Hydroelectric generation plants carry a number of cyberterrorism risks, which could cause significant problems such as interruptions in the power grid or water leaks from the reservoir, among others. This presentation discusses the vulnerabilities in the infrastructure of hydroelectric generation plants, some tools to check for them, and several remediation techniques to keep those problems from materializing.
3. SCADA
• Supervisory Control and Data Acquisition
• Platform used to monitor and control all the variables of a real-time process
• Several variables to monitor
– Vibrations on the turbine rotor
– Flow speed of oil inside the turbine rotor
– Amount of electric charge passing through an electricity transmission line
4. Electrical process
• Three big steps
– Generation
– Transmission
– Distribution
• Energy is created using any of the following methods
– Thermoelectric plants
– Nuclear plants
– Hydroelectric plants
5. Electrical process (2)
• The SCADA platform is vital to perform the following when generation takes place:
– Ensure turbines are not spinning faster than supported
– Ensure generators are not working overloaded
– Ensure the energy being generated matches the amount of energy the transmission line can handle
6. Electrical process (3)
• Transmission
– Energy being generated needs to be distributed to reach the final users
– 115 kV is the voltage used to transmit over the wire lines
– Final destinations are the substations, each of which handles the energy of a specific number of installations
– A large number of blocks in a city
7. Electrical process (4)
• The SCADA platform is vital to perform the following when transmission takes place:
– Monitoring of voltage in transmission lines, looking for a high amount of electricity flowing
– None of them can get overloaded, because protections get activated and a blackout appears in all the installations controlled by the affected substations
8. Electrical process (5)
• Distribution
– Energy being generated needs to be distributed to reach the final users
– 115 kV is the voltage used to transmit over the wire lines
– Final destinations are the substations, each of which handles the energy of a specific number of installations
– A large number of blocks in a city
9. Electrical process (6)
• The SCADA platform is vital to perform the following when distribution takes place:
– Monitoring of voltage in transmission lines, looking for a high amount of electricity flowing
– Monitoring of voltage in user meters, looking for a high amount of electricity flowing
14. SCADA Network inside Power Plant
[Diagram: Generation Power SCADA (Unit Controller, Turbine Speed Regulator, Voltage Regulator, Generator Protection Controller, Cooling and oil pump controller, HMI Console) and Substation SCADA (Substation controller, Switch Controller, Voltage Meter Reader, Protection Controller, HMI Console)]
15. SCADA Network inside Power Plant (2)
• Generation Power Plant
– Unit Controller: Controls all the subsystems that enable the generator to inject active power into the electrical network
– Voltage regulator: Controls the frequency of the active power being produced by the generator. Must match the frequency of the electrical network
16. SCADA Network inside Power Plant (3)
• Generation Power Plant
– Turbine speed regulator: Controls the speed of the turbine
– Cooling and oil pump controller: Controls refrigeration and lubrication of the rotor system of the turbine so there is no excess heat or friction
– Generator protection controller: Controls excessive voltage changes in the generator
17. SCADA Network inside Power Plant (4)
• Substation SCADA
– Substation Controller: Controls all the systems that make it possible for the energy to be transmitted all across the electrical network
– Switch controller: If there is too much energy on a line, trying to exceed its capacity, the switch opens the circuit and the energy stops flowing
18. SCADA Network inside Power Plant (5)
• Substation SCADA:
– Voltage meter: Meters the amount of electricity flowing in the input and output lines, so the Substation Controller can tell if the capacity of a transmission line is being exceeded
22. Modbus (2)
• Client/server protocol which operates in a request/response mode
• Three variants:
– Modbus serial RS-232/RS-485: Implemented on serial networks
– Modbus TCP: Used for SCADA platforms where delay is not an issue (water supply)
– Modbus UDP: Used for SCADA platforms where delay is a big issue (energy)
24. Modbus (4)
• Modbus protocol structure
– Address field:
• Request frames: Address of the device targeted by the request
• Response frames: Address of the device responding to the request
25. Modbus (5)
• Modbus protocol structure
– Function field
• Function requested by the HMI to be performed by the field devices
• In response packets, when the function succeeded, the field device echoes the function code. If an exception occurred, the most significant bit of the field is set to 1
26. Modbus (6)
• Data Access function codes (function name: code)
– Bit access
• Physical Discrete Inputs: Read Discrete Inputs: 2
• Internal Bits or Physical Coils: Read Coils: 1; Write Single Coil: 5; Write Multiple Coils: 15
– 16-bit access
• Physical Input Registers: Read Input Register: 4
• Internal Registers or Physical Output Registers: Read Holding Registers: 3; Write Single Register: 6; Write Multiple Registers: 16; Read/Write Multiple Registers: 23; Mask Write Register: 22; Read FIFO Queue: 24
– File Record Access
• Read File Record: 20; Write File Record: 21
27. Modbus (7)
• Diagnostics function codes (function name: code)
– Read Exception Status: 7
– Diagnostic: 8
– Get Com Event Counter: 11
– Get Com Event Log: 12
– Report Slave ID: 17
– Read Device Identification: 43
• Other
– Encapsulated Interface Transport: 43
28. Modbus (8)
• Modbus protocol structure
– Data field
• In request packets, contains the information required to perform the specific function
• In response packets, contains the information requested by the HMI
29. Modbus (9)
• Modbus protocol structure
– Error check field
• CRC-16 on the message frame
• If the packet has errors, the field device does not process it
• A timeout is assumed, so the master sends the packet again to attempt the function execution once more
30. IEC 104
• Standard for power system monitoring, control and communications for telecontrol and teleprotection for electric power systems
• Completely compatible with:
– IEC 60870-5-1: Transmission frame formats for standard 60870-5
– IEC 60870-5-5: Basic application functions
31. IEC 104 (2)
• It has the following features:
– Supports master-initiated messages and master/slave-initiated messages
– Facility for time synchronization
– Possibility of classifying the data being transmitted into 16 different groups, to retrieve the data according to its group
– Cyclic and spontaneous data updating schemes are provided
35. IEC 104 (6)
• Link level: link service classes
– S1 (SEND / NO REPLY): Transmit message. No ACK or answer required
– S2 (SEND / CONFIRM): Transmit message. ACK required
– S3 (REQUEST / RESPOND): Transmit message. ACK and answer required
37. IEC 104 (8)
Source: Practical Industrial Data Communications
• Control field for unbalanced transmissions (figure)
38. IEC 104 (8)
Source: Practical Industrial Data Communications
• Control field for balanced transmissions (figure)
39. DNP3
• Set of communication protocols used between components of a SCADA system
• Used for communications between the RTU and the IEDs (field devices)
• Implements the communication levels established by the Enhanced Performance Architecture (EPA)
45. Cyberterrorism Risks
• Many awful things can happen to a power plant
– Generation stops because of partial or total damage to the generator
– Generation stops because of partial or total damage to the transmission substation
– Generation stops because of partial or total damage to the turbine
46. Cyberterrorism Risks (2)
• Many awful things can happen to a power plant
– Transformer explosion because of lack of transmission line protection capacity
– Massive water leakage because of explosion of the turbine container
• All of them can happen because of unauthorized manipulation of the HMI and after the configs are updated
47. Network technologies in SCADA Systems
• Many SCADA networks still use an RS232/RS485 bus to communicate between all components
– But also, because of the need to access data quickly, we also have serial-to-IP gateways to access serial RTUs and IEDs
– Lots of hybrid SCADA networks having serial and IP components
– Access is open to anyone with network connectivity
48. Network technologies in SCADA Systems (2)
• Many SCADA networks still use an RS232/RS485 bus to communicate between all components
– Admin protocols are not encrypted, so anyone can sniff all the contents, perform a MITM and send fake content to client and server. Insecure services like telnet are mandatory because of lack of support
– Latency is an issue
49. Lack of authentication in application protocol
• The SCADA protocols do not perform bi-directional authentication to ensure that all parties are trusted
– Only commands are sent
– Data is sent to the IP address configured as master
– All the IP spoofing vulnerabilities work on any MTU or field device
– Any command can be sent
50. Default configurations in HMI
• Insecure services used
– rlogin
– rcp
– rexec
• OS admin privileges used to operate
• Trust perimeter created between the HMI and external RTUs and IEDs to manipulate configuration parameters
51. What could be done?
• Reset a link state communication or send a Test Communication packet several times, provoking a temporary DoS to the IED controllers
– Spoof the HMI IP address and send the following using TCP:
0x56405c00100020074e3
– Spoof the HMI IP address and send the following using TCP:
0x56405f201000200b717
52. What could be done? (2)
• Send commands to the IED controllers
– Registers are linked to turning specific devices on and off, like oil and refrigeration pumps
– A Modbus command to change registers is enough to disable any of those pumps
– The command depends on the place where the pump is configured
53. What could be done? (3)
• Run Metasploit against the HMI and try to find remote admin exploits
– No patches are installed
– Too many vulnerabilities around
– The odds of finding remote privilege escalation vulnerabilities are too high
– Are passwords strong enough in the HMI software and OS?
– Is there any password configured at all?
54. What could be done? (3)
• MITM attacks on the substation elements and generation plant elements
– TCP sequence number predictability on these elements is pretty high
– Prone to session hijacking (http://www.youtube.com/watch?v=s_XD8heYNrc)
56. What you cannot do with SCADA
• Protocol delay is usually a BIG issue in SCADA
– Water supply and oil SCADA tolerate big delays because they have no consequences in the process
– Power SCADA is critical. A delay higher than 12 milliseconds could end in a massive blackout because of failure to open a breaker in a substation
– Be careful about what you do to protect your SCADA
57. SCADA Network inside Power Plant
[Diagram repeated from slide 14: Generation Power SCADA and Substation SCADA components]
58. Monitor your network
• Control access from outsiders
– The SCADA network needs to send information out for reports and status checking
– You can establish a secure way to get into the SCADA network for remote support
– If no commands need to be sent, one-way communications using Waterfall work pretty well
60. Monitor your network (3)
• Use a Network Intrusion Prevention System
– You definitely can use conventional IPS if they are fast enough to avoid delays in your network
– Not all of them support SCADA protocols
– If you have Snort, you can write rules for Modbus and DNP3. Otherwise, you need to write your own rules
– Industrial Defender's solution works pretty well, as it includes lots of SCADA signatures
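Slides 49 to 52 describe register writes sent to field devices from a spoofed HMI address, and slide 60 suggests writing IPS rules for Modbus. As an added example (not part of the presentation or of any product named in it), this Python monitor parses the Modbus/TCP MBAP header over constructed traffic with hypothetical addresses, and raises an alert for any coil/register write whose source is not the configured master, as well as for request floods from a single source.

```python
import struct
from collections import Counter

# Coil/register write functions (codes from the Modbus table on slide 26)
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

def parse_mbap(packet: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP packet, or None if the MBAP header is bad."""
    if len(packet) < 8:
        return None
    _transaction, protocol, length, unit = struct.unpack(">HHHB", packet[:7])
    if protocol != 0 or length != len(packet) - 6:   # protocol id is always 0; length = unit id + PDU
        return None
    return unit, packet[7]

def inspect(records, allowed_masters, flood_threshold=20):
    """records: (src_ip, dst_ip, payload) tuples as a network sensor would see them. Returns alerts."""
    alerts, per_flow = [], Counter()
    for src, dst, payload in records:
        parsed = parse_mbap(payload)
        if parsed is None:
            alerts.append(f"{src}->{dst}: malformed Modbus/TCP header")
            continue
        unit, function = parsed
        if function & 0x80:
            continue                    # exception response coming back from a field device
        per_flow[(src, dst, function)] += 1
        if function in WRITE_FUNCTIONS and src not in allowed_masters:
            alerts.append(f"{src}->{dst}: write function {function} to unit {unit} from unauthorized master")
    for (src, dst, function), count in per_flow.items():
        if count >= flood_threshold:
            alerts.append(f"{src}->{dst}: {count} requests with function {function} (possible flood)")
    return alerts

# Constructed sample traffic (hypothetical addresses): the HMI 10.0.0.10 is the only legitimate master
HMI, IED, ROGUE = "10.0.0.10", "10.0.1.20", "10.0.0.99"
SAMPLE_RECORDS = (
    [(HMI, IED, bytes.fromhex("0001 0000 0006 01 03 0000 0002"))]          # legitimate register read
    + [(ROGUE, IED, bytes.fromhex("0002 0000 0006 01 05 0010 0000"))]      # rogue host writes coil 16 off
    + [(ROGUE, IED, bytes.fromhex("0003 0000 0006 01 08 0000 0000"))] * 25  # repeated diagnostic requests
    + [(IED, HMI, bytes.fromhex("0001 0000 0003 01 83 02"))]               # exception response, ignored
)

def demo():
    return inspect(SAMPLE_RECORDS, allowed_masters={HMI})
```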
61. Monitor your network (4)
• Control access from outsiders
– Energy market central regulators are able to control your power generation SCADA and make you generate what you won at the electricity market
– Be able to override control from your local market control center if for some reason you notice abnormal operations that put your generation infrastructure at risk
63. Control unauthorized changes to Master Terminal Unit
• SCADA platforms are designed to last from 10 to 20 years
– Too many technology changes happen in that time
– Lots of security issues to deal with
– Need a solution to avoid any changes inside computers, as intrusions perform changes in the filesystem, configurations and system processes
64. Control unauthorized changes to Unit Controllers and IED controllers
• Configuration and firmware changes can be done on-site and remotely
• Can you tell all the times when those changes have been made on all the IEDs and Unit Controllers?
• Can you tell if that change actually contains the valid firmware and/or configuration?
• Check Industrial Defender Manage
65. Control unauthorized changes to Master Terminal Unit (3)
• Control any changes inside your SCADA servers
– McAfee Integrity Control works pretty well
– Defines what can be changed by whom
– Lots of custom logs to choose from
– Can send events to any SIEM configured in the network
66. Monitor attacks to Master Unit
• Host IPS is definitely needed, as any attack could change the integrity and stability of a process
• Availability is critical to a SCADA system and cannot be altered
• Conventional Host IPS makes extensive use of CPU and can affect performance inside SCADA
67. Monitor attacks to Master Unit (2)
• Industrial Defender Protect works pretty well
• Works seamlessly with the Siemens Spectrum platform
• Does not load the machine or need extensive bandwidth to perform its checks
• Central console to perform operations inside the platform