SCADA Cyber Security Testbed Development
C. M. Davis, J. E. Tate, H. Okhravi, C. Grier, T. J. Overbye, and D. Nicol
School of Electrical and Computer Engineering
University of Illinois Urbana-Champaign
Urbana, Illinois
Abstract- New technologies are increasing the vulnerability
of the power system to cyber security threats. Dealing with
these threats and determining vulnerabilities is an important task
for utilities. This paper presents the development of a testbed
designed to assess the vulnerabilities introduced by using public
networks for communication.
I. INTRODUCTION
The proliferation of new computer technologies in the power
system has brought many advantages and risks. Increasingly,
powerful computers are becoming prevalent not just in control
centers in offices but also in the field in the form of IEDs
(Intelligent Electronic Devices). These new devices allow for
efficient network based communications, the use of next gen-
eration Supervisory Control and Data Acquisition (SCADA)
protocols, and more intelligent behavior. Unfortunately, using
these new devices also has a down side. Using standard
networks and protocols opens the devices to possible cyber
attacks.
To address these new vulnerabilities, the TCIP (Trustworthy
Cyber Infrastructure for the Power grid) project has been
started under the ITI (Information Trust Institute). TCIP is an
NSF funded project consisting of researchers in various areas
of computer security and power systems.
Determining the vulnerabilities of systems using these
devices is a complicated process because of the complex
hardware and software interactions that must be considered.
One approach is to build a comparatively simple system that
captures the relevant complexity, i.e., a testbed. This work first
presents motivations for developing a testbed in the form of a
brief review of cyber security basics. Next, several components
developed for use in the testbed environment are discussed. In
the final section, the pieces are put together and a simulation
Of a cyber attack scenario is presented.
II. CYBER SECURITY BACKGROUND
A. Traditional SCADA Architecture
Historically electric utilities have been regulated, vertically
integrated monopolies. One company owned and controlled
everything from the generators to the distribution system.
Utilities knew their systems very well and data was shared
only on a limited basis. SCADA systems often communicated
Over dedicated communication links like phone lines and mi-
crowave radio links. The SCADA system hardware possessed
limited processing power and often utilized vendor-specific
protocols.
483
Authorized licensed use limited to: Intel Corporation via the Intel Library. Downloaded on September 26, 2009 at 23:20 from IEEE Xplore. Restrictions apply.
B. Future SCADA Architecture
...
Presen ilities are tructurediverydier
have been in the past. The transmission system allows open
an they
access, meaning that anyone owning a generator is allowed
to supply power to the grid. Markets have been set up to
decide which generators are used instead of the utility owning
generation and determining dispatch. These changes mean
the transmission system is used in a very different way. The
changes in the operation of the transmission system make it
more important to securely share data among system operators,
while ensuring that only the appropriate market insensitive
data can be accessed by marketeers. Thus, the restructuring of
the utility industry has resulted in the need for varying levels
of information access [1].
There is also a shift in the nature of SCADA systems.
The old-style vendor-specific SCADA protocols are being
replaced by next generation standards based protocols like
IEC 61850. These next generation protocols are based on a
common information models (CIM) [2]. Common information
models are used to associate devices with services. This kind
of abstraction, made possible by the improved computational
power of new SCADA hardware, allows for useful features like
device discovery. Instead of micro-controller based hardware
programmed in assembly language, present day hardware
runs more advanced real-time operating operating systems
(e.g. real-time Linux and vxWorks) [3]. Not only are the
protocols and hardware changing, but the communications
