[101] reports an heterogeneous modeling environment to demonstrate the vulnerability of the network client to a DDOS attack and the ability of filtering to mitigate an attack. The aim is to assess the vulnerabilities introduced by using public networks for communication. A network client acts s a control station, a PowerWorld server acts as a power system, and RINSE tool acts as a communication network. The attack prevented data from being transmitted across the network, causing the control display to display incorrect data.
Particularly, the main components of the environment are:
− Network client. It provides several key functions needed to implement an accurate test bed that closely mimics real world operation of the power grid. The network client (figure 7.15) provides a graphical view of power system states. The information used to drive the display is obtained via TCP/IP from a server. This mimics a SCADA HMI that is obtaining data from the field bus over a communication network.
− PowerWorld server. It is twofold:
o simulates the power grid with a feature-rich power flow solver This allows to simulate systems with a high degree of modelling accuracy by taking advantage of the advanced modeling facilities built into the PowerWorld Simulator software.
o provides the SCADA data that would typically be fed into a control center display (represented by the client). The server provides the simulated data to the client over a TCP/IP network using a custom networking protocol.
Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx
Final version Page 111 on 153
− RINSE (Real-time Immersive Network Simulation Environment for Network Security Exercises) tool. RINSE is a tool for realistic emulation of large networks as well as network transactions, attacks, and defenses [102]. RINSE has unique capabilities which make it suitable for cyber security and game-playing exercises including large scale real-time human/machine-in-the-loop network simulation support, multi- resolution network traffic models, and novel routing simulation techniques.
Figure 7-15Network client screenshot - opening a line in a 7 bus case [101]
Five types of commands are currently supported by RINSE:
− Attacks: for initiating attacks (particularly DDoS attacks) in the network.
− Defenses: for applying countermeasures against attacks. These commands
include filtering packets at routers which can mitigate attack effects.
− Diagnostic Tools: which simulate common networking utilities such as ping. − Device Controls: for controlling (shutting down, rebooting) individual devices in
Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx
Final version Page 112 on 153
− Simulator Data: for controlling the output of the simulator.
The scheme that is used for integration of the PowerWorld simulator with RINSE is shown in Figure 7.16.
Figure 7-16 Client-Server-RINSE Integration scheme [101]
The network client sends packets to the PowerWorld server via a proxy server on a specified port. The proxy server then translates the destination of these packets to the virtual IP address of the PowerWorld server in the simulated network through a VPN tunnel. The network simulation then is performed and the same process happens in the reverse direction when the PowerWorld Server responds to the Network Client requests through the Proxy server through another VPN tunnel.
In [101], the authors performed a DoS attack considering the fact that increasing load levels cause the transmission system serving a load pocket to become overloaded. At the same time a network attack hinders the operator’s ability to receive data and issue commands. Three different scenarios have been simulated to study the effect of attack and defense. In the first scenario, the network runs under normal conditions with some transactions and background traffic present. The goal of this scenario is to study the interaction of the PowerWorld server and client under normal operating conditions of the network.
In the second scenario after a while of operating normally, a DDoS attack starts in the network. The server here is an arbitrary server in the simulated network and upon reception of the command, the attacker sends attack signals to zombie hosts in the network and they start emitting packets to the victim server at the rate of 700 Kbits/s. The attack starts after 30 seconds of simulation and lasts for 100 seconds. With this scenario we study the effect of attack on the power system that uses a public network as its communication medium.
The third scenario complements the second one by applying countermeasures in the network to mitigate the negative effects of the attack on the power grid. The intermediate
Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx
Final version Page 113 on 153
router connecting the zombies network to the server network act as a filter by dropping packets coming in on all interfaces, using all protocols, from all source IP addresses and all source ports to all destination IP addresses and destination port (33333) on which the vulnerable service works. This command is issued after 60 seconds of simulation and may be described by the following pseudo-code: filter router add 0 deny all all * all * 33333. To evaluate the attacks, an analysis of the packet drop percentage was performed in the three cases. When there is not attack occurring, the operator accessing to the network client is able to see data that is refreshed at the proper rate and have the ability to open and close lines.
If an attack is in progress the SCADA data and commands are prevented from getting to and from the network client. The DDoS attack floods the network with packets, causing the real data to be delayed or lost. This is evident in the divergence of the one-line views between the network client and the PowerWorld server. When an attack is under way, the network client continues to display old data showing that the system is operating safely even though a transmission line is overloaded. The application of a filter is one defense against a DDOS attack. Applying a filter after an attack has begun successfully mitigated the attack and allowed SCADA data to transit the network.