Trust matters


Protecting a power grid presents a different kind of challenge from protecting the computing network of a company or university. NCASSR-supported researchers at Pacific Northwest National Laboratory have come up with a solution.

by Kathleen Ricker
NCASSR Research Editor


Most of the basic systems that make up our national infrastructure--electric power grids, gas networks, municipal water and sanitation systems, to name a few--make use of Supervisory Control and Data Acquisition (SCADA) systems. A SCADA system consists of a network of remote, geographically distributed terminals or substations controlled and monitored by a centralized server that can be manually operated. Communication between the controller and the remote terminals relies on a variety of channels, including microwave, radio, telephone, and Ethernet, and because those channels carry traffic that nothing on the receiving end checks, the systems are often vulnerable to attack.

"Control systems are interesting beasts," says Mark Hadley, a research scientist at Pacific Northwest National Laboratory in Richland, WA. "The techniques that we use to protect our IT infrastructure do not necessarily apply to control systems." He points out that much of the hardware used to monitor and control critical infrastructure is between 30 and 35 years old, that communication rates of 1200 baud are still very common, and that the control and acquisition software is often embedded in the hardware itself. Consequently, securing these environments, says Hadley, requires an approach that is somewhat different from that used for conventional IT infrastructure.

SCADA systems are vulnerable in other ways as well. Data is sent in clear text, which an attacker can easily intercept and read--and the commands that are sent are typically very predictable and rigidly scheduled, so captured traffic is easy to forge or replay. And because there may be hundreds of miles between the control center and the substation terminals, there may be many points at which an intruder could tap the communications infrastructure on which the system relies.

Making implicit trust explicit

However, one of the biggest vulnerabilities, says Hadley, is the lack of authentication in a system that relies on implicit trust between two communicating devices. Because messages sent from one device to another in a SCADA system rely on implicit trust, the system can't distinguish between legitimate messages and messages injected into the communications stream by an intruder.

When implicit trust exists between two devices, each device assumes it knows the identity of the other and, on the basis of that assumption, accepts messages and executes commands that appear to have been sent by the other. Nothing in the message itself proves where it came from, so if a third party inserts messages into the communication stream, the receiver treats them as if they came from the trusted device.

Hadley and other researchers at PNNL received support from the National Center for Advanced Secure Systems Research at NCSA to find a way to protect the communications infrastructures of SCADA systems from intrusion without encrypting the data, since encryption would change the messages that the existing equipment and databases expect and could hamper operations. Their solution: to provide authentication and validation for messages sent between devices in the system. Their NCASSR-supported efforts culminated in a successful test in the fall of 2006 of the SCADA authentication technology at CenterPoint Energy, which supplies a 5,000-square-mile area around Houston, Texas with electric power and natural gas. For six weeks, the real-time demonstration successfully protected a control center and three remote substations, with no interruptions, and, almost as importantly, without requiring modifications to the SCADA system or its databases.

The secure SCADA protocol developed by the PNNL team preserves the clear text protocol of the original message by putting it into a "wrapper" or "envelope" consisting of a second protocol built on a hash-based message authentication code (HMAC). An HMAC is a keyed hash: only a device holding the shared secret key can compute the correct authentication tag for a given message, and any change to the message produces a different tag. Each envelope is "sealed" with such a tag, which the receiving device must verify before it will act on the message inside. If anything happens to the message while in transit, the tag the receiver recomputes no longer matches the one on the envelope, and the receiver neither recognizes nor acts upon it. Messages originating from an intruder, who does not hold the key and so cannot produce a valid tag, are likewise ignored and discarded. Because the original message stays in the clear, the protocol adds authentication and integrity without the confidentiality (and the overhead) of encryption.
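The two situations described above, the implicit-trust receiver that executes whatever arrives and the HMAC "envelope" that the receiver checks before acting, as an added example. This is illustrative code written for this page, not the PNNL implementation: the envelope layout (a 4-byte sequence number, the clear-text payload, and a truncated HMAC-SHA256 tag), the shared key, the tag length, and the sample commands are all assumptions, and the sequence-number check is added here because the article notes that SCADA commands are predictable and rigidly scheduled, which makes replay of a correctly tagged message a realistic concern.

```python
import hmac
import hashlib
import struct

# Assumed shared secret provisioned on both ends; not from the original page.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
# Assumption: the tag is truncated to 16 bytes to limit overhead on slow serial links.
TAG_LEN = 16
SEQ_LEN = 4


def legacy_receive(frame: bytes) -> bytes:
    """Implicit trust: an unwrapped SCADA frame is executed as received,
    whoever put it on the wire. There is nothing here to check."""
    return frame


def wrap(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build an envelope: seq || payload || HMAC-SHA256(key, seq || payload)[:TAG_LEN].
    The payload itself is left in the clear; only the header and tag are added."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Verifying end of the envelope protocol."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def unwrap(self, envelope: bytes):
        """Return the clear-text payload if the tag verifies and the sequence
        number is fresh; return None (discard) otherwise."""
        if len(envelope) < SEQ_LEN + TAG_LEN:
            return None
        header = envelope[:SEQ_LEN]
        payload = envelope[SEQ_LEN:-TAG_LEN]
        tag = envelope[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so an attacker cannot learn the tag byte by byte.
        if not hmac.compare_digest(tag, expected):
            return None
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            return None  # correctly tagged, but already seen: a replay
        self.last_seq = seq
        return payload


def demo() -> dict:
    """Exercise the cases a practitioner would want to see; results keyed by name."""
    # Constructed sample traffic; not a real SCADA protocol encoding.
    cmd = b"OPEN BREAKER 12"
    injected = b"OPEN BREAKER 07"
    rx = Receiver(KEY)
    results = {}
    # Legacy path: the injected frame is executed as if it came from the master.
    results["legacy_accepts_injected"] = legacy_receive(injected)
    # Envelope path: a properly sealed message is accepted.
    good = wrap(KEY, 1, cmd)
    results["valid"] = rx.unwrap(good)
    # One bit of the payload flipped in transit: tag no longer matches.
    tampered = bytearray(wrap(KEY, 2, cmd))
    tampered[SEQ_LEN + 13] ^= 0x01  # corrupts the "1" of "12"
    results["tampered"] = rx.unwrap(bytes(tampered))
    # Intruder without the key cannot produce a valid tag.
    results["forged"] = rx.unwrap(wrap(b"attacker has no key", 3, injected))
    # The earlier valid envelope resent later: rejected by the sequence check.
    results["replayed"] = rx.unwrap(good)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The sequence-number check is the part a deployment must get right: a receiver that verifies only the tag will happily re-execute an old "open breaker" command captured weeks earlier, since the tag on it is still valid.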

Implementing the secure SCADA authentication protocol for a given system is in itself a challenge. Many legacy systems with embedded technology, such as the CenterPoint system, require some kind of external retrofit, because the software that would have to compute and check the tags cannot be changed in place. However, the PNNL team stressed the need to keep this kind of solution lightweight, because plugging in too many external devices can introduce new points of disruption. The solution for CenterPoint was to develop a microcontroller dongle that attaches to the modem and handles the wrapping and checking on the wire. "We wanted to make sure that we would fit into their environment without modification," says Hadley, "and we were able to successfully do that."

Making research a reality

The response from CenterPoint has been extremely positive. "The PNNL methodology offers us the flexibility and performance in securing SCADA communication that we were looking for," says Tom Flowers, who oversees the Control Systems Division at CenterPoint. CenterPoint isn't alone. According to Hadley, several vendors in the energy industry are also very interested in the technology, as are the Department of Energy and an international standards body that wants to incorporate PNNL's approach into existing SCADA protocols.

Currently in its fourth year, NCASSR explores and develops new approaches and technologies with the ultimate goal of applying, implementing and integrating them into existing or planned government and/or Department of Defense systems. "SCADA is one of the nation's most important infrastructures," says Randy Butler, NCASSR Project Director. "PNNL has a critical set of skills and experiences in the area of SCADA, so the fact that, with a little extra money, NCASSR could help them turn that into something that actually gets fielded is a big win for everybody."

At first glance, it may seem that the requirements for securing physical infrastructure differ substantially from those of providing a secure environment for investigating attacks on large systems--another major project on which NCASSR has recently embarked. However, the fundamental problem--the need for authentication--is very much the same, says Butler. He points out that, as an authentication technology, the secure SCADA protocol is very much in line with the kind of authentication technologies whose research and development NCASSR has supported throughout its history. "Using authentication of any kind is fairly novel in the SCADA community," he says. "NCASSR's approach is to support both research-type activities and applied technologies, and it's exciting to see one of our applied technologies attracting so much interest."

Team members
Jeff Dagle
Ross Guttromson
Craig Goranson
Mark Hadley
Joe Huffman

In the energy and manufacturing sectors, communication between remote plants or substations and central control stations is handled by supervisory control and data acquisition (SCADA) systems. Protecting aging equipment and embedded software from attack in a way that does not hamper operations by modifying the system or encrypting the data is a major challenge.
The NCASSR PNNL team's solution: provide trust through authentication--by enclosing each message sent in an "envelope" whose "seal" can only be produced, and checked, by devices that hold the shared key.