links are evolving as well. Expensive dedicated phone lines
and microwave links are being replaced by data networks [4].
C. Threats
There are many threats facing critical infrastructure today.
Currently, the most famous threats are the threats posed by
terrorist groups and hostile nation states. These are organized
groups with a clear goal and some level of sophistication.
There is also a threat posed by a company's own employ-
ees. Company insiders have access to internal controls and
data, and, either by accident or malicious intent, can cause
equipment outages. A third category of threat is the threat
posed by casual hackers, known as "script kiddies". These are
people without great computer ability who download and use
prepackaged tools.
D. Vulnerabilities
The term vulnerabilities is used to refer to equipment that is
vulnerable to attack. This notion is distinct from threats. For
example, a vulnerability would be a hole in the fence, whereas
a threat would be the person who wants to get through the
fence. Power systems face a new array of cyber vulnerabilities
as new equipment, running more standard, real-time operating
systems, is phased in. These standard operating systems are
subject to a greater number of well known attacks. The
Cyber Emergency Response Team (CERT) has been tracking
computer vulnerabilities since the late 1980s. Their statistics
show that the number of vulnerabilities has been increasing
dramatically in recent years [5].
E. Countermeasures
To address vulnerabilities present in the power system, the
North American Reliability Council (NERC), working with
the Department of Energy and the Department of Homeland
Security and their Canadian counterparts, has developed a set
ofcye seurt
standards....
[6]. These standards are a protocol
requiring companies to identify their vulnerabilities and risks
and take steps to mitigate them. This is done in several
steps. First, the impact of the loss of assets is determined.
Next, the standard calls for the identification of vulnerabilities.
Then, using this information,
. '. . ' companies
can preform risk
.................. .
analysis to decide which vulnerabilities
to protect against. Finally, companies decide which defenses
are most cost effective and begin to implement them. Common
defences against cyber attacks include application of firewalls
and authentication methods [7]. Peer-to-peer overlay routing is
another possible defence against Distributed Denial of Servce
(DDoS) attacks [8].
III. SIMULATION ARCHITECTURE
A. Network Client
1)ons Purpose.oThplemenetw
client provides several key func-
2) Capabilities: The client currently has the following key
capabilities:
. The client provides a graphical view of power system
states. The information used to drive the display is
obtained via TCP/IP from a server (see Section III-C
below for a description of the protocol used). This mimics
a control room display that is obtaining SCADA data
from the power grid over a communications network.
. The ability to control (rather than simply view) power
system elements is also a key component of real power
system operation. The client supports control actions,
such as opening and closing of lines, in addition to simple
isplay of data.
All data displayed on the client must first be communi-
cated over the network from the server to the client. This
decoupling of the display (the network client) from the
data source (the PowerWorld server) enables independent
modification
m and testing of the display, communications
networks, and power system without affecting other com-
ponents of the testing environment.
An individual client can access any number of servers,
with a highly configurable scheduling mechanism for
retrieving data. Data retrieval from the server can be
are most important aycrono ini.ta retr to oc t regular te
intervals. By setting the intervals between retrievals to
a very small value, it is easy to stress the underlying
communications system to examine bandwidth effects.
Suort for maor oeratin sstems Windows Mac OS
X, Linux)
A sample screen shot of the network client displaying retrieved
data for a 7 bus system is shown in Figure 1.
B. PowerWorld Server
1) Purpose: The PowerWorld server serves two purposes

