SCADA Cyber Security Testbed Development

C. M. Davis, J. E. Tate, H. Okhravi, C. Grier, T. J. Overbye, and D. Nicol
School of Electrical and Computer Engineering, University of Illinois Urbana-Champaign, Urbana, Illinois

Abstract— New technologies are increasing the vulnerability of the power system to cyber security threats. Dealing with these threats and determining vulnerabilities is an important task for utilities. This paper presents the development of a testbed designed to assess the vulnerabilities introduced by using public networks for SCADA communication.

I. INTRODUCTION

The proliferation of new computer technologies in the power system has brought many advantages, and some risks. Increasingly powerful computers are becoming prevalent not just in control centers and offices but also in the field, in the form of IEDs (Intelligent Electronic Devices). They allow for efficient network-based communications, the use of next-generation SCADA protocols, and more intelligent behavior. Unfortunately, using these new devices also has a downside: because they rely on standard networks and protocols, they are exposed to the same kinds of cyber attacks as any other networked computer. To address these new vulnerabilities, the TCIP (Trustworthy Cyber Infrastructure for the Power grid) project has been started under the ITI (Information Trust Institute). TCIP is an NSF-funded project consisting of researchers in various areas of computer security and power systems.

Determining the vulnerabilities of systems that use these devices is a complicated process because of the complex hardware and software interactions that must be considered. One approach is to build a comparatively simple system that still captures the relevant complexity, i.e. a testbed. This work first presents the motivation for developing a testbed in the form of a brief review of cyber security basics. Next, several components developed for use in the testbed environment are discussed, and finally the pieces are put together and a simulation of a cyber attack scenario is presented.
II. CYBER SECURITY BACKGROUND

A. Traditional SCADA Architecture

Historically, electric utilities have been regulated, vertically integrated monopolies. One company owned and controlled everything from the generators to the distribution system. Utilities knew their systems very well, and data was shared only on a limited basis. SCADA systems often communicated over dedicated communication links such as leased phone lines and microwave radio links. The SCADA hardware possessed limited processing power and often used vendor-specific protocols. Security, to the extent it was considered, rested on that physical and protocol isolation rather than on any mechanism in the protocols themselves.

B. Future SCADA Architecture

Presently, utilities are structured very differently than they were in the past. The transmission system allows open access, meaning that anyone owning a generator is allowed to supply power to the grid. Markets have been set up to decide which generators are used, instead of the utility owning the generation and determining dispatch. These changes mean the transmission system is used in a very different way. The changes in the operation of the transmission system make it more important to securely share data among system operators, while ensuring that only the appropriate market-insensitive data can be accessed by market participants. Thus, the restructuring of the utility industry has resulted in the need for varying levels of information access [1].

There is also a shift in the nature of SCADA systems. The old-style vendor-specific SCADA protocols are being replaced by next-generation, standards-based protocols such as IEC 61850. These next-generation protocols are based on a common information model (CIM) [2]. A common information model is used to associate devices with services. This kind of abstraction makes useful features like device discovery possible. Making this sort of abstraction possible is the vastly improved computational power of new SCADA hardware.
Instead of microcontroller-based hardware programmed in assembly, present-day hardware runs more advanced real-time operating systems (e.g., real-time Linux and VxWorks). Not only are the protocols and hardware changing, but the communication links are evolving as well. Expensive dedicated phone lines and microwave links are being replaced by data networks, so the isolation that the traditional architecture relied on is disappearing.

C. Threats

There are many threats facing critical infrastructure today. The most publicized threats in this day and age are those posed by terrorist groups and hostile nation states. These are organized groups with a clear goal and some level of sophistication. There is also a threat posed by a company's own employees. Company insiders have access to internal controls and data, and either by accident or by malicious intent can cause equipment outages. A third category of threat is the threat posed by casual hackers, known as "script kiddies". These are people without great computer ability who download and use prepackaged tools. Their lack of skill does not make them harmless: once a device is reachable over a public network, a prepackaged tool works just as well in unskilled hands.
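Section II.B states that restructuring requires varying levels of information access: operators need the full operational picture, while market participants may see only market-insensitive data. The following is an added illustration of that requirement as a default-deny release filter; it is not code from the paper or the TCIP project, and the sensitivity labels, role names, field names and sample record are all assumptions constructed for the example.

```python
"""Default-deny release filter for SCADA data shared across organisations.

Added illustration (not from the paper): every field of a SCADA record is
tagged with a sensitivity label, and a recipient's role determines which
labels may be released. Any field without a label, and any unknown role,
is denied by default. The names below are assumed, not from any standard.
"""
from dataclasses import dataclass, field

# Sensitivity labels (assumed names)
OPERATIONAL = "operational"       # breaker states, bus voltages, line flows
MARKET_PUBLIC = "market_public"   # cleared prices and other published data

# Role -> labels that role may receive (absent role -> nothing released)
ROLE_POLICY = {
    "operator": {OPERATIONAL, MARKET_PUBLIC},
    "market_participant": {MARKET_PUBLIC},
}

# Field -> label. A field that is not listed here is never released,
# so forgetting to classify a new measurement fails closed, not open.
FIELD_LABELS = {
    "bus_voltage_kv": OPERATIONAL,
    "line_flow_mw": OPERATIONAL,
    "breaker_closed": OPERATIONAL,
    "cleared_price_usd_mwh": MARKET_PUBLIC,
}


@dataclass
class ReleaseDecision:
    released: dict                          # fields the recipient may see
    withheld: list = field(default_factory=list)  # names only, for auditing


def filter_for_role(record: dict, role: str) -> ReleaseDecision:
    """Return the subset of `record` that `role` is allowed to receive."""
    allowed = ROLE_POLICY.get(role, set())
    released, withheld = {}, []
    for name, value in record.items():
        label = FIELD_LABELS.get(name)
        if label is not None and label in allowed:
            released[name] = value
        else:
            withheld.append(name)
    return ReleaseDecision(released, sorted(withheld))


# Constructed sample record; the last field is deliberately left unlabelled
# to show that an unclassified value is withheld from everyone.
SAMPLE = {
    "bus_voltage_kv": 137.9,
    "line_flow_mw": 212.4,
    "breaker_closed": True,
    "cleared_price_usd_mwh": 31.25,
    "generator_bid_usd_mwh": 28.0,
}

if __name__ == "__main__":
    for role in ("operator", "market_participant", "press"):
        decision = filter_for_role(SAMPLE, role)
        print(f"{role:19s} released={decision.released} withheld={decision.withheld}")
```

The design choice worth noting is that both tables are allow-lists: a recipient receives a field only when its label is known and that label is in the role's policy. Logging the withheld names gives an audit trail of what a market participant attempted to read without disclosing the values themselves.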