7 ICS cyber security: modelling techniques and tools
7.6 Composite heterogeneous methods
7.6.3 Composing NS2 enterprise network model and SCADA devices
Figure 7-11 I2Sim scenario

In [69] a simulation environment for analyzing and assessing the security of a SCADA system and its associated industrial infrastructure is described. The hierarchical structure and communication model of a SCADA system are presented. The SCADA system considered consists of sensors acquiring data, actuators controlling industrial devices, control devices (such as Programmable Logic Controllers (PLCs)) performing logical control, central SCADA servers or Master Terminal Units (MTUs) acquiring data and sending control instructions, a Human Machine Interface (HMI) displaying data for operators and providing various control input forms, database servers storing historical data, workstations on which engineers detect and debug systems, business information systems for specific industrial applications, and various types of communication devices.

The simulation environment, shown in figure 7.12, consists of several layers, mainly an NS2-based simulated enterprise network, a customizable OPC client/HMI, an integrated industrial OPC server, an extensible SCADA protocol tester, several prevalent SCADA RTUs, and the sensors and actuators flexibly deployed in the specified scenario. The components considered in the reference architecture span from the enterprise network down to the industrial infrastructure. In such an architecture, a network client sends data packets of a certain type or format through an Internet browser or a special application, and the packets travel across the simulated enterprise network to the OPC server or to the SCADA protocol tester. The OPC server may also receive control instructions from the customized OPC client/HMI, and sends the data acquired from the underlying industrial process back to the OPC client/HMI. The SCADA protocol tester, on the other hand, can generate the protocol data units of the SCADA protocol under test through a GUI or customizable scripts, send them to the lower-layer SCADA RTUs, supervise and acquire the response data, and so analyze the functionality of the SCADA protocol, its conformance to the specification, and its security status. The SCADA RTU layer selects the specific RTU devices according to the protocol type, receives the control instructions sent from the upper layer, and controls the actuators to perform the corresponding actions or the sensors to acquire the corresponding data. The supervised industrial infrastructure is usually implemented by computer simulation, which supports flexible and customizable simulation of industrial scenarios and supervisory control and data acquisition for a specific process.
Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx
Final version Page 104 on 153
Figure 7-12 Reference Architecture of SCADA Simulation Environment [69]
The enterprise network, at the appropriate scale, is simulated with NS2 emulation (NSE). Emulation refers to the ability to introduce the simulator into a live network. Special objects within the simulator are capable of introducing live traffic into the simulator and injecting traffic from the simulator into the live network. The interface between the simulator and the live network is provided by a collection of objects including tap agents and network objects. Tap agents embed live network data into simulated packets and vice versa. Network objects are installed in tap agents and provide an entry point for the sending and receipt of live data. When using the emulation mode, a special version of the system scheduler is used: the RealTime scheduler.
A TCP agent within NS2 interacts with a real-world TCP server and can receive data from the external application (figure 7.13).
Figure 7-13 Packets generated by TCP agent interacting with a real world TCP server [69]
The OPC server acquires the industrial field data from the PLC/RTUs and sends it back to the OPC client application via standard OPC interfaces. The OPC client application (usually referred to as the HMI) displays the received industrial process data and sends control instructions to the OPC server, which then delivers them to the PLC/RTUs.
As OPC server, CitectSCADA 6.1 from Citect has been used. It is software installed on standard computer equipment running the Microsoft Windows XP operating system, and delivers scalable and reliable supervision and control. As OPC client, the authors implemented an extension of the open-source JEasyOpc project [70], which was used in the experiments of security analysis and assessment of SCADA systems.
The SCADA protocol tester simulates the execution of SCADA protocols based upon their specifications. Its protocol simulation layer provides simulations of several SCADA protocols (including Modbus, DNP3, etc.), together with event scheduling and the sending and receipt of protocol packets.
Several real PLC/RTUs (GE FANUC Rx3i, VersaMax, SIEMENS S7200, S7300, ICPDAS Wincon8741 and 8ke8, etc.) have been adopted as industrial field control devices. The supervised industrial infrastructures are implemented by simulation; the environment can currently simulate a few typical industrial scenarios based upon the specified configurations, which provide the required industrial field data for the simulation system and can respond to the control instructions. The PLC/RTUs connect to sensors and actuators through digital or analog I/O, are equipped with an Industrial Ethernet module and a multiprotocol module, and support several protocol types including Modbus-TCP, Profibus, DeviceNet, and Genius.
A representative attack scenario has been developed for the experimentation. It involves the following steps:
Step 1: Gain access to the simulated SCADA system
1.1 Gain remote network access to the enterprise network
1.2 Compromise the connection device between the enterprise network and the SCADA system
Step 2: Identify the Modbus device through a protocol scan
2.1 Gain local SCADA access via the enterprise network
2.2 Scan port 502/tcp to identify the characteristics of the Modbus device
Step 3: Compromise the master device via vulnerability exploitation
3.1 Disable the real slave device
3.2 Deploy a rogue slave that responds to Modbus requests from the master
3.3 Corrupt the master with an invalid slave response
3.4 Load shell exploitation onto the master
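The Modbus/TCP exchange behind steps 2.2 and 3.1 to 3.3, as an added example that is not code from [69] or from the CockpitCI deliverable: a probe frame of the kind a scanner can send to 502/tcp, a Read Holding Registers request, a simulated honest slave, a rogue slave that answers with an invalid response, and two master-side parsers, one that trusts the slave's byte count and one that validates every field first. The framing follows the public Modbus/TCP specification (MBAP header, function codes 0x03 and 0x2B/MEI 0x0E, exception code 0x02); the function names, the register values and the rogue byte count are constructed for this example, and the device-identification probe is one plausible probe, since the text only says that port 502/tcp is scanned. The example goes one step beyond the text by showing the hardened master beside the naive one.

```python
import struct

MODBUS_PORT = 502        # Modbus/TCP port probed in step 2.2
FC_READ_HOLDING = 0x03   # Read Holding Registers
FC_DEVICE_ID = 0x2B      # Encapsulated Interface Transport; MEI type 0x0E = Read Device Identification
MBAP_LEN = 7             # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def build_adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header; the length field counts unit id + PDU bytes."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def device_id_probe(tid: int, unit: int = 0xFF) -> bytes:
    """Probe a scanner can send to 502/tcp: FC 0x2B, MEI 0x0E, basic device id, object 0.
    Unit 0xFF is the value used for a device addressed directly over TCP (assumption: the
    scanner in [69] is not described; this is one common probe)."""
    return build_adu(tid, unit, bytes([FC_DEVICE_ID, 0x0E, 0x01, 0x00]))


def read_holding_registers_request(tid: int, unit: int, start: int, qty: int) -> bytes:
    return build_adu(tid, unit, struct.pack(">BHH", FC_READ_HOLDING, start, qty))


def honest_slave(request: bytes, registers: list) -> bytes:
    """Simulated slave (the role the real RTU/PLC plays before it is disabled in step 3.1)."""
    tid, _, _, unit = struct.unpack(">HHHB", request[:MBAP_LEN])
    fc, start, qty = struct.unpack(">BHH", request[MBAP_LEN:MBAP_LEN + 5])
    if start + qty > len(registers):
        # Modbus exception: function code | 0x80, exception code 0x02 (illegal data address)
        return build_adu(tid, unit, bytes([fc | 0x80, 0x02]))
    data = bytes([2 * qty]) + b"".join(struct.pack(">H", v) for v in registers[start:start + qty])
    return build_adu(tid, unit, bytes([fc]) + data)


def rogue_slave(request: bytes) -> bytes:
    """Steps 3.2/3.3: rogue slave returning an invalid response (constructed hostile input).
    The MBAP length agrees with the frame, but the PDU byte count claims 255 bytes of
    register data while only 4 bytes follow."""
    tid, _, _, unit = struct.unpack(">HHHB", request[:MBAP_LEN])
    fc = request[MBAP_LEN]
    return build_adu(tid, unit, bytes([fc, 0xFF]) + b"\x41" * 4)


def naive_master_parse(response: bytes) -> list:
    """Master that trusts the slave's byte count. In a C master this becomes an
    out-of-bounds read/write of the register buffer; in Python the short slice makes
    struct raise struct.error."""
    byte_count = response[MBAP_LEN + 1]
    regs = []
    for i in range(byte_count // 2):
        off = MBAP_LEN + 2 + 2 * i
        regs.append(struct.unpack(">H", response[off:off + 2])[0])
    return regs


def validating_master_parse(request: bytes, response: bytes, expected_qty: int) -> list:
    """Master that checks identifiers and every length before touching the data.
    Raises ValueError with the reason when the response is not acceptable."""
    if len(response) < MBAP_LEN + 2:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", response[:MBAP_LEN])
    req_tid, _, _, req_unit = struct.unpack(">HHHB", request[:MBAP_LEN])
    if tid != req_tid:
        raise ValueError("transaction id does not match request")
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if unit != req_unit:
        raise ValueError("unit id does not match request")
    if length != len(response) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    fc = response[MBAP_LEN]
    if fc == FC_READ_HOLDING | 0x80:
        raise ValueError("slave exception code 0x%02x" % response[MBAP_LEN + 1])
    if fc != FC_READ_HOLDING:
        raise ValueError("unexpected function code 0x%02x" % fc)
    byte_count = response[MBAP_LEN + 1]
    if byte_count != 2 * expected_qty or byte_count != len(response) - MBAP_LEN - 2:
        raise ValueError("byte count %d inconsistent with request and frame" % byte_count)
    return list(struct.unpack(">%dH" % expected_qty, response[MBAP_LEN + 2:]))


if __name__ == "__main__":
    regs = [0x0102, 0x0304, 0x0506]   # constructed sample register values
    req = read_holding_registers_request(tid=1, unit=1, start=0, qty=2)
    print("probe    :", device_id_probe(1).hex())
    print("request  :", req.hex())
    print("honest   :", validating_master_parse(req, honest_slave(req, regs), 2))
    bad = rogue_slave(req)
    try:
        naive_master_parse(bad)
    except struct.error as e:
        print("naive master broke on rogue response:", e)
    try:
        validating_master_parse(req, bad, 2)
    except ValueError as e:
        print("validating master rejected it:", e)
```

The rogue response keeps the MBAP length field consistent on purpose: a master that checks only the transport-level length still accepts it, and only the cross-check of the PDU byte count against both the request and the remaining frame bytes catches it. That cross-check is what step 3.3 relies on being absent.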
From these attack experiments, the authors conclude that the proposed environment can simulate the whole process of an attack on a SCADA system and provides an effective means to analyze and assess the security of SCADA systems.