tions needed to implement an accurate testbed

testbed thatclosely
that closely
an accurate
which, when combined, allow it to serve as a surrogate for the
ra oe rdwe efrigeprmns
mimics real world operation of the power grid.
. The server simulates the power grid with a feature-rich
power flow solver. This allows us to simulate systems
01.81 mw F-Tfl with a high degree of modeling accuracy by taking

_6-09 d >0_99 deg

1.46 deg.
1.00 pu.

Q01 MW
i_ 4 Bus 5
-0c& deg. C-'.-

1i01 p_u.

Bu!3~/ Bus~
Bu5~~~~~~~~~~~~~ 4'~~~~~~~~~~~~..
E3u57
7 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~.vq ~~~~~A..CBF' ;r

6 231 deg. RO JIdCn-eg.

2DO.)4 kW/ 200 64 hAN_A

Fig. 1. Network client screenshot - opening a line in a 7 bus case Fig. 2. PowerWorld server screenshot -serving data for a 7 bus case

484

Authorized licensed use limited to: Intel Corporation via the Intel Library. Downloaded on September 26, 2009 at 23:20 from IEEE Xplore. Restrictions apply.
 advantage of the advanced modeling facilities built into
the PowerWorld Simulator [9] software.
The server provides the SCADA data that would typically
be fed into a control center display (represented by the
client). The server provides the simulated data to the
client over a TCP/IP network using a custom networking
protocol (see Section III-C below).
2) Controls. The server also accepts control commands
sent by clients, e.g., the opening and closing of lines. The
server continuously solves the power flow, so network flow
impacts are instantly solved and propagated to all connected
clients. The ability to accept control commands from the client
allows us to study the effects of various network attacks on
control actions.
3) Data Provided: The server currently provides the fol-
lowing data to clients:
* Bus voltage magnitude and phase angle
* Line status
* Line flow
* Generator status
A sample screen shot of the PowerWorld server providing
client data on the 7 bus case is shown in Figure 2.
C. Client-Server Protocol
The protocol used for communicating between the client
and server is a simple request/response protocol which uses
the TCP/IP networking protocols. All network communication
is initiated by the client, which can either send or receive an
arbitrary amount of data in a single session.
1) Purpose: The Real-time Immersive Network Simulation
Environment for Network Security Exercises (RINSE) is a tool
for realistic emulation of large networks as well as network
transactions, attacks, and defenses [10].
RINSE has unique capabilities which make it suitable for
cyber security and game-playing exercises including large-
scale real-time human/machine-in-the-loop network simulation
support, multi-resolution network traffic models, and novel
routing simulation techniques.
RINSE consists of five components:
* the iSSFNet network simulator,
* the Simulator Database Manager,
* a database,
* the Data Server,
* and client-side Network Viewers
The internal architecture of RINSE is shown in Figure 3.
The iSSFNet is the core network simulator which is built
on top of the Scalable Simulation Framework (iSSF), an
Application Programming Interface (API) for parallel large-
scale simulation [11]. In this architecture, the Simulation
Database Manager is responsible for collecting simulation data
from simulator nodes and putting it into the database. In
the RINSE architecture, many simulator nodes can work in
parallel to support large-scale real-time network simulation.
485
Authorized licensed use limited to: Intel Corporation via the Intel Library. Downloaded on September 26, 2009 at 23:20 from IEEE Xplore. Restrictions apply.
- Viewer iSSFNet Network Simulator
database Emam
S U ,,,
Internet -=:
DataSeret Simulator
Manager
1RNSELbackup instance
Fig. 3. RINSE Architecture
Clients run Network Viewer which connects to the database
through the Data Server and gives each client a separate
view of the simulated network. This view the portion of
is
the simulated network the client is interested in and is able
to interact with. This feature can be used in exercises like
the October 2003 Livewire cyber war exercise which was
conducted by the Department of Homeland Security [12].
2) Capabilities: In addition to parallel real-time large-
scale simulation, RINSE is capable of multi-resolution traffic
simulation, meaning it can simulate traffic with varying levels
of detail. This makes it suitable for simulating high-volume
traffic and attacks. When traffic is presented and simulated
in a multi-resolution fashion, traffic with important dynamic
behavior (foreground traffic) is simulated with high-resolution
packet-level details whereas traffic showing other activities in
the network (background traffic) is simulated using a coarse-
grained fluid model [13] [14] . RINSE uses both resolutions
for different traffic at the same time [15], coupled with a
fixed point solution technique, resulting in several orders of
magnitude speed-up in simulation [16] [17]. For attack traffic
(e.g., Denial of Service (DoS) attacks) the details of the traffic
are of little importance and we are only interested in the
coarse behavior (volume of the traffic). Therefore, a coarser,
multi-resolution model is used to increase the efficiency of
simulation and to make real-time simulation possible [18].
Another important feature of the RINSE architecture is
the Network Viewer which gives clients the ability to have
different views of the simulated network and also to issue com-
mands to the simulator (Figure 4). Five types of commands
are currently supported:
. Attacks: for initiating attacks (particularly DDoS attacks)
in the network.
. Defenses: for applying countermeasures against attacks.
These commands include filtering packets at routers
which can mitigate attack effects.
. Diagnostic Tools: which simulate common networking
utilities such as ping.
. Device Controls: for controlling individual devices in the
network.
. Simulator Data: for controlling the output of the simula-
tor.
RINSE is also capable of emulation, i.e., it can represent
 RINSE +VPN Server
Network Cliert

