
A Case Study in Power Substation Network Dynamics

Published: 13 June 2017

Abstract

The modern world is becoming increasingly dependent on computing and communication technology to function, but unfortunately its application and impact on areas such as critical infrastructure and industrial control system (ICS) networks remain to be thoroughly studied. Significant research has been conducted to address the myriad security concerns in these areas, but virtually all of it is based on artificial testbeds or simulations designed on assumptions about their behavior, drawn either from knowledge of traditional IT networking or from basic principles of ICS operation. In this work, we provide the most detailed characterization of an example ICS to date in order to determine if these common assumptions hold true. A live power distribution substation is observed over the course of two and a half years to measure its behavior and evolution over time. Then, a horizontal study is conducted that compares this behavior with three other substations from the same company. Although most predictions were found to be correct, some unexpected behavior was observed that highlights the fundamental differences between ICS and IT networks, including round trip times dominated by processing speed as opposed to network delay, several well-known TCP features being largely irrelevant, and surprisingly large jitter from devices running real-time operating systems. The impact of these observations is discussed in terms of generality to other embedded networks, network security applications, and the suitability of the TCP protocol for this environment.


Published In

Proceedings of the ACM on Measurement and Analysis of Computing Systems, Volume 1, Issue 1
June 2017
712 pages
EISSN: 2476-1249
DOI: 10.1145/3107080

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 June 2017
Published in POMACS Volume 1, Issue 1


Author Tags

  1. network characterization
  2. power grid
  3. scada

Qualifiers

  • Research-article


Cited By

  • (2024) SCADA World: An Exploration of the Diversity in Power Grid Networks. Proceedings of the ACM on Measurement and Analysis of Computing Systems 8:1 (1-32). DOI: 10.1145/3639036. Online publication date: 16-Feb-2024
  • (2024) From Power to Water: Dissecting SCADA Networks Across Different Critical Infrastructures. Passive and Active Measurement (3-31). DOI: 10.1007/978-3-031-56249-5_1. Online publication date: 11-Mar-2024
  • (2022) Anomaly Detection for SCADA System Security Based on Unsupervised Learning and Function Codes Analysis in the DNP3 Protocol. Electronics 11:14 (2184). DOI: 10.3390/electronics11142184. Online publication date: 12-Jul-2022
  • (2021) An Autoencoder-Based Network Intrusion Detection System for the SCADA System. Journal of Communications (210-216). DOI: 10.12720/jcm.16.6.210-216. Online publication date: 2021
  • (2020) Temporal Execution Behavior for Host Anomaly Detection in Programmable Logic Controllers. IEEE Transactions on Information Forensics and Security 15 (1455-1469). DOI: 10.1109/TIFS.2019.2940890. Online publication date: 2020
  • (2020) Neural network based anomaly detection for SCADA systems. 2020 23rd Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN) (194-201). DOI: 10.1109/ICIN48450.2020.9059436. Online publication date: Feb-2020
  • (2019) If I Knew Then What I Know Now. Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop (48-59). DOI: 10.1145/3372318.3372324. Online publication date: 10-Dec-2019
  • (2019) Attacks on smart grid: power supply interruption and malicious power generation. International Journal of Information Security. DOI: 10.1007/s10207-019-00452-z. Online publication date: 4-Jul-2019
  • (2019) EPIC: An Electric Power Testbed for Research and Training in Cyber Physical Systems Security. Computer Security (37-52). DOI: 10.1007/978-3-030-12786-2_3. Online publication date: 31-Jan-2019
  • (2018) Understanding IEC-60870-5-104 Traffic Patterns in SCADA Networks. Proceedings of the 4th ACM Workshop on Cyber-Physical System Security (51-60). DOI: 10.1145/3198458.3198460. Online publication date: 22-May-2018
