A Cyber Infrastructure SCADA Testbed Environment for Research on the Nation's Critical Infrastructure
1. A Cyber Infrastructure SCADA Testbed Environment for Research on the Nation's Critical Infrastructure
Christopher Klaus
Cyber Defense Laboratory
Western Kentucky University
SCADA Cyber Attack Data Warehouse User Facility
UNCLASSIFIED
2. Significance of SCADA Vulnerabilities
Maroochy Shire Sewage Spill
In 2000, a disgruntled former contractor whose job application had been rejected remotely accessed sewerage pumping stations, releasing millions of liters of raw sewage into nearby rivers and parks.
Davis-Besse Power Plant
In 2003, the Nuclear Regulatory Commission confirmed that the Slammer worm had infected the Davis-Besse nuclear power plant's SCADA network, disabling a safety monitoring system for nearly 5 hours and the plant's process computer for almost 6 hours.
CSX Train Signaling System
In 2003, the Sobig virus infected the CSX train control computer, shutting down the train and track signaling systems along the entire East Coast of the U.S. Train services were delayed for 4 to 6 hours.
Worcester Air Traffic Communications
In 1997, a teenager knocked out phone service to the control tower, airport security, the airport fire department, the weather service, and the carriers that use the airport. The tower's main radio transmitter, a second transmitter that activates the runway lights, and the printer that controllers use to monitor flight progress were also shut down.
3. Objectives
Initiate a testing model of competing teams (Red & Blue) that alternately attack and defend a target SCADA system under evaluation.
Implement the INTERROGATOR architecture with example SCADA systems to capture SCADA cyber attacks (network traffic data).
Store the SCADA cyber attack data in the NACMAST Enterprise Data Warehouse.
Demonstrate the research utility of SCADA vulnerability testing and of the stored SCADA cyber attack data.
Expand the model from a SCADA Laboratory to the Biosphere 2, creating a SCADA Testbed User Facility for use by various researchers.
Make the SCADA cyber attack data in the NACMAST Enterprise Data Warehouse available to researchers as another component of the User Facility.
4. FOUR COMPONENTS
• SCADA Laboratory
• INTERROGATOR Architecture
• NACMAST Enterprise Data Warehouse
• Biosphere 2
User Facility Hardware Overview
5. SCADA Laboratory
[Diagram: the SCADA Laboratory network sits behind a Firewall and connects over Ethernet the following elements: Motors, Drives, Actuators; Sensors and other Input/Output Devices; Programmable Logic Controllers (PLC); Human Machine Interface (HMI); PC Based Controllers; Remote Terminal Unit (RTU)]
A SCADA Laboratory will be the initial environment for performing and defending against SCADA cyber attacks.
This environment will also allow testing of appropriate data capture methods and confirmation of the research utility before expanding to the level of a User Facility.
7. NACMAST Enterprise Data Warehouse
Description
A large capacity warehouse to hold cyber attack data for retrospective analysis.
A matrix of storage arrays for both DoD and non-DoD purposes.
Mission
To perform retrospective analysis on cyber attack data.
To develop tools to aid in retrospective analysis.
Status
Ready to collect and store SCADA cyber attack data.
8. Biosphere 2 as a User Facility
The Biosphere 2 is currently controlled by SCADA systems.
The Biosphere 2 is a good representative of critical infrastructures.
Leveraging the SCADA Laboratory implementation, the Biosphere 2 would gain the ability to capture SCADA cyber attacks.
9. FOUR COMPONENTS
• Red and Blue Teams
• SCADA Cyber Attack Data Analysis
• Vulnerability Evaluation of Industry SCADA Systems
User Facility Research Overview
10. Red and Blue Teams
Red & Blue teams would alternate attack and defense activities using the SCADA Laboratory and eventually the Biosphere 2.
These teams would develop SCADA cyber attacks, and defenses against them, such as:
Unauthorized Command Execution
SCADA Denial of Service
SCADA Man-in-the-Middle
Replay
Malicious Service Commands
SCADA cyber attack profiles will be stored for training and research.
11. SCADA Cyber Attack Data Analysis
Utilization of Autonomic Cyber Security to detect abnormal behavior.
Classification of known SCADA cyber attacks using data mining techniques (e.g. neural networks, wavelet analysis, genetic algorithms).
Pattern recognition of SCADA cyber attacks using data mining techniques.
Neural network prediction of SCADA cyber attacks based on identified patterns.
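Added example, not part of the deck and not the INTERROGATOR or NACMAST tooling: a rule-based first pass over captured traffic for four of the attack classes listed on slide 10 (unauthorized command execution, replay, malicious service commands, SCADA denial of service). It is the simplest form of the abnormal-behavior detection this slide describes; the data mining and neural network stages are not shown. Everything protocol-specific is an assumption, since the deck names no protocol: the PLCs are taken to speak Modbus/TCP, the only host permitted to write is an HMI at 10.0.0.10, the thresholds are illustrative, and the capture is constructed inline.

```python
"""Rule-based triage of captured SCADA traffic for the attack classes on slide 10.

Added example, not from the deck. Assumptions (none stated by the deck): the PLCs
speak Modbus/TCP; the only host allowed to write is the HMI at 10.0.0.10; the
thresholds are illustrative; the capture below is constructed for this example.
"""
import struct
from collections import Counter, defaultdict

HMI_HOSTS = {"10.0.0.10"}        # assumed allow-list of hosts permitted to issue writes
WRITE_FUNCS = {5, 6, 15, 16}     # Modbus write single/multiple coil/register functions
DIAG_FUNC = 8                    # Modbus diagnostics: restart comms, force listen-only, ...
DOS_THRESHOLD = 50               # assumed maximum requests per second from one source
REPLAY_GAP = 1.0                 # seconds; the same frame again after this long is suspect


def mbap(tid, unit, pdu):
    """Build a Modbus/TCP frame: MBAP header (transaction id, protocol id 0,
    length of unit id + PDU, unit id) followed by the PDU (function code + data)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse(frame):
    """Parse one Modbus/TCP frame; raise ValueError on a malformed header."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol id or length")
    pdu = frame[7:]
    return {"tid": tid, "unit": unit, "func": pdu[0], "pdu": pdu}


def triage(frames):
    """frames: iterable of (timestamp_seconds, src_ip, raw_bytes).
    Returns a list of (timestamp, src_ip, label) alerts in capture order."""
    alerts = []
    seen = {}                            # (tid, pdu) -> (first_ts, first_src)
    per_second = defaultdict(Counter)    # src -> {int(ts): request count}
    for ts, src, raw in frames:
        try:
            m = parse(raw)
        except ValueError:
            alerts.append((ts, src, "malformed-frame"))
            continue
        # SCADA denial of service: request rate from one source exceeds the threshold.
        per_second[src][int(ts)] += 1
        if per_second[src][int(ts)] == DOS_THRESHOLD + 1:   # one alert per window
            alerts.append((ts, src, "scada-dos"))
        # Unauthorized command execution: a write from a host that is not the HMI.
        if m["func"] in WRITE_FUNCS and src not in HMI_HOSTS:
            alerts.append((ts, src, "unauthorized-command"))
        # Malicious service command: diagnostics function (sub-function 4,
        # force listen-only mode, silences the PLC).
        if m["func"] == DIAG_FUNC:
            alerts.append((ts, src, "malicious-service-command"))
        # Replay: a byte-identical frame (same transaction id and PDU) reappears
        # from another source or long after the original. Transaction ids wrap at
        # 65535, so the gap/source test limits false positives from normal polling.
        key = (m["tid"], m["pdu"])
        if key in seen:
            first_ts, first_src = seen[key]
            if first_src != src or ts - first_ts > REPLAY_GAP:
                alerts.append((ts, src, "replay"))
        else:
            seen[key] = (ts, src)
    return alerts


def sample_capture():
    """Constructed capture: normal HMI polling followed by the four attacks."""
    read = bytes([3]) + struct.pack(">HH", 0, 10)        # read 10 holding registers at 0
    write = bytes([6]) + struct.pack(">HH", 5, 1000)     # write register 5 := 1000
    listen_only = bytes([8]) + struct.pack(">HH", 4, 0)  # diagnostics sub-function 4
    frames = [(0.2 * i, "10.0.0.10", mbap(i + 1, 1, read)) for i in range(5)]
    frames.append((1.0, "10.0.0.10", mbap(6, 1, write)))        # legitimate HMI write
    frames.append((1.2, "10.0.0.66", mbap(1, 1, write)))        # unauthorized write
    frames.append((4.4, "10.0.0.66", mbap(6, 1, write)))        # replay of the HMI write
    frames.append((4.6, "10.0.0.66", mbap(2, 1, listen_only)))  # malicious service command
    for i in range(60):                                          # flood within one second
        frames.append((4.8 + 0.001 * i, "10.0.0.66", mbap(100 + i, 1, read)))
    return frames


if __name__ == "__main__":
    for ts, src, label in triage(sample_capture()):
        print(f"{ts:6.3f}  {src:<11} {label}")
```

Run as a script it prints five alerts; the replayed write fires both the replay and the unauthorized-command rules, which is the right outcome for a frame that is both. Two caveats before trusting rules like these on real captures: a host that can spoof the HMI's address defeats the allow-list, so the write rule should be corroborated with switch-port or ARP evidence; and the replay rule relies on the source or time-gap test because a long-running poller legitimately repeats transaction ids after they wrap.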
12. Vulnerability Evaluation of SCADA Systems
Installations of SCADA systems from various vendors could be tested with the SCADA cyber attack profiles to determine their vulnerabilities.
Methods used to harden other SCADA systems against such attacks could then be applied to determine whether these defensive methods work for that vendor's system.
13. ONE COMPONENT
• NACMAST Enterprise SCADA Training
User Training Overview
14. NACMAST Enterprise SCADA Training
Training for researchers, analysts and other participants will cover the User Facility components:
SCADA cyber attack data on the NACMAST Enterprise Data Warehouse
Utilization of the Biosphere 2 for specific SCADA systems
Training encompasses:
Requirements for SCADA system installation at Biosphere 2
Best practices for Red and Blue team attack and defense activities with SCADA systems
Use of the IDS tools available on the NACMAST Enterprise Data Warehouse
Vulnerability assessment of SCADA systems
Threat assessment
Methods to harden SCADA systems
Research using stored SCADA cyber attack data
15. Summary
Prototype a SCADA Testbed environment that allows capture of SCADA cyber attack data.
Collect a variety and a significant amount of SCADA cyber attacks in the NACMAST Enterprise Data Warehouse.
Utilize Red & Blue teams as one method of research, and analysis of the stored data as another.
Leverage the knowledge gained to turn the Biosphere 2 into a SCADA Cyber Attack Data Warehouse User Facility.
Invite researchers to utilize this User Facility.
Invite industry to implement their SCADA systems for vulnerability testing.