An event buffer flooding attack in DNP3 controlled SCADA systems

The DNP3 protocol is widely used in SCADA systems (particularly in electrical power) to communicate observed sensor state back to a control center. Typical DNP3 architectures have a two-level hierarchy: a specialized data aggregator receives observed state from devices within a local region, and the control center collects the aggregated state from the data aggregator. Because DNP3 communication across the two levels is asynchronous, a compromised relay that sends too many (false) events to the data aggregator can completely fill the aggregator's buffer of pending events. This paper investigates the attack by implementing it on real SCADA system hardware and software. A Discrete-Time Markov Chain (DTMC) model is developed to understand the conditions under which the attack is successful and effective. The model is validated against a Möbius simulation model and data collected on a real SCADA testbed.
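To make the buffer-filling condition concrete, here is an added illustrative DTMC of the aggregator's pending-event buffer; it is not the paper's model and its structure and parameter values are assumptions (one event arrival per slot with probability `p_arrive`, a control-center poll that drains the whole buffer with probability `p_poll`, events dropped once the buffer is at capacity). It shows how the long-run probability of a full buffer and the expected time to first fill change when a relay's event rate rises.

```python
# Added illustration (not the paper's model): a DTMC of a DNP3 data aggregator's
# pending-event buffer. State i = number of buffered events, 0..capacity.
# Per time slot an event arrives with prob. p_arrive (legitimate plus any
# injected by a compromised relay) and, independently, a control-center poll
# drains the whole buffer with prob. p_poll. All parameter values are constructed.

def transition_matrix(capacity, p_arrive, p_poll):
    n = capacity + 1
    P = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for arrived, pa in ((1, p_arrive), (0, 1.0 - p_arrive)):
            j = min(i + arrived, capacity)      # at capacity the new event is lost
            P[i][0] += pa * p_poll              # poll empties the buffer
            P[i][j] += pa * (1.0 - p_poll)      # no poll: event stays queued
    return P

def solve(A, b):
    """Gaussian elimination with partial pivoting for the small dense systems below."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def full_probability(capacity, p_arrive, p_poll):
    """Long-run fraction of slots in which the buffer is full (new events dropped)."""
    P = transition_matrix(capacity, p_arrive, p_poll)
    n = capacity + 1
    # stationary pi solves pi = pi P; replace one redundant row by sum(pi) = 1
    A = [[P[j][i] - (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    A[-1] = [1.0] * n
    b = [0.0] * (n - 1) + [1.0]
    return solve(A, b)[capacity]

def mean_slots_to_fill(capacity, p_arrive, p_poll):
    """Expected slots from an empty buffer until it first reaches capacity."""
    P = transition_matrix(capacity, p_arrive, p_poll)
    n = capacity            # transient states 0..capacity-1; full state absorbing
    A = [[(1.0 if i == j else 0.0) - P[i][j] for j in range(n)] for i in range(n)]
    return solve(A, [1.0] * n)[0]

if __name__ == "__main__":
    for label, rate in (("legitimate only", 0.05), ("flooding relay", 0.8)):
        print(f"{label:16s} P(full)={full_probability(20, rate, 0.1):.4f} "
              f"slots to fill={mean_slots_to_fill(20, rate, 0.1):.1f}")
```

Comparing the two rows shows the effect the paper studies: as the per-slot event rate approaches the poll rate's ability to drain the buffer, the time to first fill collapses and dropped events become the steady state rather than a rare excursion.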