PowerWorld Server
Prox + VPN Ci ent

FigQ.~4. Ntwor viwe scrensho Fig85.ClentSeverRISE ntgraio Scem

40021:2~~~1
NOA M2111 4~~IN(~01 ICs !TABLE
relnoe wItviua nodesin, the siulte netor adCAAERICSTAPIN
generate real packets~~~~~ for,0,,8trnscton ithl the oTsFide world.
Emlaio is th key fetr of RINS tHaTTP has) benueHMduTeic oeWrlevc
inthe1 inegato of RINEitthteteEuainasBrnhRU oe/letasmsonie
needs som exr copoetswic redscsedi dtilGeeatrRT ea enrtontrato
beo .1 A 5;0- " 6

F,Protocol Converter~~~~~~~~~~~~~~~~~~~~~~~[C 23TC)

The protocol converter is a program designed to convert the in which there are virtual nodes representingPowerWorld~~~~~~~..........
the
cusomPoerord roocl7nt ralSCDAIrooclscTisseve ad henewok ciet().Upn rrva o teIacet
allows, the netor client2to, interfac with actua hadwre)t,te irua nderereeninte owrWrlNsrvr,th
Thepotoco conerteralso rovies a eansof teting imultor gnerats.rel.pacets.ith vrtualIP.adresss.an
protocols by grabbing~~~~~~~ th evrsotu adfradn tdeieste ote enl hs2akesaesn hog
acros a (pssbl sImuae)ntokFnte P unltotepoysre.Fnly h rx
On .ucto. ha.ut.eprfre.y.h.rooo.sre.tasatstevita.ades.n.enste.akt
converte is mapn bewe1h ipePwrol evrt h oerol evr h aepoeshpesih

SCADA protocol~~~~~~F_, [19. Aetfree opeen-souree Mdbssmlehadth networ5Client(S)epaserISE IthgroughnRIScemakngi

real nodes withvirtual nodes i thsetupulisethatwtheanetwork SERImulto (RPINSEG scmltl

FgInertegreatio fckesilaortasatrnsprenntothePowrWoldhervruadsteintwokwcien(s)
Emltheschem that isy faused for ineRaIoNS ofthathsbe sdMdueie PowerWorldSevc
servere ithegnetworkcletsf RINSE inoteestbd
n showntionFigur IVanc ATTACKoSen/coetaRsisionle
5nThis architectureasfumajorent whcomponenticus:d A.ScenarioeDesriptionT edgnraonomto

E. Neotworkl Clivent(serodpce obcm velae.A h aetm

Th prINSEoaondvterVNt erer issueormdeindtonettei whcommereands Undrta normal ciprcusetances thePoperatorl
proortls (hin nrceth trasmssonk
PusowerWorlwerverl viatocaprtox srverl onCADseife te systemntos reliev theroverloadIne thikes
snervaerwtheatranlhatesre theae
thioscase, petortk00) Thien prox t however, thde netwrkseattakianbine opeWrlevea,tors
the
destnaton fthse ackts t th vitualIP ddrss o th frmulknowlegeneaeofeth problems andh vremovedPthdeseirailt tod
proowerorldb serverbing the simulaed' network Theporackets are respond. them stuation detneriorThese pascprtsaetiont
equipmen
thens deliveredlthroughate)ntoknte RISpoer h velaeieoutyo servier. Aicascadinge poutag
VPN tunnel to fre
the
daemouncgrabs theacketstfro therINSEmend ofthe VPNoco hserbegu thasatewill vresualt adblackou for thendload pocket.

tunland injesCtsA
thminodtels sModulao usin eomunlato
th PoferWbudsesr1,e2
Forit this scenari, the loadfi pokeenthcnsst

capaIltgaity ofRISE.uatrIsE thnsiuatsalaguntor pn3swhihcanbhe seenoin Figultre 6.IThE)

inresin dopemand
486 prn otePweWrdsre n hentokcin()

Authorized licensed use limited to: Intel Corporation via the Intel Library. Downloaded on September 26, 2009 at 23:20 from IEEE Xplore. Restrictions apply.

