Securing SCADA Systems with Open Source Software

Athar Mahboob
Faculty of Engineering & Applied Sciences, DHA Suffa University, Karachi, Pakistan
E-mail: athar.mahboob@dsu.edu.pk

Junaid Ahmed Zubairi
Department of Computer and Information Sciences, State University of New York at Fredonia, Fredonia NY 14063, USA
E-mail: zubairi@fredonia.edu

978-1-4799-2569-8/13/$31.00 © 2013 IEEE

Abstract: Industrial SCADA systems are deployed all across the globe for refineries, water treatment, nuclear power plants, oil fields and process plants. SCADA systems are vulnerable to attacks by hackers which can damage expensive equipment and jeopardize human health and safety over large areas. In this paper, we define SCADA security related issues and discuss the current security tools and techniques. We then describe our experiments in configuring SCADA security using open source security software tools available under the Linux operating system. A systematic method of securing SCADA systems with such tools is described and the results are discussed.

Keywords: SCADA Security, Honeypot, Industrial Control System, OSSIM, Linux

I. INTRODUCTION

In this paper, we take a look at the security issues and vulnerabilities in industrial SCADA (Supervisory Control and Data Acquisition) systems and present a security console configuration for securing SCADA systems. SCADA systems are industrial control systems configured to control vital installations for the industrialized countries and their associated manufacturing base. For a long time, SCADA systems were protected by obscurity and isolation: the systems were not connected to the Internet and the console commands were difficult for hackers to manipulate. However, with the increasing proliferation of networking and the development of GUI command and control environments, it has become much easier for hackers to penetrate the once isolated SCADA world and to disrupt and disable the operation of expensive equipment, causing huge losses to industry. Hackers can attack a SCADA system to obtain access to the SCADA master control station, compromise an RTU (Remote Terminal Unit) or local PLC (Programmable Logic Controller), spoof an RTU and send incorrect data to the master control station, shut down an RTU, or modify an RTU control program [1]. The losses caused by such intrusions run into millions of dollars, with potential health and safety hazards for large populations. Therefore, it has become increasingly important to secure SCADA systems.

There are many options available to SCADA operators for securing the industrial control network. These include common-sense actions such as enforcing stronger authentication and removing or disabling unneeded features, services and options. In addition, an IDS (Intrusion Detection System) can be configured to detect anomalies in user interactions and so determine that an intrusion is taking place. In earlier work [2], we proposed network traffic monitoring as a tool to detect anomalies such as an excessive flow of commands and data on the network links; it can be used in addition to the other measures and tools deployed on the network. Most of the time a SCADA network carries normal traffic consisting of regular updates from RTUs and sensors. In an emergency such as a fire or a malfunction, the network traffic rises to an abnormally high level, which some term the worst-case scenario. The traffic volume caused by an intrusion would probably lie between these two points, so an intrusion becomes easier to detect when traffic measurement is combined with other monitoring tools. A three color marker scheme similar to trTCM [3] can be deployed, in which traffic exceeding the peak limit is tagged red and traffic between the normal and peak limits is tagged yellow. Several interesting scenarios can be defined with respect to the current plant conditions and the volume of traffic. For example, if the traffic volume is nearing the worst-case level but sensors and alarms are not reporting any extraordinary situation and no new equipment is being commissioned, the condition can be flagged as an intrusion.

Open source software has been established as a viable alternative to commercial software through the efforts of thousands of volunteers coordinating their development work over the Internet. Most open source security software runs on the well-tested Linux platform and is released under the GNU General Public License. Several security tools have been developed under open licenses, including Snort (http://www.snort.org/), Nmap (http://nmap.org/), ntop (http://www.ntop.org/) and Nagios (http://www.nagios.org/). OSSIM is a SIEM (Security Information and Event Management) system that brings together some of the best tested and trusted open source security tools and provides an easy-to-configure GUI environment. It allows the installation of OSSEC (Open Source HIDS SECurity) agents on hosts to provide intrusion detection capability on each computer in the domain. In this paper, we report our work in configuring OSSIM for the purpose of SCADA system security and in creating a test and simulation environment for experimenting with the security of industrial control systems.

The rest of the paper is divided into two main sections. In the next section, we discuss SCADA protocols and standards, followed by SCADA vulnerabilities and issues. In Section 3, we discuss how to configure OSSIM for SCADA security, simulate attacks on an experimental testbed and draw conclusions on securing the ICS (Industrial Control System).
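The three color marking and the intrusion scenario described above, as an added example that is not part of the paper and not an implementation of trTCM: the script below averages the measured packet rate over a short window, marks it green, yellow or red against a normal and a peak limit, and then reads the color together with what the plant itself reports (alarms active, equipment being commissioned). The limits, the state flags, the verdict labels and the measurements are constructed; only the marking rule and the "high traffic with nothing reported" intrusion condition come from the text.

```python
"""Three-color marking of SCADA link traffic, read together with plant state.

Added example, not code from the paper or from any tool it cites. The
normal and peak limits, the plant-state flags and the sample measurements
are constructed; a real deployment would take the limits from a traffic
baseline recorded after commissioning.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Iterable, List, Tuple


@dataclass(frozen=True)
class PlantState:
    alarms_active: bool    # sensors or alarms report an emergency (fire, malfunction)
    commissioning: bool    # new equipment is being brought online


@dataclass(frozen=True)
class Limits:
    normal: float          # steady-state rate after commissioning, packets/s
    peak: float            # worst-case emergency rate, packets/s


def color_of(rate: float, limits: Limits) -> str:
    """trTCM-style marking: green up to the normal limit, yellow between the
    normal and peak limits, red above the peak limit."""
    if rate > limits.peak:
        return "red"
    if rate > limits.normal:
        return "yellow"
    return "green"


def verdict(color: str, state: PlantState) -> str:
    """Read the color in the light of what the plant itself reports."""
    if color == "green":
        return "normal"
    if state.alarms_active:
        return "emergency-load"        # an emergency legitimately drives traffic up
    if state.commissioning:
        return "commissioning-load"    # configuration traffic is expected
    if color == "red":
        return "suspected-flood"       # above worst case with nothing to explain it
    return "suspected-intrusion"       # between normal and peak, nothing to explain it


class TrafficMonitor:
    """Averages the rate over a short window before marking it, so that one
    burst of RTU updates does not by itself change the color."""

    def __init__(self, limits: Limits, window: int = 3) -> None:
        self.limits = limits
        self.samples: Deque[float] = deque(maxlen=window)

    def observe(self, rate: float, state: PlantState) -> Tuple[str, str]:
        self.samples.append(rate)
        smoothed = sum(self.samples) / len(self.samples)
        color = color_of(smoothed, self.limits)
        return color, verdict(color, state)


def run(samples: Iterable[Tuple[float, PlantState]], limits: Limits) -> List[Tuple[str, str]]:
    """Mark a sequence of (rate, plant state) measurements."""
    monitor = TrafficMonitor(limits)
    return [monitor.observe(rate, state) for rate, state in samples]


# Constructed sample: 200 pkt/s steady state, 1000 pkt/s worst case.
LIMITS = Limits(normal=200.0, peak=1000.0)
QUIET = PlantState(alarms_active=False, commissioning=False)
FIRE = PlantState(alarms_active=True, commissioning=False)
SAMPLES = [
    (150.0, QUIET), (180.0, QUIET), (240.0, QUIET),   # one small burst, averaged away
    (700.0, FIRE), (750.0, FIRE),                      # fire alarm: high traffic is expected
    (800.0, QUIET), (850.0, QUIET),                    # alarm cleared, traffic still high
    (1200.0, QUIET), (1300.0, QUIET),                  # above worst case, nothing reported
]

if __name__ == "__main__":
    for (rate, _), (color, result) in zip(SAMPLES, run(SAMPLES, LIMITS)):
        print("%7.1f pkt/s  %-6s  %s" % (rate, color, result))
```

The point of the plant-state check is that the color alone is ambiguous: the same yellow reading is expected during a fire and suspicious on a quiet day. In practice the state flags would come from the alarm list and the commissioning schedule rather than from constants.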

II. SCADA PROTOCOLS AND SECURITY VULNERABILITIES

MODBUS is a serial communications protocol developed by Modicon for communication with PLCs [4]. It is an application layer protocol that can be carried over several supporting transports (serial lines or, as Modbus TCP, over TCP/IP). A typical Modbus transaction consists of a protocol data unit carrying the instruction the server needs to complete the requested action. Modbus is restricted to 247 devices on a data link and does not support large binary objects. Another popular SCADA protocol is DNP3 [5]. It is used by utility companies for issuing commands to open and close relays or valves and for reading data from sensors, and it was selected by the IEEE C.2 Task Force as the RTU to IED communications protocol. In DNP3, a master station communicates with outstations controlling multiple RTUs over serial or IP links. Other SCADA protocols in use include IEC 870-5-101 and IEC 870-5-103 (serial-link profiles; IEC 870-5-104 carries the same application layer over TCP/IP) and TASE.2 (ICCP), which operates over LAN/WAN. The main difference between serial and IP based protocols is that the serial protocols used a modem to reach the remote units; if the underlying channel had sufficient bandwidth, IP networking was possible by running a PPP session between the modems. All modern RTUs have ample computing power and IP-ready networking, making it easy to connect the system to the Internet [6].

The main control room of a SCADA system has at least two sets of identical consoles, for redundancy and to allow two groups of operators to interact with the system. Initial configuration and commissioning of the system generates a lot of back and forth traffic. Once the SCADA system is commissioned, however, normal traffic is at a much lower level, consisting of analog values that are digitized and sent to the master station for data logging. By design, SCADA needs expanded authentication mechanisms. There are two ways to interact with the system. The operator can interact with the system on site, i.e. directly in the physical facility, where intruders are kept out by the facility's physical security. Alternatively, the operator can control the system remotely over IP based communication on radio or wired links. Remote management is more prone to attack because authentication is restricted to software based techniques unless the operator attaches a hardware device for authentication. Additional security risks are created when wireless networking is added to the facility using fixed or mobile access points. Once a hacker gains access to the SCADA LAN, several attacks can be carried out without much knowledge of the network itself. For example, the hacker can generate excessive traffic directed at the whole LAN or at a specific master station, causing it to become unresponsive. The hacker can also send broad, general commands such as reset or reboot to the RTUs, shutting down operational equipment. Such attacks must be detected, and where possible blocked, by a combination of NIDS (Network based Intrusion Detection) and HIDS (Host based Intrusion Detection) [6].

Earlier, the "air gap" principle was prescribed to keep the SCADA network isolated from other networks, and it was considered best practice. At present, most experts agree that the ideal of physically isolated SCADA systems and networks has to be relegated to an archaic and utopian concept [10]. This leaves no option but to apply best-of-breed information security technology to protect SCADA systems. As SCADA systems increasingly resemble standard TCP/IP based systems, the information security tools that matured in the TCP/IP community under the open standards and open source paradigms merit full consideration for their protection. Commercial, vendor-proprietary solutions have long dominated niche segments such as SCADA and ICS. Economic considerations and technical justifications may nevertheless favor the use of open source information security tools to secure SCADA systems and ICS.

III. EXPERIMENTS IN CONFIGURING SCADA SECURITY

In this section, we describe how open source security tools can be used to design an experimental testbed for SCADA security. Threats to the cyber infrastructure of industrial plants pose a recurring problem that requires information security experts and industrial control designers to collaborate on securing such systems. New industrial control systems inevitably use Internet and web based technologies, so multiple layers of security should be woven around them, using many of the existing security tools of the traditional Internet.

A Security Information and Event Management (SIEM) system aims to collect relevant information from various security and information processing tools in one place and process it to build a security picture of the organization. The benefit of SIEM systems lies in their ability to unify security information from disparate sources such as firewalls, IDS/IPS, application servers, VPN gateways, routers and switches and to identify threats in near real time. OSSIM is an open source project which combines a number of best-of-breed open source security tools with an event collection and analysis framework to create a SIEM. The OSSIM framework performs normalization and correlation of events from sources such as firewalls, IDS/IPS, routers, anomaly detectors, network switches and applications, relating them to each other, to IT assets and to the known vulnerabilities of deployed software and systems, in order to generate security alarms. The idea is to minimize false positives and produce more actionable and meaningful intelligence for Information Security Officers. By maintaining a long term record of events in the SIEM database, the system also lays the foundation for systematic forensic and historical analysis to detect security vulnerabilities and abuses over the long term.

OSSIM has been under development for more than a decade. Its major benefit is that it combines best-of-breed open source tools into a formidable SIEM solution. OSSIM is distributed as an installable ISO CD image. AlienVault, the company behind OSSIM, also sells commercial versions as optimized instances on hardware appliances of various configurations, which include an event log digital signing solution usable for legal purposes. With the increased interest in protecting SCADA/ICS systems, AlienVault is also pitching OSSIM as a Unified Security Management (USM) solution for critical infrastructures [11]. Our focus in this work, however, is to create a testbed for learning, training and research using the open source OSSIM.

Figure 1: Experimental Setup [7]

In order to perform experiments in SCADA security, a testbed is configured as shown in Figure 1. The concept of the testbed is taken from [7]; however, the project in [7] has not been updated for a number of years. In [8] the authors also describe an attempt to use the concept of [7] in a more recent software environment. We have set up the testbed using the VirtualBox hypervisor from Oracle [9] on the latest Ubuntu Linux distribution. In this setup, a Modicon Quantum PLC is simulated by a virtual machine produced as part of the SCADA Honeynet project by Digital Bond Inc. [7]. The SCADA Honeynet exposes the Modbus TCP protocol and provides a data point list from an electric substation. These data points represent the voltage, current and status of a protective relay and change randomly to simulate a live PLC. Additionally, Internet services such as HTTP and FTP are configured. An attacker would need a Modbus client to modify the values and thus interfere with the operation of the PLC. The virtual machines all run on a single physical computer under the VirtualBox hypervisor. OSSIM is installed as a unified framework and sensor instance. The Honeywall VM runs the web based management interface Walleye ("eye on the wall"), which lets the Honeywall manager configure the various data capture options and set data collection and reporting/alerting preferences. Snort is used for intrusion detection. Wireshark provides packet capture. Sebekd enables keystroke logging even in encrypted sessions. Argus collects network statistics and MySQL is used for data storage. The many configuration options give the Honeynet administrator a high degree of flexibility. The configuration of the testbed components is summarized in Table 1, together with the important services running on each component and their main configuration parameters.
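The Modbus TCP service on tcp/502 is what an attacker has to speak to in order to alter the honeypot's data points, and Section II notes that broad commands such as reset or reboot sent to RTUs are among the simplest attacks once an intruder is on the SCADA LAN. As an added example (not code from the paper, the SCADA Honeynet, honeyd or jamod), the script below parses Modbus/TCP request frames as a sensor in front of the honeypot would see them and flags writes, a diagnostics restart, malformed frames and any request from a host that is not a known master station. The master address 10.0.0.2, the stranger 10.0.0.77 and the frames themselves are constructed; 10.0.0.5 is the honeyd listener from Table 1.

```python
"""Parse Modbus/TCP requests captured on tcp/502 and flag the ones an operator
should hear about: writes, device restarts and any request from a host that
is not a known master station.

Added example; not code from the paper, the SCADA Honeynet or jamod. The
master-station address 10.0.0.2 and the sample traffic are constructed;
10.0.0.5 is the honeyd listener address from Table 1.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MASTER_STATIONS = {"10.0.0.2"}     # assumed legitimate master(s)

# Function codes that change device state.
WRITE_FUNCTIONS = {
    0x05: "write single coil",
    0x06: "write single register",
    0x0F: "write multiple coils",
    0x10: "write multiple registers",
}
DIAGNOSTICS = 0x08
RESTART_COMMS = 0x0001             # diagnostics sub-function 01: restart communications


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) plus PDU.
    The length field counts the unit id byte and the PDU."""
    pdu = bytes([function]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU that follows it."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def describe(req: ModbusRequest) -> str:
    """Human-readable name of what the request does."""
    if req.function == DIAGNOSTICS and len(req.data) >= 2:
        sub = struct.unpack("!H", req.data[:2])[0]
        if sub == RESTART_COMMS:
            return "restart communications (diagnostics sub-function 1)"
        return "diagnostics sub-function %d" % sub
    if req.function in WRITE_FUNCTIONS:
        return WRITE_FUNCTIONS[req.function]
    return "function 0x%02x" % req.function


def classify(src_ip: str, req: ModbusRequest) -> Tuple[str, str]:
    """Return (severity, reason) for one request."""
    action = describe(req)
    if src_ip not in MASTER_STATIONS:
        return "high", "request from non-master host %s: %s" % (src_ip, action)
    if action.startswith("restart communications"):
        return "high", action
    if req.function in WRITE_FUNCTIONS:
        return "medium", action
    return "info", action


def audit(packets: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Classify (source ip, frame) pairs; malformed frames are reported too."""
    findings = []
    for src_ip, frame in packets:
        try:
            severity, reason = classify(src_ip, parse_request(frame))
        except ValueError as exc:
            severity, reason = "medium", "malformed Modbus/TCP from %s: %s" % (src_ip, exc)
        findings.append((src_ip, severity, reason))
    return findings


# Constructed traffic towards the honeypot PLC at 10.0.0.5, unit id 1.
SAMPLE_TRAFFIC = [
    ("10.0.0.2", build_request(1, 1, 0x03, struct.pack("!HH", 0, 10))),        # master reads 10 registers
    ("10.0.0.2", build_request(2, 1, 0x06, struct.pack("!HH", 3, 1))),         # master writes a setpoint
    ("10.0.0.77", build_request(3, 1, 0x06, struct.pack("!HH", 3, 0))),        # stranger overwrites it
    ("10.0.0.77", build_request(4, 1, 0x08, struct.pack("!HH", 0x0001, 0))),   # stranger restarts the device
    ("10.0.0.77", b"\x00\x05\x00\x01\x00\x02\x01\x03"),                        # protocol id 1: not Modbus
]

if __name__ == "__main__":
    for src, severity, reason in audit(SAMPLE_TRAFFIC):
        print("%-7s %-10s %s" % (severity, src, reason))
```

Modbus carries no authentication, so the source address is the only thing that distinguishes a master from an intruder; the allow-list check is therefore the rule that matters most, and the write and restart checks catch a compromised or spoofed master.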

Table 1: Services and Hosts in SCADA Security Testbed

Host: OSSIM Server (Unified Sensor and Framework)
  Hardware: 2 CPU cores, 2 GB RAM, 1 NIC
  OS & Kernel: Debian 6.0.7, Linux 2.6.32
  Major Software / Services: ossim-framework, ossim-agent, ossec, snort, mysql, nfsen, ntop, rsyslog, apache, monit, nagios
  Configuration: 10.0.0.10

Host: PLC (SCADA Honeynet VM)
  Hardware: 1 CPU, 512 MB RAM, 2 NICs
  OS & Kernel: Ubuntu 6.06 LTS, Linux 2.6.15
  Major Software / Services: FTP service (tcp/21, iftp/java); HTTP service (tcp/80, fizmez/java); Modbus TCP service (tcp/502, jamod/java); Honeyd 1.5b listening on 10.0.0.5 (/usr/share/honeyd)
  Configuration: 10.0.0.3 and 10.0.0.5

Host: Honeypot (Honeywall VM)
  Hardware: 1 CPU, 512 MB RAM, 3 NICs
  OS & Kernel: Fedora Core 3
  Major Software / Services: Walleye, Sebekd, MySQL, Argus, Snort

Host: Physical Host
  Hardware: Intel Core i7 quad core with 4 MB cache, 8 GB RAM, 2 NICs
  OS & Kernel: Ubuntu 13.10, Linux 3.11.0-12
  Major Software / Services: Oracle VirtualBox 4.2.16

The next step is to configure and run a scan of the PLC from the OSSIM dashboard. As shown in the screenshot in Figure 2, the OSSIM dashboard provides an easy and convenient way to configure scanning of the PLC using the OpenVAS vulnerability scanner. All the virtual hosts are identified by their IP addresses. Once a host has been added to the assets, manually or through automated discovery, vulnerability scanning may be scheduled. OSSIM provides periodic scheduled vulnerability assessment scanning and generates a detailed report. This report can form the basis for action by the Information Security Officer to apply patches or plug the security holes, and the next scheduled vulnerability scan can confirm whether the vulnerability has been addressed successfully. Note that the target here is a simulated PLC: the network stacks of real PLCs and RTUs are often fragile, and active scanners such as OpenVAS should be run against production devices only with the vendor's guidance and during a maintenance window.

OSSIM's event processing identifies each event source with a unique identifier called the plugin ID. An OSSIM plugin is a collection of regular expressions used to match the event log text and produce the normalized values that are inserted into the events database. Each event source has an associated reliability value, a number from 0 to 10. A low reliability is assigned to noisy event sources such as an IDS, which generates many false positives, whereas a source such as virus detection software or a directory server, which tends to generate more certain security related information, may be assigned a high reliability such as 8, 9 or 10. Events are classified according to a standard taxonomy, which assigns the event an Event ID once the corresponding plugin has performed regular expression matching of the event string received from the event source by the centralized log collection node. Each event also has a priority value ranging from 0 to 5: events with severe security implications are assigned values near 5 and benign events lower values. Each event processed by OSSIM is then assigned a numerical risk value, calculated as

Risk = Asset Value × Priority × Reliability / 25

Asset value is a number from 0 to 5 assigned to an asset in OSSIM by the Information Security Officer based on the asset's importance to the organization. Since all SCADA components are highly critical, they are expected to be assigned a value of 5. With the maximum values of 5, 5 and 10 the risk therefore ranges from 0 to 10. Once the calculated risk of an event exceeds a configurable threshold, such as 2.0, an alarm is generated and shown on the OSSIM dashboard.

Alarms can be converted into tickets, which are assigned to Information Security or Information Technology team members to resolve the security issue identified by the alarm. The threshold for generating an alarm can be tuned by the Information Security Officer over time in the light of actual experience with the particular SCADA setup. The idea is to minimize false positives and focus the Information Security Officer's time and energy on actual threats. OSSIM's event processing has several other advanced features, including policies and directives. Policies are defined by the Security Officer to alter the default asset value, event source reliability or event priority based on parameters of the event such as its source or the time of day; this allows event processing to be fine tuned to organizational requirements. Directives are OSSIM's mechanism for correlating events. Correlation is the SIEM's generation of meta-events by relating events received from sensors and event sources with assets, with known vulnerabilities and with each other.

Figure 2: OSSIM Dashboard for PLC Scanning

OSSIM supports three types of correlation. The basic type is logical correlation, where events are correlated with other events within a window of time after a triggering event has occurred; this could, for example, be used to generate an alarm on multiple password authentication failures within a short period. The second type is cross correlation, in which an event is correlated with a vulnerability identified from a vulnerability database that is updated periodically from the Internet. Finally, inventory correlation correlates events with the known vulnerabilities of the organization's assets.

In our testbed there is a Snort IDS instance running on the OSSIM server and another on the Honeywall VM. Snort events are transferred from the Honeywall VM to OSSIM's event database by enabling the snort plugin on the OSSIM server and configuring OSSIM's rsyslog to accept remote events. Since the syslog daemon running on the Honeywall VM is different software, its own configuration is used to forward the Snort events to the remote syslog server, by placing @OSSIM_SERVER_IP (10.0.0.10 in Table 1) in the action field of the corresponding entry in /etc/syslog.conf. Classic syslog forwarding of this kind is unauthenticated and unencrypted UDP, so outside a closed testbed the forwarding path should be confined to a dedicated management segment or carried over TLS, which rsyslog supports, so that an attacker on the SCADA LAN cannot inject or suppress IDS events.

During this effort of integrating a virtual PLC with a SIEM and a Honeynet system to create a realistic SCADA/ICS security testbed for training and research, we observed the following shortcomings.

The software on the Honeywall needs to be updated so that it integrates easily with the SIEM. This may require building an entirely new VM on a more recent Linux distribution with more recent versions of all the Honeywall software components. An updated honeyd along the lines of the HoneyDrive project [12] appears to be a feasible option. The use of the OSSIM honeyd plugin to process honeyd events on the SIEM also needs to be explored.

OSSIM needs to be enhanced with a plugin that accepts MODBUS events and a taxonomy of SCADA related events, so that these can be used to generate alarms in OSSIM and in correlation directives. In this connection we are exploring the use of Digital Bond's PortalEdge SCADA/ICS event classification and normalization project [13] for integration with OSSIM.

A Modbus client that generates malicious requests against the virtual PLC needs to be integrated into the testbed. We are currently working with MOD_RSSIM [14] to achieve this objective.

We intend to continue our efforts to overcome the shortcomings identified above and to develop a more easily replicable and maintainable SCADA security testbed for research and training in SCADA security using open source software.

IV. CONCLUSION

Industrial SCADA systems have become vulnerable to attack due to the ubiquity of networks and the development of Internet based SCADA control and configuration tools. Each SCADA system involves very expensive and critical equipment, so the risks and penalties of intrusion are formidable. In this paper, we presented SCADA security vulnerabilities and the implementation of a proposed


experimental testbed for assessing the effectiveness of open source security monitoring tools in securing SCADA systems. However, we found that more integration and software updating effort is required to complete the testbed.

REFERENCES

[1] R. Krutz, Securing SCADA Systems, John Wiley Publishers, 2006, ISBN 978-0-7645-9787-9.
[2] A. Mahboob and J. Zubairi, "Intrusion Avoidance for SCADA Security in Industrial Plants," Proc. CTS 2010, pp. 447-452, IEEE Digital Library.
[3] J. Heinanen et al., "A Two Rate Three Color Marker," RFC 2698, Internet Engineering Task Force, http://tools.ietf.org/html/rfc2698, last accessed Oct 14, 2013.
[4] Wikipedia, "Modbus," http://en.wikipedia.org/wiki/Modbus, last accessed Oct 7, 2013.
[5] DNP Users Group, "Overview of the DNP3 Protocol," http://www.dnp.org/pages/aboutdefault.aspx, last accessed Oct 7, 2013.
[6] W. Shaw, Cybersecurity for SCADA Systems, Pennwell Publishers, 2006, ISBN 978-1-59370-068-3.
[7] SCADA Honeynet, http://www.digitalbond.com/tools/scadahoneynet, last accessed October 10, 2013.
[8] S. M. Wade, "SCADA Honeynets: The attractiveness of honeypots as critical infrastructure security tools for the detection and analysis of advanced threats," Graduate Theses and Dissertations, Paper 12138, 2011.
[9] Oracle VM VirtualBox, https://www.virtualbox.org/
[10] Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security, NIST Special Publication 800-82 (Initial Public Draft).
[11] AlienVault Press Release, "AlienVault Releases SCADA SIEM for Critical Infrastructure Protection," http://www.reuters.com/article/2011/05/26/idUS183336+26May-2011+BW20110526
[12] HoneyDrive Virtual Appliance (OVA) with Xubuntu Desktop 12.04, http://bruteforce.gr/honeydrive
[13] Digital Bond, PortalEdge SEM Integration, http://www.digitalbond.com/tools/portaledge/portaledge-semintegration/
[14] MOD_RSSIM, Modbus PLC Simulator, http://www.plcsimulator.org/

Junaid Ahmed Zubairi received his BE (Electrical Engineering) from NED University of Engineering, Pakistan, and his MS and Ph.D. (Computer Engineering) from Syracuse University, USA, in 1991. He worked at Sir Syed University, Pakistan, and International Islamic University, Malaysia, before joining SUNY at Fredonia in 1999, where he is currently a Professor in the Department of Computer and Information Sciences. Dr. Zubairi is a recipient of many grants and awards, including the Malaysian Government IRPA research award, an NSF MACS grant and multiple SUNY scholarly incentive awards. His research interests include network traffic engineering, network protocols and applications of networks. He has edited books on network applications and security and published several peer reviewed chapters, journal articles and conference proceedings papers. He can be reached at zubairi@fredonia.edu.

Athar Mahboob received his BS and MS degrees in Electrical Engineering from Florida State University, USA, in 1992 and 1995, respectively. He received his PhD with specialization in Information Security & Cryptology from the National University of Sciences & Technology, Pakistan, in 2005. He is currently a Professor of Electrical Engineering at DHA Suffa University, Karachi, Pakistan. His research interests and areas of professional practice include efficient implementation of cryptographic algorithms in hardware and software environments, and implementing and securing Enterprise Information Services using Linux and open source software. He received the civil award of Tamgha-e-Imtiaz, Pakistan, on 14 August 2012. He can be reached at athar.mahboob@dsu.edu.pk.