Cdl Scada Poster V2
- 1. Cyber SCADA Research for the Nation's Critical InfrastructureCyber SCADA Research for the Nation's Critical Infrastructure CHRISTOPHER KLAUS*, KEITH ANDREW, and MICHAEL VOGT AbstractAbstract SCADA systems used to control critical infrastructure systems have increasingly become part of our CyberInfrastructure by utilizing the Internet for SCADA communications. Unfortunately SCADA systems were not built with cybersecurity in mind to defend against vulnerabilities inherent with Internet communications. There is a clear need to develop Cyber SCADA Research for the Nation's Critical Infrastructure in order to identify and explore SCADA cyber attacks, correct existing vulnerabilities, and to help defend against these current and future attacks. Western Kentucky University’s Cyber Defense Laboratory (CDL) presents this poster to discuss methods of utilizing advanced pattern recognition, classification, trend predictions and autonomic computing from other challenging disciplines to research SCADA intrusion analysis and prevention. While federal agencies have cyber defense data warehouses for classified data, currently no equivelent unclassified data warehouse is available to academic researchers. The immediately puts a bottle-neck in any attempt to train cyber-security personnel and provide a defense against the rapidly growing cyber threats. The CDL has the largest non-government agency owned classified data warehouse for cyber attack data, called ARL NACMAST. Our strategy leverages this existing infrastructure to create a Cyber Attack Unclassified Data Warehouse for SCADA cyber attacks. This will promote and support the rapid development of effective SCADA Cyber Security research. References Plugfest, SCADA CYBER SECURITY WORKSHOP, Nov. 3, 2010, http://www.nacmast.com/scada-workshop AcknowledgementsAcknowledgements We thank Electronic Warfare Associates and the United States Army Research Laboratory for extensive support and grant funding this research. We also gratefully acknowledge the NACMAST crew and research scientists for supplying data and technical support. Special thanks also goes to WKU’s Advanced Research & Technology Program for aid in administering this grant. KAS Meeting Western Kentucky University Bowling Green, KY Nov. 12-13, 2010 Cyber Defense Laboratory, Western Kentucky University Electronic Warfare Associates Government Systems Inc. Department of Physics and Astronomy Bowling Green, KY 42101 Applied Physics Institute Argonne National Laboratory Army Research Laboratory Cyber Mapping, MTP EDaptive Computing Electronic Warfare Associates, GSI George Mason University Michigan State University Mississippi State University University of Arizona University of Louisville CDL Collaborators Motors, Drives, Actuators Sensors and other Input/Output Devices Programmable Logic Controllers (PLC) Human Machine Interface (HMI) PC Based Controllers Ethernet Remote Terminal Unit (RTU) SCADA Laboratory FirewallSCADA Laboratories at Western Kentucky University, Southern Methodist University, and University of Arizona are being configured as environments to explore SCADA cyber attacks. Each SCADA Laboratory will focus on separate Critical Infrastructure interests . CDL Data Warehouse Appropriate methods to capture network traffic data of SCADA cyber attacks are being explored. Initial testing of data capture is being performed by WKU and SMU with results from the Plugfest at the SCADA Cyber Security Workshop in Dallas, TX. SMU is replicating these attacks, which are captured and transferred to WKU’s CDL Data Warehouse. SCADA Laboratories Leveraging knowledge from data capture with the SCADA Laboratories, the Interrogator / Seminole Architecture will be modified to capture and analyze SCADA cyber attacks. Biosphere 2 The Biosphere 2 is controlled by SCADA systems, and is a good representative of a city’s Critical Infrastructure. Interrogator Architecture Computer Network Defense Analysts (CNDAs) at the CDL and Electonic Warfare Associates will review and document SCADA Cyber Attacks, utilizing network analysis tools within the Interrogator Architecture. CNDAs’ network assessments are based on NSA’s INFOSEC Assessment and Evaluation Methodology Red / blue teams have been created at each university comprised of researchers, faculty, students, and certified ethical hackers. These teams take turns at attacking and defending the SCADA Laboratories. In the future, it is intended that these teams take turns at attacking and defending the Biosphere 2. SCADA cyber attacks: • Unauthorized Command Execution, • SCADA Denial of Service, • SCADA Man-in-the-Middle, • Replay, and • Malicious Service Commands. Network traffic and CNDA documentation of SCADA cyber attacks will be stored in the CDL Data Warehouse. Network sensors will be place in the Biosphere 2’s infrastructure to monitor network traffic. Common SCADA equipment is/was utilized at the SCADA Laboratories and the recent Plugfest. The goal is to encourage industries supporting critical infrastructures to send their SCADA equipment to our laboratories for testing. Biosphere 2 would be utilized for testing interactions between large suites of SCADA equipment. SCADA controls are utilized in all critical infrastructures (electric, water, transportation, etc.). These images are from systems that have been compromised by ad hoc SCADA attacks. Stuxnet is the first example of a SCADA worm, which significantly increases the vulnerabilities of these infrastructures. SCADA cyber attacks are utilized by our research team. The goal is for the CDL Data Warehouse to become available as a user facility for other cyber security researcher teams. Research produces methods for defending and hardening SCADA equipment. Modules for better detection of SCADA cyber attacks will be developed for the Interrogator / Seminole Architecture. Interrogator is the Army Research Laboratory’s (ARL) current IDS architecture, which is utilized for DoD facilities. Seminole is a special ARL- derived IDS architecture for use with non-DoD participants. Current research Planned research