$
Degrading time       $T^d_i = t^m_i - t^0_i$
Identification time  $T^i_i = t^i_i - t^0_i$
Recovery time        $T^r_i = t^r_i - t^0_i$
Loss metrics computed from the curve: performance degradation, performance loss, total financial loss, potential critical loss.
Fault tolerant Control System using Sensor Fusion
The Two-Level Linear State Estimator
[Figure]
Cybervulnerability and Mitigation studies using a SCADA Test Bed
SCADA Test Bed Architecture
[Figure: Control Centre 1 (C-DAC SCADA system with master server, ICCP server, workstation, web server and HMI; third party SCADA system) and Control Centre 2 (ICCP server, SCADA/HMI server, network manager, security manager) connected over ICCP and DNP3 through firewalls / security gateways and routers to a corporate network, the Internet and a mobile handset; control networks with RTUs, PLCs, sensors/relays and field devices driving a 3-tank process system, a temperature process control system, a power plant simulator and a power transmission & distribution network simulator; C-DAC and third party wireless sensor networks (WSN) with a WSN gateway; attack injectors, SCADA attack simulator (AS) / tools and forensic tools placed at each tier; MLC.]
ON-LINE CONTROLLER DESIGN / RECONFIGURATION FOR NEW SITUATION
Operating Regime Learning and Switching of Controllers to cover wide spectrum of Plant Operation
[Figure: a planning layer (set points, production strategies, production schedule, business intelligence) above two controller structures. Type-1, multiple model switching controllers: a controller bank and a model bank act on the process; a performance index is calculated from the output y, the model estimate ŷ and the reference yr (disturbance d, control u), and a switching strategy with co-operation selects the controller. Type-2, multiple model learning adaptive controllers: an identification and decision supervisor over a bank of controllers (U1, U2 … Un) acting on the plant (U, Y); online controller design produces a new controller and a new model.]
Diagram of the Resilient Controller
[Figure]
Application 1 : Layout of Plant No. 4, Tuticorin Thermal Power Station
[Figure: plant layout.]
Architecture of overall Automation System in Unit 4, TTPS
[Figure: the existing ABB PROCONTROL P 13/42 system (steam temperature control, furnace safety system, soot blower, turbine control) and HITACHI HIDIC V 90/20 system (drum, ID/FD fans, PA fans, BFPs, mill control) exchange field I/O signals and control signals over OPC with the secured CDAC automation system (SH control, RH control, modelling & simulation, prediction control, soft sensor for coal flow, expert system, cooling water pump monitoring).]
SYSTEM ARCHITECTURE – TTPS / Secured Automation System for TTPS Boiler
[Figure: server, operator consoles 1 and 2, expert system for operator guidance and real-time modelling, simulation and prediction system behind Security Gateway 1; network switches 1 and 2 to the field controllers: iCon#1 with field I/Os for the superheater (left & right) prediction control system implementation, iCon#2 and iCon#3 for the reheater (left & right) control system and expert system; pulverised coal flow soft sensor with six coal flow soft sensors on coal mills A–F; wireless nodes iWiSe 1, iWiSe 2 … iWiSe 12 for motor bearing, winding temperature & discharge pressure of cooling water pump house II (4 pumps); Security Gateway 2, wireless network manager, wireless security manager, backbone routers / base stations, wireless field devices (WFD), wireless IDS and intrusion detection analysis system.]
KALMAN FILTER STATE ESTIMATION AND SECURITY SYSTEM IMPLEMENTATION IN THERMAL POWER STATIONS
SCHEMATIC DIAGRAM OF STEAM, WATER AND FLUE GAS FLOW LINES OF A DRUM TYPE BOILER
[Figure: pressure control and temperature control loops on a common boiler schematic.]
CONVENTIONAL SUPERHEATER STEAM TEMPERATURE CONTROL SYSTEM
[Figure]
CONTROL PROBLEMS OF SECONDARY SUPERHEATER
• The secondary superheater exhibits a large process lag (p) of the order of 8 to 10 minutes
• The process lag changes heavily according to factors such as main steam flow, CV of coal, etc.
[Figure: main steam temperature and fuel / spray flow against time and the set value; responses 1, 2 and 1', 2' separated by the process lag p.]
CONCEPT OF STEAM TEMPERATURE PREDICTIVE CONTROL SYSTEM BY M/s HITACHI
$\hat\theta(t+p)$ = predicted estimate for p secs into the future, knowing the estimate at time t
$\theta(t)$ = main steam temperature
[Figure: the set point and $\hat\theta(t+p)$ are compared at the input of the PID controller, which drives the process (superheater system); a predictor (prediction time = p sec) based on a Kalman filter / linear regression produces $\hat\theta(t+p)$ from $\theta(t)$.]
PROPOSED METHOD OF STEAM TEMPERATURE CONTROL
[Figure: the set point is compared with the predicted steam temperature (prediction for p secs, 8 to 10 minutes) at a PI controller, cascaded with a second PI controller acting on the attemperator dynamics and the secondary superheater dynamics; the present main steam temperature and the predicted value are plotted against time, with the prediction time p marked on the fuel / spray flow and main steam temperature curves (responses 1, 2 and 1', 2').]
ARCHITECTURE OF ADAPTIVE PREDICTIVE STEAM TEMPERATURE CONTROL SYSTEM (Incorporates Control System Security)
[Figure: main steam temperature set point (541 °C) into a conventional PID control system acting on the boiler plant (fuel flow / spray flow); state estimation by Kalman filter yields Xs(k/k); N-step state prediction by Kalman filter yields Xs(k+N/k) and the predicted steam temperature Ts(k+N/k); adaptive process identification by Kalman filter updates the boiler plant model (Xs(k+1) from Xs(k) and U(k)) and the computation of the controller parameters KP, KI, KD.]
INTEGRATED MODEL FOR BOILER
[Figure: furnace model ($\dot X = f(X,U)$) with furnace inputs and furnace exhaust gas; drum model ($\dot X_d = f(X_d,U_d)$) producing saturated drum steam; primary superheater model ($\dot X_p = A_p X_p + B_p U_p$); attemperator model; secondary superheater model ($\dot X_s = A_s X_s + B_s U_s$) delivering main steam; furnace gas model. Signal labels are flows F, temperatures T, enthalpies h and heat flows q with subscripts for steam (s), primary (p), drum (d), gas (g), reheater (r), spray (sp), inlet (si), exhaust gas (eg), water (ew), metal (m), air (a) and fuel (f).]
STATE ESTIMATION USING KALMAN FILTER
STOCHASTIC PROCESS MODEL
Xs(k) = sXs(k–1) + sUs(k–1) + Ω W(k–1), with Xs(0) = Xo
is a 2x2 coefficient matrix
OBSERVATION MODEL
Ys(k) = CXs(k) + V(k)
W(k) – process noise, 2x1
V(k) – measurement noise, 2x1
White noise sequences: stationary, zero mean, Gaussian
The SSH is considered as a stochastic process.
It is assumed that very little is known about the process initially: Xs(0/–1) = 0 and P(0/–1) =
KALMAN FILTER ALGORITHM
(i) Error variance algorithm: P(k/k) = [P^-1(k/k–1) + C^T R^-1 C]^-1
(ii) Gain algorithm: K(k) = P(k/k) C^T R^-1
(iii) Estimation algorithm: Xs(k/k) = Xs(k/k–1) + K(k) [Ys(k) – C Xs(k/k–1)]
(iv) Prediction (extrapolation) algorithm: Xs(k/k–1) = sXs(k–1/k–1) + sUs(k–1); P(k/k–1) = sP(k–1/k–1)sT + QT
STATE ESTIMATION USING KALMAN FILTER (contd.)
COMPUTATIONAL SEQUENCE OF N-STEP PREDICTION BY KALMAN FILTER
Enter loop with Xs(k/k–1) and P(k/k–1)
→ Compute error variance P(k/k)
→ Compute Kalman gain K(k)
→ Compute filtered estimate Xs(k/k)
→ Project one step ahead: Xs(k+1/k) and P(k+1/k)
N-step prediction: Xs(i+1/k) = sXs(i/k) + sUs(k); P(i+1/k) = sP(i/k)sT + QT, for i = k, k+1, k+2 … k+N–1
Result: Xs(k+N/k) and P(k+N/k)
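The recursion (i)–(iv) and the N-step prediction loop above in plain Python, as an added example rather than C-DAC code; the state-transition and input coefficient matrices whose symbols were lost in the slide extraction are named F and G here, the process-noise term is taken as Ω Q Ωᵀ, and the plant values and the noise-free measurements are constructed for the demo:

```python
"""Kalman filter recursion (steps (i)-(iv) on the slide) and N-step prediction
for the 2-state stochastic process model.  Added example, not C-DAC code.
Assumptions: the slide's state-transition and input coefficient matrices, lost
in extraction, are named F and G; the process-noise term is Omega Q Omega^T;
model values and the noise-free measurements are constructed.  Plain-Python
2x2 algebra, so no numpy is needed.
"""


def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def mat_add(a, b):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def mat_sub(a, b):
    return [[x - y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def mat_t(a):
    return [list(col) for col in zip(*a)]

def inv2(a):
    """Inverse of a 2x2 matrix (every covariance here is 2x2)."""
    (p, q), (r, s) = a
    det = p * s - q * r
    if det == 0:
        raise ValueError("singular matrix")
    return [[s / det, -q / det], [-r / det, p / det]]


class KalmanFilter:
    def __init__(self, F, G, Omega, Q, C, R, x0, P0):
        self.F, self.G, self.C = F, G, C
        self.x, self.P = x0, P0                    # Xs(k/k-1), P(k/k-1) on loop entry
        self.noise_cov = mat_mul(mat_mul(Omega, Q), mat_t(Omega))
        self.CtRinv = mat_mul(mat_t(C), inv2(R))   # C^T R^-1, reused every step

    def update(self, y):
        """Steps (i)-(iii): error variance, Kalman gain, filtered estimate Xs(k/k)."""
        # (i)   P(k/k) = [P^-1(k/k-1) + C^T R^-1 C]^-1
        self.P = inv2(mat_add(inv2(self.P), mat_mul(self.CtRinv, self.C)))
        # (ii)  K(k) = P(k/k) C^T R^-1
        K = mat_mul(self.P, self.CtRinv)
        # (iii) Xs(k/k) = Xs(k/k-1) + K(k) [Ys(k) - C Xs(k/k-1)]
        self.x = mat_add(self.x, mat_mul(K, mat_sub(y, mat_mul(self.C, self.x))))
        return self.x

    def _extrapolate(self, x, P, u):
        x_next = mat_add(mat_mul(self.F, x), mat_mul(self.G, u))
        P_next = mat_add(mat_mul(mat_mul(self.F, P), mat_t(self.F)), self.noise_cov)
        return x_next, P_next

    def project(self, u):
        """Step (iv): one step ahead, Xs(k+1/k) and P(k+1/k)."""
        self.x, self.P = self._extrapolate(self.x, self.P, u)
        return self.x

    def predict_n(self, u, n):
        """N-step prediction Xs(k+N/k), P(k+N/k) with Us(k) held constant;
        the filter's own state is not advanced."""
        x, P = self.x, self.P
        for _ in range(n):
            x, P = self._extrapolate(x, P, u)
        return x, P


def run_kalman_demo(steps=30, n_ahead=5):
    """Track a constructed noise-free plant for `steps` cycles; returns
    (filtered estimate error, N-step prediction error, P(k+N/k))."""
    F = [[0.90, 0.10], [0.00, 0.80]]          # assumed 2x2 transition matrix
    G = [[0.00], [0.20]]                      # assumed input gain (fuel / spray flow)
    Omega = [[1.0, 0.0], [0.0, 1.0]]
    Q = [[1e-4, 0.0], [0.0, 1e-4]]            # process noise covariance
    C = [[1.0, 0.0], [0.0, 1.0]]              # both states observed, so Ys is 2x1
    R = [[1e-2, 0.0], [0.0, 1e-2]]            # measurement noise covariance
    # "very little is known initially": Xs(0/-1) = 0 with a large P(0/-1)
    kf = KalmanFilter(F, G, Omega, Q, C, R, [[0.0], [0.0]], [[1e6, 0.0], [0.0, 1e6]])
    x_true, u = [[1.0], [0.5]], [[1.0]]
    for _ in range(steps - 1):
        kf.update(mat_mul(C, x_true))         # constructed measurement Ys(k), no noise
        x_true = mat_add(mat_mul(F, x_true), mat_mul(G, u))
        kf.project(u)
    kf.update(mat_mul(C, x_true))
    est_err = max(abs(kf.x[i][0] - x_true[i][0]) for i in range(2))
    x_pred, P_pred = kf.predict_n(u, n_ahead)
    x_ref = x_true                            # truth propagated N steps for comparison
    for _ in range(n_ahead):
        x_ref = mat_add(mat_mul(F, x_ref), mat_mul(G, u))
    pred_err = max(abs(x_pred[i][0] - x_ref[i][0]) for i in range(2))
    return est_err, pred_err, P_pred
```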
ADAPTIVE PROCESS IDENTIFICATION
Using Extended Kalman Filter
[Figure: equations of the system model, the parameter model and the augmented system model (state X, coefficient matrices A and C, measurement noise V, parameter vector θ). θ – parameter vector.]
Architecture of a SCADA-specific Security Solution (Xware)
[Figure: Xware AB – Sweden]
Trust Counter – Data Fusion assurance for the Kalman Filter in Uncertain Networks
[Figures]
Contaminated Measurements
[Figure]
Detection of Multiple Outliers
[Figure: detection of 3 outliers]
[Figure: detection of 4 outliers]
Optimization of Drinking Water Production, Distribution and Consumption – Grand Challenges and Technology Driven Solutions for the Modern World
Conventional Chemical Addition Control (pH and Turbidity)
[Figure: chemical dosing through variable speed drives.]
Clarifier lag Compensation and Optimal Process Control
[Figure: a model driven estimator/predictor drives the variable speed drives.]
Cyberattack on Drinking Water Supply System
Maroochy Shire Sewage Spill (2000)
Using a radio transmitter, the control system for a sewage pumping station (Queensland, Australia) was interrupted on 46 occasions, causing malfunctions that resulted in the release of about 264,000 gallons of raw sewage into nearby rivers and parks.
Consequently, the drinking water supply system was badly affected: it was polluted by sewage water.
HYDRAULIC MODEL AND SCADA DRIVEN SYSTEM OPTIMIZATION
Combine hydraulic modelling and SCADA into one software application
OPTIMIZATION METHODOLOGY
• Collocation (on-line)
• Multiple shooting (off-line)
• SCADA security
• Simultaneous system simulation & optimization
  - Analyse events as they happen
  - Perform first simulation with operational decision
  - Monitor accuracy
  - Change decision and quickly perform second simulation
  - Compare level of improvement
  - Select ready-to-go campaign
  - Implement control decisions
• Problems that remain
• Costs of the change
COLLOCATION ENSURES ICS SECURITY
Secured Automation System
[Figure: server, operator consoles 1 and 2, leakage detection system, simulation-driven optimization system and chemical addition optimization system behind Security Gateway 1; controllers iCon#1, iCon#2 and iCon#3 with field I/Os behind Security Gateway 2; wireless network manager, wireless security manager, backbone routers / base stations, wireless field devices (WFD), wireless IDS and intrusion detection analysis system; inputs/control commands flow between the two tiers.]
Thank You
Representative efforts in the area of best practices for control systems security
[Table]
Representative efforts in the area of best practices for control systems security (Contd.)
[Table]
Cybervulnerability and Mitigation studies using a SCADA Test Bed
International Scenario
• Idaho National Laboratories, National SCADA Test Bed Programme
• The Centre for SCADA Security, Sandia National Laboratories
• US Department of Energy, National SCADA Test Bed Programme
• NERC (North American Electric Reliability Corporation) reliability standards for CIP
• VIKING (Vital Infrastructure, Networks, Information and Control Systems Management) – a research project funded by the EU to create tools for risk analysis, develop a requirement baseline and test mitigations against threats
Security Aware Gateway – Proposed developments
SCADA Aware Firewall
o Rule-based filtering
o Stateful Packet Inspection (SPI)
o Threshold-based filtering
o Secure firewall configuration interface
Network Intrusion Detection/Prevention System (NIDS/NIPS)
o Signature based
o Anomaly based
Protocols supported
o Modbus TCP
o DNP 3.0
o ICCP
o IEC 60870-5-104
o DACS
Features of SCADA Aware Firewall
Rule-based filtering: A series of rules is defined based on allowable source and destination IP addresses, the listening port numbers of the respective protocols and the protocol header.
Stateful packet inspection: Tracks the interrelationship between the packets allowed by keeping a history of accepted packets and the state of the current connection; only anticipated traffic is accepted.
Threshold-based filtering: Works by keeping statistics on the packets received and monitoring for threshold crossings based on configured time intervals and threshold levels. It consists of a database that maintains packet counts and a monitoring module that detects and enforces threshold crossings.
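The three filtering modes above applied to Modbus TCP, as an added Python example that is not the C-DAC gateway; the hosts, rules, threshold, window and frames are constructed, and the MBAP header layout is the one defined by the Modbus TCP specification:

```python
"""Minimal SCADA-aware packet filter showing the three features listed for the
SCADA aware firewall (rule-based filtering, stateful packet inspection,
threshold-based filtering) on Modbus TCP.  Added example, not the C-DAC
gateway; hosts, rules, window, threshold and packets are constructed.
Modbus TCP frames start with the MBAP header: transaction id (2 bytes),
protocol id (2, always 0), length (2, bytes that follow), unit id (1), then
the function code (1).
"""
import struct
from collections import defaultdict, deque
from dataclasses import dataclass

MODBUS_PORT = 502
MBAP = struct.Struct(">HHHBB")        # tid, protocol id, length, unit id, function


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    ts: float                         # arrival time, seconds


def build_modbus(tid, unit, fc, data):
    """Constructed Modbus TCP frame; length counts unit id + function + data."""
    return MBAP.pack(tid, 0, 2 + len(data), unit, fc) + data


class ScadaFirewall:
    def __init__(self, rules, threshold, window):
        self.rules = rules            # {"src": master, "dst": rtu, "functions": {codes}}
        self.threshold, self.window = threshold, window
        self.open_requests = set()    # (master, rtu, master port) awaiting a reply
        self.arrivals = defaultdict(deque)   # packet-count database per source

    def filter(self, pkt):
        # Threshold-based filtering: packets per source inside the time window.
        seen = self.arrivals[pkt.src]
        while seen and pkt.ts - seen[0] >= self.window:
            seen.popleft()
        seen.append(pkt.ts)
        if len(seen) > self.threshold:
            return "DROP threshold exceeded"
        # Stateful inspection: an RTU reply passes only if it answers a request
        # this gateway accepted, so only anticipated traffic gets through.
        if pkt.sport == MODBUS_PORT:
            key = (pkt.dst, pkt.src, pkt.dport)
            if key not in self.open_requests:
                return "DROP unsolicited response"
            self.open_requests.discard(key)
            return "ACCEPT response"
        # Rule-based filtering: listening port, protocol header, then address
        # and function-code rules.
        if pkt.dport != MODBUS_PORT:
            return "DROP port not allowed"
        if len(pkt.payload) < MBAP.size:
            return "DROP short header"
        _tid, proto, length, _unit, fc = MBAP.unpack_from(pkt.payload)
        if proto != 0:
            return "DROP bad protocol id"
        if length != len(pkt.payload) - 6:
            return "DROP length mismatch"
        for rule in self.rules:
            if rule["src"] == pkt.src and rule["dst"] == pkt.dst and fc in rule["functions"]:
                self.open_requests.add((pkt.src, pkt.dst, pkt.sport))
                return f"ACCEPT request fc={fc}"
        return "DROP no matching rule"


def run_firewall_demo():
    """Constructed traffic through the filter; returns the verdicts in order."""
    master, rtu, poller, stranger = "10.0.0.10", "10.0.1.20", "10.0.0.30", "10.0.0.99"
    fw = ScadaFirewall(rules=[{"src": master, "dst": rtu, "functions": {3, 4}},   # reads only
                              {"src": poller, "dst": rtu, "functions": {4}}],
                       threshold=5, window=1.0)          # at most 5 packets/s per source
    read_req = build_modbus(1, 1, 3, b"\x00\x00\x00\x0a")    # read 10 holding registers
    read_resp = build_modbus(1, 1, 3, b"\x14" + b"\x00" * 20)
    write_req = build_modbus(2, 1, 16, b"\x00\x00\x00\x01\x02\x00\x00")
    bad_proto = MBAP.pack(3, 1, 6, 1, 3) + b"\x00\x00\x00\x0a"   # protocol id 1
    verdicts = [
        fw.filter(Packet(master, rtu, 40001, 502, read_req, 0.0)),
        fw.filter(Packet(rtu, master, 502, 40001, read_resp, 0.1)),
        fw.filter(Packet(rtu, master, 502, 40001, read_resp, 0.2)),    # repeated reply
        fw.filter(Packet(master, rtu, 40002, 502, write_req, 0.3)),   # write not in rule
        fw.filter(Packet(stranger, rtu, 40003, 502, read_req, 0.4)),  # unknown source
        fw.filter(Packet(master, rtu, 40004, 502, bad_proto, 0.5)),
    ]
    # Six polls from the poller within one second: the sixth crosses the threshold.
    for i in range(6):
        poll = build_modbus(10 + i, 1, 4, b"\x00\x00\x00\x01")
        verdicts.append(fw.filter(Packet(poller, rtu, 41000 + i, 502, poll, 1.0 + 0.01 * i)))
    return verdicts
```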
Features of NIDS
Signature based: Attack scenarios exploiting the vulnerabilities in Modbus, DNP 3.0, ICCP, IEC 60870-5-104 and DACS are transformed into corresponding signature rules in the onboard NIDS.
Anomaly based: Detects zero-day attacks based on statistical samples of network or host operating information (like CPU utilization rate, number of failed login attempts, etc.) and their deviation from the norm.
Provision to manually import persistent alerts from the anomaly-based IDS mode as a signature rule in the signature-based IDS mode, after an expert verifies and validates the alert as a possible attack scenario.
Security Hardened RTU/Controller
To address SCADA vulnerabilities it is proposed to enrich the RTU developed by C-DAC with the following security enhancements:
• Role Based Access Control
• Security enhanced SCADA protocol
• Kernel/OS hardening
• Data authentication
Role Based Access Control
Role-based Access Control (RBAC) is a method of regulating access to RTU resources based on the roles of individual users within an organization. Access control provides improved security by allowing users access to only certain permissions.
SCADA Forensics – System Architecture & Tools
[Figure: forensics data acquisition tool suite covering SCADA computer systems, control layer nodes (RTU), intelligent electronic devices and field devices: computer disk / memory / log acquisition tool, RTU/PLC non-volatile memory acquisition tool, intelligent field device non-volatile memory acquisition tool; the forensics images feed the SCADA forensics analysis tool.]