2 /0Atc
= 80
6M Th90 , 0/7MWc6
69 MW
15 Mvar 3
0 Mvar
S
200 MW4\
Fig. 6. Scenario one-line diagram 90 MW bus 1 load
89MW
16 Mvar
1
3
175 Mvar
200 MW
141 Mvar
Fig. 7. Scenario one-line diagram 110 MW bus 1 load
is modeled by step changes of the load at bus 2. The load at
bus 2 starts at 90 MW. At this load level, the transmission
line from bus 4 to bus 1 is loaded at 70.5% of capacity. The
next load level is 110 MW. The corresponding line loading
is 89.4%. The final load level is 125 MW. At this load level
the transmission line is overloaded, operating at 103.5% of
capacity. Images of the system under each loading level can
be seen in figures 6, 7, and 8.
B. Attack Description
To study the effect of cyber attacks on the simulated power
system, we have used the architecture shown in Figure 5. A
relatively large network with hundreds of hosts and routers
and many subnets is used for simulation with two of the
hosts representing the PowerWorld server and the network
client. The network client represents the operator station in
the control room.
Three different scenarios have been simulated to study
the effects of attack and defense. In the first scenario, the
network runs under normal conditions with some server/client
transactions and background traffic present. The goal of this
scenario is to study the interaction of the PowerWorld server
and client under normal operating conditions of the network.
In the second scenario, after a period of normal operation, a
-I
2 display old data showing that the system is operating safely
105MW ~~ 1205 17°5MMWr
Fig. 8. Scenario one-line diagram 125 MW bus 1 load
Authorized licensed use limited to: Intel Corporation via the Intel Library. Downloaded on September 26, 2009 at 23:20 from IEEE Xplore. Restrictions apply.
Packet Drop Percentage
100/
starts /
70 -
ZX \ Filtering
5
\|fgXf O Mvar y a.> 60 )/ i
\starts
g~- 40-
r )30
20-
o0 - :
Time (s)
- - No Attack -Attack w/o Filter - -Attack with Filter
Fig. 9. Packet drop percentage in simulated network for a lOOs run
DDoS attack starts in the network by issuing a command to
RINSE.
Upon reception of the command, the attacker sends attack
signals to zombie hosts in the network and they start emitting
packets to the victim server at the rate of 700 Kbits/s. The
attack starts after 30 seconds of simulation and lasts for 100
seconds. With this scenario we study the effect of attack on the
power system that uses a public network as its communication
medium.
The third scenario complements the second one by applying
countermeasures in the network to mitigate the negative effects
of the attack on the power grid. A defensive filter is enabled
which drops all packets from the zombie hosts.
C Results
The three scenarios described above were run and the effects
of a DDoS attack on the power system were studied. To
get an estimate of the responsiveness of the network under
normal condition, attack, and attack with filters, packet drop
percentage between the PowerWorld server and its client were
measured using "ping" and is shown in Figure 9.
When there is not an attack occurring, the operator at the
network client sees data that is refreshed at the proper rate
and has the ability to open and close lines. If an attack is
in progress the SCADA data and commands are prevented
from getting to and from the network client. The DDoS attack
floods the network with packets, causing the real data to be
delayed or lost. This is evident in the divergence of the one-line
views between the network client and the PowerWorld server.
When an attack is under way, the network client continues to
even though a transmission line is overloaded (i.e., the operator
14Mvar
otne to see Figure 6instead of Figure 7or Figure
application of a filter iS one defense against a DDoS attack.
The 8),.
Applying a filter during an attack successfully mitigated the
attack and allowed SCADA data to transit the network as
illustrated in Figure 9.
487
 V. CONCLUSION
The experiment presented in this paper uses the network
client to act as a control station, the PowerWorld server to act
as the power system, and RINSE to act as the communication
network. This experiment demonstrated the vulnerability of the
