IMPLEMENTING AND TESTING A CUSTOM IDS FOR SUBSTATION AND PROCESS CONTROL SYSTEMS

Real-time control systems play a crucial role in ensuring the safety, reliability, accuracy, and timeliness of the operation of America's vital infrastructures. The recent rapid development of Supervisory Control and Data Acquisition (SCADA) systems has brought many benefits, including increased productivity and reduced costs, as it facilitates the transfer of control data through public networks and airwaves. However, this ease of use has also created new security vulnerabilities in systems that were once considered secure.


Transmitting critical control and monitoring data over public communication systems has opened up our critical infrastructures to potential electronic attacks from a global pool of cyber criminals. As SCADA systems continue to remain vulnerable to these types of attacks, it is likely that adversaries will seek to exploit these weaknesses. This highlights the need for continued efforts to strengthen the security of these critical systems and protect them from potential threats.



By significantly enhancing the logging of critical network events using contemporary techniques, our system has achieved a marked improvement in both security and auditing capabilities. We can now detect and alert on potential unauthorized access attempts and on changes made to device configurations, which not only bolsters the security of these critical networks but also allows engineers to recover faster from common configuration errors.


Power system control was once a tedious and time-consuming task. Before the advent of digital control equipment and communication networks in the design of power systems, engineers had to physically visit each substation to inspect system conditions and make necessary adjustments. Thanks to advancements in networking and the integration of digital devices, engineers can now monitor and control their systems from a central location, potentially managing multiple substations from a single terminal. More recent advancements have even made it possible for power engineers to control their systems remotely via the Internet, telephone systems, and wireless networks.


In the past, when control systems were standalone, devices had to adhere to strict regulations regarding operating temperature, random electrical disturbances, and other environmental factors. The operating environment has since evolved, and engineers must now also consider electronic attacks as a potential source of disturbance.



Process control systems are characterized by their diverse and heterogeneous nature. For instance, a power substation may comprise devices from a variety of manufacturers, using different types of communication systems such as serial, proprietary protocols on proprietary cabling, Ethernet, or tunneling protocols over Ethernet. Additionally, the age of the devices can range from brand new to 20 years old.


Process control systems are designed to operate in high-pressure, time-sensitive environments, with devices that are specialized in executing specific tasks efficiently. Thus, most equipment lacks the memory, processing power, and bandwidth required to perform the security functions of a modern personal computer (PC). While a PC can establish a secure connection with a server using secure socket layer (SSL) or secure shell (SSH) connections, process control devices do not possess the required computational capability and bandwidth to provide similar security. Real-time control systems also have several other limitations, including:




The security of process control systems has long been a concern because of their inherently weak authentication mechanisms and access control. The complex and heterogeneous nature of these systems, combined with the lack of monitoring and auditing, has made securing them against cyber threats a significant challenge.


These weaknesses are particularly pronounced in remotely accessible power substations, which are vulnerable to cyber attacks through public communication systems. The current setup of process control systems, which are designed for simple tasks and do not have the capacity to perform security functions, makes them susceptible to cyber attacks.


In this regard, our research has identified the common security weaknesses in automated process control systems, focusing on remotely accessible power substations. We have created a model SCADA/sensor testbed for Intrusion Detection System (IDS) experimentation, incorporating contemporary IDS auditing tools and methods such as network monitoring, signature profiling, revision control, and automated backups.
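As an added illustration of two of the auditing methods named above (signature profiling of device configurations with revision tracking, and monitoring of access logs), the following Python script is not code from the authors' testbed; the device names, configuration keys, network addresses and log format are all constructed for the example. It fingerprints each device's configuration against a stored baseline and reports a diff for any device that changed, and it scans access-log lines for sessions originating outside the engineering network and for configuration writes that follow failed logins from the same source.

```python
"""Added example (not the authors' testbed code): a minimal auditing pass of
the kind a substation IDS runs on the monitoring host. All device names,
configuration contents, addresses and log lines below are constructed."""
import difflib
import hashlib
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed baseline configurations, as captured at the last authorized
# engineering change and kept under revision control.
BASELINE_CONFIGS: Dict[str, str] = {
    "relay01": "overcurrent_pickup=600\nreclose_enabled=1\nremote_ctrl=0\n",
    "rtu01": "poll_interval_ms=500\nmaster_ip=10.0.0.5\n",
}

# Constructed "current" snapshots: rtu01's master address has been altered.
CURRENT_CONFIGS: Dict[str, str] = {
    "relay01": "overcurrent_pickup=600\nreclose_enabled=1\nremote_ctrl=0\n",
    "rtu01": "poll_interval_ms=500\nmaster_ip=198.51.100.7\n",
}

# Constructed engineering network; anything else is treated as untrusted.
ENGINEERING_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed access-log lines in a simple "timestamp device key=value..." form.
ACCESS_LOG: List[str] = [
    "2024-03-01T02:14:05Z relay01 event=login user=eng1 src=10.0.0.5 result=ok",
    "2024-03-01T02:15:10Z rtu01 event=login user=admin src=198.51.100.7 result=fail",
    "2024-03-01T02:15:12Z rtu01 event=login user=admin src=198.51.100.7 result=fail",
    "2024-03-01T02:15:20Z rtu01 event=login user=admin src=198.51.100.7 result=ok",
    "2024-03-01T02:16:00Z rtu01 event=config_write user=admin src=198.51.100.7 result=ok",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<kv>.*)$")


def fingerprint(config_text: str) -> str:
    """SHA-256 of a device configuration: the stored signature for that device."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def detect_config_changes(baseline: Dict[str, str],
                          current: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {device: changed lines} for every device whose fingerprint
    differs from the baseline; devices present on only one side are reported too."""
    changes: Dict[str, List[str]] = {}
    for device in sorted(set(baseline) | set(current)):
        old, new = baseline.get(device), current.get(device)
        if old is None or new is None:
            changes[device] = ["device added" if old is None else "device missing"]
            continue
        if fingerprint(old) != fingerprint(new):
            diff = difflib.unified_diff(old.splitlines(), new.splitlines(),
                                        fromfile=f"{device}@baseline",
                                        tofile=f"{device}@current", lineterm="")
            # Keep only the added/removed configuration lines, not the headers.
            changes[device] = [ln for ln in diff
                               if ln[:1] in "+-" and not ln.startswith(("+++", "---"))]
    return changes


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields.update(ts=m.group("ts"), device=m.group("device"))
    return fields


def audit_access_log(lines: List[str],
                     allowed_net: ipaddress.IPv4Network = ENGINEERING_NET) -> List[str]:
    """Alert on (a) any session from outside the engineering network and
    (b) configuration writes following a failed login from the same source."""
    alerts: List[str] = []
    failed_sources = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or "src" not in ev:
            alerts.append(f"unparseable log line: {line!r}")
            continue
        src = ipaddress.ip_address(ev["src"])
        if src not in allowed_net:
            alerts.append(f"{ev['ts']} {ev['device']}: {ev.get('event')} by "
                          f"{ev.get('user')} from outside engineering net ({src})")
        if ev.get("event") == "login" and ev.get("result") == "fail":
            failed_sources.add(str(src))
        if ev.get("event") == "config_write" and str(src) in failed_sources:
            alerts.append(f"{ev['ts']} {ev['device']}: config write from {src} "
                          f"after failed login attempts")
    return alerts


if __name__ == "__main__":
    for dev, lines in detect_config_changes(BASELINE_CONFIGS, CURRENT_CONFIGS).items():
        print(f"CONFIG CHANGE on {dev}: {lines}")
    for alert in audit_access_log(ACCESS_LOG):
        print("ALERT:", alert)
```

On the constructed data the script reports the altered master address on rtu01 and five alerts: four sessions from the non-engineering address and one configuration write that followed failed logins from that address. In a real deployment the baseline snapshots would be pulled from the devices on a schedule and committed to the revision-control system the article mentions, so that a flagged change can be compared against the last authorized revision rather than just against the previous poll.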


Our aim is not to review the extensive body of IDS literature, but to focus on the practical application of an IDS in a model SCADA system. Our findings demonstrate that many of the security weaknesses in process control systems can be remedied using existing technology, at a significantly lower cost than building new control systems with embedded security features.


In conclusion, securing process control systems, particularly remotely accessible power substations, is crucial for ensuring the long-term reliability of our critical infrastructure and other process control systems. The use of contemporary IDS auditing tools and methods can help to mitigate the security risks in these systems.
