A collection of technical reports from the Intelligent Systems Research Laboratory
TR-ISRL-06-01 (PDF) "Literature Review of Security and Risk Assessment of SCADA and DCS Systems"
Abstract: The growing dependence of critical infrastructures and industrial automation on interconnected physical and cyber-based control systems has resulted in a growing and previously unforeseen cyber security threat to SCADA and DCS systems. Industry organizations such as NERC and AGA, as well as government organizations like NIST and Sandia, are responding to the cyber security threat faced by control systems and critical infrastructure through the development of guidelines, best practices, test beds, security tools, and new technology. Published papers such as Byres and Lowe (2005), Miller (2005), and Greer (2006) describe the threats and vulnerabilities faced by SCADA and DCS systems and the challenges presented in attempting to secure these systems. Other papers, such as Byres and Franz (2006) and Strickles et al. (2003), describe the application of existing security technologies and security practices. The articulation of risk is an important component of a comprehensive, realistic, and long-term commitment to securing SCADA and DCS systems. Risk assessment methods such as HHM, IIM, and RFRM have been successfully applied to SCADA systems and have highlighted the need for quantifiable metrics. Quantifiable risk analysis falls under the general category of probability risk analysis (PRA), which includes methods like FTA, ETA, and FMEA. What is needed for SCADA and DCS cyber security risk analysis is to quantitatively determine the probability of an attack, the impact of the attack, and the reduction in risk associated with a particular countermeasure. Two recent methods, one based on compromise graphs and one on augmented vulnerability trees, have specifically targeted SCADA security.
TR-ISRL-06-02 (PDF) "Evaluation of MILS and Reduced Kernel Security Concepts for SCADA Remote Terminal Units"
Abstract: This technical report investigates the benefits that the Multiple Independent Levels of Security (MILS) approach can provide to Supervisory Control and Data Acquisition (SCADA) remote terminal units. This is accomplished through a heavy focus on MILS concepts such as resource separation, verification, and kernel minimization and reduction. Two architectures are investigated to study the application of reduced kernel concepts for a remote terminal unit (RTU). The first is the LynxOS embedded operating system, which is used to create a bootable image of a working RTU. The second is the Pistachio microkernel, whose features and development environment are analyzed and catalogued to provide the basis for a future RTU. A survey of recent literature is included that focuses on the state of SCADA security, the MILS standard, and microkernel research. The design methodology for a MILS-compliant RTU is outlined, including a benefit analysis of applying MILS in an industrial network setting. Also included are analyses of the MILS concepts relevant to the design and of how LynxOS and Pistachio can be used to study some of these concepts. A section detailing the prototyping of RTUs on LynxOS and Pistachio is also included, followed by an initial security and performance analysis for both systems.
TR-ISRL-05-01 (PDF) "Supervisory Control and Data Acquisition Remote Terminal Unit Testbed"
Abstract: This technical report provides detailed information about the operation of the iFix supervisory control and data acquisition (SCADA) testbed in the Process Control Laboratory at the University of Louisville. This testbed uses a SCADA system to implement a water-level control system. The general guidelines described in this report can also be applied to controlling a binary-distillation column with this same SCADA hardware.
TR-ISRL-04-01 (PDF) "Security Considerations in SCADA Communication Protocols"
Abstract: Supervisory Control and Data Acquisition (SCADA) networks control the critical utility and process control infrastructures in many countries. They perform vital functions for utility companies, including electricity, natural gas, oil, water, sewage, and railroads. However, little attention was given to security considerations in the initial design and deployment of these systems, which has caused an urgent need to upgrade existing systems to withstand unauthorized intrusions potentially leading to terrorist attacks. This research identifies threats faced by SCADA and investigates effective methods to enhance its security by analyzing the DNP3 protocol, which has become a de facto industry standard for implementing SCADA communications. We propose cost-effective implementation alternatives including SSL/TLS, IPsec, object security, encryption, and a message authentication object. This report evaluates the implementation details of these solutions and analyzes and compares these approaches. We also suggest new research directions to more adequately secure SCADA communications over the long run.
TR-ISRL-04-02 (PDF) "ESAgent: Expert System Control of Simulated Agent-Based Mobile Robots"
Abstract: A software application to demonstrate expert-system control of agent-based robots, named ESAgent (Expert System Agent), is described in detail in this technical report. This application uses JADE, the Java Agent DEvelopment framework, for the agent component and JESS, the Java Expert System Shell, for the expert system component. The system was tested using the Player/Stage simulation software.
TR-ISRL-04-03 (PDF) "Anomaly-Based Intrusion Detection for Network Monitoring Using a Dynamic Honeypot"
Abstract: A recent addition to the intrusion detection product line is a new technology called a honeypot. A honeypot provides an attacker with resources that appear to be actual production systems but are in reality decoy systems designed to be attacked. Observing interaction with the honeypot facilitates the observation and analysis of attacks and the detection of anomalies. This paper discusses the design of a dynamic honeypot. The dynamic honeypot configures, deploys, and maintains virtual honeypots on a network, using passive probing and dynamic templates to customize the virtual honeypots to the network and to react differently depending on the source of the connection. This paper also discusses the design and implementation of a simple intrusion monitoring system using the dynamic honeypot. During initial testing, an exploit attempt that was not detected by conventional intrusion detection was detected by the dynamic honeypot monitoring system.