network client to a DDoS attack and the ability of filtering to
mitigate an attack. The attack prevented data from being trans-
mitted across the network, causing the control display to dis-
play incorrect data. So far this work presents a testbed created
using only software. The next step is to more accurately model
the SCADA system by incorporating actual hardware (RTUs,
relays, etc.) in the simulations. Using the protocol converter
it is possible already to interface with devices communicating
using the ModbusTCP protocol. Work is ongoing to implement
using the ModbusTCP Work Is ongoing to implement
next generation protocols and to extend the functionality of the
network client and PowerWorld server (e.g., provide more data
and more control commands). In its final form, the testbed will
consist of computer simulations, hardware, and people acting
as controllers.
ACKNOWLEDGMENT
The authors would like to thank the NSF for their support
under award number CNS-0524695.
REFERENCES
[1] G. Zecevic and Z. Jovanovic, "Company intranet access to scada
information," in Proc. Budapest International Conference on Electric
Power Engineering, New York City, USA, Aug. 1999, p. 121.
[2] G.-S. Kim and H.-H. Lee, "A study on iec 61850 base communication
for intellegent electronic devices," in Proc. IEEE 9th Russian-Korean
International Symposium on Science and Technology, vol. 1, Novosi-
birsk,Russia, Jun.-Jul. 2005, pp. 765-770.
[3] C. Bowen, T. Buennemeyer, and R. Thomas, "Next generation scada
security: Best practices and client puzzles," in Proc. IEEE Workshop
on Information Assurance and Security, vol. 1, United States Military
Academy, West Point, NY, 2005, pp. 426-427.
488
Authorized licensed use limited to: Intel Corporation via the Intel Library. Downloaded on September 26, 2009 at 23:20 from IEEE Xplore. Restrictions apply.
[4] R. McClanahan, "IEEE industry applications magizine," Mar.-Apr. 2003.
[5] C. E. R. Team. (2006) Cert/cc statistics 1988-2006. [Online]. Available:
http://www.cert.org/stats
[6] N. A. E. R. Council. (2006) Critical infrastructure protection. [Online].
Available: http://www.nerc.com/cip.html
[7] J. Pollet, "Developing a solid scada security strategy," in Proc. Sensors
for Industry Conference, Houston, TX, USA, 2002, pp. 148-156.
[8] J. J. Farris and D. M. Nicol, "Evaluation of secure peer-to-peer overlay
routing for survivable scada systems," in Proceedings of the 2004 Winter
Simulation Conference, Washington D.C.,USA, Dec. 2004.
[9] PowerWorld Corporation. [Online]. Available: http://www.powerworld.
com
[10] M. Liljenstam, J. Liu, D. Nicol, Y Yuan,, G. Yan, and C. Grier, "Rinse:
the real-time immersive network simulation environment for network
security exercises," in In Workshop on Principles of Advanced and
Distributed Simulation, 2005.
[11] J. Cowie, D. Nicol, and A. Ogielski, "Modeling the global internet,"
Computing in Science and Engineering, vol. 1, pp. 42-50, Jan. 1999.
[12] A. Press. (2003, Nov.) T. bridis. gov't simulates terrorist cyberattack.
[Online]. Available: http://www.zone-h.org/en/news/-read/id=3728
[13] B. Liu, D. R. Figueiredo, Y Guo, J. Kurose, and D. Towsley, "A
study of networks simulation efficiency: Fluid simulation vs. packet-
level simulation," in In Proceedings of IEEE Infocom, Apr. 2001.
[14] G. Kesidis, A. Singh, D. Cheung, and W. Kwok, "Feasibility of
fluid-driven simulation for atm network," in In Proceedings of IEEE
Globecom, Nov. 1996.
[15] D. Nicol and G. Yan, "Discrete event fluid modeling of background
tcp traffic," ACM Transactions on Modeling and Computer Simulation,
vol. 14, pp. 1-39, July 2004.
[16] D. Nicol, J. Liu, M. Liljenstam, and G. Yan, "Simulation of large-scale
networks using ssf," in In Winter Simulation Conference (WSC), Dec.
2003.
[17] D. Nicol and G. Yan, "Simulation of network traffic at coarse time-
scales," in In Workshop on Principles of Advanced and Distributed
Simulation, 2005.
[18] , "Discrete event fluid modeling of background tcp traffic," in Proc.
ACM Workshop on Rapid Malcode, Oct. 2003.
[19] Modbus-IDA. (2005) Modbus-ida:the architecture for distributed
automation. [Online]. Available: http://www.modbus.org
[20] D. Wimberger. (2004) jamod. [Online]. Available: http://jamod.
sourceforge.net